infra/gcp/prod: fix auditor serviceaccount creation

Ensure the auditor service accounts are created _before_ attempting to set an iam policy binding on the service accounts. I will save redoing this to pull out the logic hidden in lib.sh for a future PR
kubernetes · May 4, 2021 · e9d73af · e9d73af
1 parent ecc1ef0
commit e9d73af
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/infra/gcp/ensure-prod-storage.sh b/infra/gcp/ensure-prod-storage.sh
@@ -315,16 +315,17 @@ function ensure_all_prod_special_cases() {
     color 6 "Removing retention on promoter test-prod"
     gsutil retention clear gs://k8s-cip-test-prod
 
+    # Special case: create/add-permissions for necessary service accounts for the auditor.
+    color 6 "Empowering artifact auditor"
+    empower_artifact_auditor "${PROD_PROJECT}"
+    empower_artifact_auditor_invoker "${PROD_PROJECT}"
+
     # Special case: give Cloud Run Admin privileges to the group that will
     # administer the cip-auditor (so that they can deploy the auditor to Cloud Run).
     color 6 "Empowering artifact-admins to release prod auditor"
     empower_group_to_admin_artifact_auditor \
         "${PROD_PROJECT}" \
         "[email protected]"
-    # Special case: create/add-permissions for necessary service accounts for the auditor.
-    color 6 "Empowering artifact auditor"
-    empower_artifact_auditor "${PROD_PROJECT}"
-    empower_artifact_auditor_invoker "${PROD_PROJECT}"
 
     # Special case: empower Kubernetes service account to authenticate as a GCP
     # service account.