Skip IAM for the Agent Gateway Service Agent (#3893)

2026-04-21 12:33:14 +02:00
parent 13cd282d3b
commit c995ffba07
5 changed files with 31 additions and 5 deletions
--- a/modules/apigee/recipe-apigee-swp/README.md
+++ b/modules/apigee/recipe-apigee-swp/README.md
@@ -54,4 +54,4 @@ module "recipe_apigee_swp" {
    subnet_proxy_only_ip_cidr_range = "10.16.2.0/24"
  }
 }
-# tftest modules=10 resources=44
+# tftest modules=10 resources=43
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -147,7 +147,7 @@
  role: roles/agentgateway.serviceAgent
  is_primary: false
  aliases: []
-  skip_iam: false
+  skip_iam: true
 - name: alloydb
  display_name: AlloyDB Service Account
  api: alloydb.googleapis.com
@@ -1430,6 +1430,14 @@
  is_primary: true
  aliases: []
  skip_iam: false
+- name: run-ai
+  display_name: Google Cloud Run AI Bundle Service Agent
+  api: run.googleapis.com
+  identity: service-${project_number}@gcp-sa-run-ai.${universe_domain}iam.gserviceaccount.com
+  role: null
+  is_primary: false
+  aliases: []
+  skip_iam: false
 - name: serverless-robot-prod
  display_name: Google Cloud Run Service Agent
  api: run.googleapis.com
@@ -2116,3 +2124,4 @@
  is_primary: false
  aliases: []
  skip_iam: false
+
--- a/tests/modules/project/service_agents.yaml
+++ b/tests/modules/project/service_agents.yaml
@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -145,6 +145,14 @@ outputs:
      is_primary: true
      name: serverless-robot-prod
      role: roles/run.serviceAgent
+    run-ai:
+      api: run.googleapis.com
+      display_name: Google Cloud Run AI Bundle Service Agent
+      email: service-12345@gcp-sa-run-ai.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@gcp-sa-run-ai.iam.gserviceaccount.com
+      is_primary: false
+      name: run-ai
+      role: null
    serverless-robot-prod:
      api: run.googleapis.com
      display_name: Google Cloud Run Service Agent
--- a/tests/modules/project/service_agents_universe.yaml
+++ b/tests/modules/project/service_agents_universe.yaml
@@ -147,6 +147,14 @@ outputs:
      is_primary: true
      name: serverless-robot-prod
      role: roles/run.serviceAgent
+    run-ai:
+      api: run.googleapis.com
+      display_name: Google Cloud Run AI Bundle Service Agent
+      email: service-12345@gcp-sa-run-ai.alpha-system.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@gcp-sa-run-ai.alpha-system.iam.gserviceaccount.com
+      is_primary: false
+      name: run-ai
+      role: null
    serverless-robot-prod:
      api: run.googleapis.com
      display_name: Google Cloud Run Service Agent
--- a/tools/build_service_agents.py
+++ b/tools/build_service_agents.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3

-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -74,6 +74,7 @@ SKIP_IAM_AGENTS = [
    'service-PROJECT_NUMBER@gcp-sa-scc-notification.iam.gserviceaccount.com',
    'service-PROJECT_NUMBER@gcp-sa-securitycenter.iam.gserviceaccount.com',
    'service-PROJECT_NUMBER@gcp-sa-ns-authz.iam.gserviceaccount.com',
+    'service-PROJECT_NUMBER@gcp-sa-agentgateway.iam.gserviceaccount.com',
 ]

 AGENT_NAME_OVERRIDE = {