Remove service account usage from Packer examples

- hidden bug was causing Packer to always use default Compute Engine service account - IAM bindings do not propagate in time for these examples to work - minimum IAM bindings are already documented
GoogleCloudPlatform · Mar 15, 2024 · 37c763f · 37c763f
1 parent 30ddb67
commit 37c763f
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 23 deletions.
diff --git a/examples/image-builder-v6.yaml b/examples/image-builder-v6.yaml
@@ -48,16 +48,6 @@ deployment_groups:
           #!/bin/sh
           echo "Hello World" > /home/hello.txt
 
-  - id: builder_sa
-    source: community/modules/project/service-account
-    settings:
-      name: pkr
-      project_roles:
-      - compute.instanceAdmin.v1
-      - logging.logWriter
-      - monitoring.metricWriter
-      - storage.objectViewer
-
 - group: packer
   modules:
   - id: custom-image
@@ -66,7 +56,6 @@ deployment_groups:
     use:
     - network
     - scripts_for_image
-    - builder_sa
     settings:
       source_image_project_id: [schedmd-slurm-public]
       # see latest in https://github.com/GoogleCloudPlatform/slurm-gcp/blob/master/docs/images.md#published-image-family

diff --git a/examples/image-builder.yaml b/examples/image-builder.yaml
@@ -49,16 +49,6 @@ deployment_groups:
           #!/bin/sh
           echo "Hello World" > /home/hello.txt
 
-  - id: builder_sa
-    source: community/modules/project/service-account
-    settings:
-      name: pkr
-      project_roles:
-      - compute.instanceAdmin.v1
-      - logging.logWriter
-      - monitoring.metricWriter
-      - storage.objectViewer
-
 - group: packer
   modules:
   - id: custom-image
@@ -67,7 +57,6 @@ deployment_groups:
     use:
     - network1
     - scripts_for_image
-    - builder_sa
     settings:
       source_image_project_id: [schedmd-slurm-public]
       # see latest in https://github.com/GoogleCloudPlatform/slurm-gcp/blob/master/docs/images.md#published-image-family

diff --git a/modules/packer/custom-image/README.md b/modules/packer/custom-image/README.md
@@ -75,7 +75,8 @@ buckets. Recommended roles are:
 - `roles/monitoring.metricWriter`
 - `roles/storage.objectViewer`
 
-These roles are demonstrated in the [image builder example][examples readme].
+It is recommended to create this service account as a separate step outside a
+blueprint due to known delay in [IAM bindings propagation][iamprop].
 
 ## Example blueprints
 
@@ -315,6 +316,7 @@ No outputs.
 [cloudnat]: https://cloud.google.com/nat/docs/overview
 [examples readme]: ../../../examples/README.md#image-builderyaml-
 [hpcimage]: https://cloud.google.com/compute/docs/instances/create-hpc-vm
+[iamprop]: https://cloud.google.com/iam/docs/access-change-propagation
 [iaptunnel]: https://cloud.google.com/iap/docs/using-tcp-forwarding
 [image builder]: ../../../examples/image-builder.yaml
 [logging-console]: https://console.cloud.google.com/logs/