Enable Terra Service Accounts to use GitHub Actions
Hello Terra team!
I work with educators and outreach who develop automated publishing tools. Specifically, we've created the OTTR Project which automates the publication of Rmd notebooks to platforms like Leanpub and Coursera via GitHub Actions. We think Terra/AnVIL would make a fantastic addition to the collection of platforms, helping folks "Learn Terra on Terra".
In order to enable publishing to Terra/AnVIL with GitHub Actions, a Google Cloud Service Account needs Storage Object Admin permissions to write updated notebooks to the associated Workspace Bucket. Conveniently, Terra projects in GCP automatically create Service Accounts that could be used (image below). The GC Service Account is securely authenticated with Workload Identity Federation or a secret key.
The request: Can we grant the Terra-created Google Service Accounts Storage Object Admin permissions?
Thanks for writing in with this feature request! We are currently looking into what permissions these service accounts currently have. I'll update you as we learn more!
This would be great!
The pet service accounts are created by Terra to act on your behalf when interacting with Google Cloud services. Therefore, they should already have the same permissions that your Terra account has.
In this case, I think what needs to be done is that you need to create a new service account and register it for Terra using these instructions. Then share your workspace(s) with that service account - WRITER or OWNER access should give it the Storage Object Admin permission you're looking for.
I'd also like to mention that there is a Featured Workspace on Terra that already has this GitHub integration set up, so it may be helpful for you to see how they've configured the GitHub Actions: https://app.terra.bio/#workspaces/help-gatk/Terra%20Notebooks%20Playground.
Here is the repo where the notebooks are stored: https://github.com/DataBiosphere/terra-examples/tree/main/terra_notebooks_playground
And here is the workflow to publish the notebooks to the workspace: https://github.com/DataBiosphere/terra-examples/actions/runs/2964912314/workflow
I hope this helps.
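The setup discussed in this thread, sketched as a GitHub Actions workflow. This is an added example, not taken from the thread or from the terra-examples repository. It assumes a service account that has already been registered with Terra and given WRITER access to the workspace, and every value in angle brackets, the `notebooks/` paths and the workflow name are placeholders or assumptions.

```yaml
# Added example; values in angle brackets are placeholders, not real identifiers.
name: publish-notebooks-to-terra

on:
  push:
    branches: [main]
    paths: ["notebooks/**"]   # assumed repository layout

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token for federation

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Workload Identity Federation: the job's OIDC token is exchanged for
      # short-lived Google credentials, so no service account key is stored
      # in GitHub. The provider should carry an attribute condition on
      # assertion.repository so only this repository can use the account.
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/providers/<PROVIDER_ID>
          service_account: <SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com

      # Secret-key alternative mentioned in the request. The key is long-lived,
      # so it has to be rotated and kept only in an encrypted repository secret:
      # - uses: google-github-actions/auth@v2
      #   with:
      #     credentials_json: ${{ secrets.<KEY_SECRET_NAME> }}

      - uses: google-github-actions/setup-gcloud@v2

      # Destination folder inside the workspace bucket is an assumption.
      - name: Copy notebooks to the workspace bucket
        run: gcloud storage cp notebooks/*.ipynb "gs://<WORKSPACE_BUCKET>/notebooks/"
```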