terraform - add new role for download via Lit element component

[ghchinoy]

PR #620 introduces a Lit webcomponent for direct asset downloading and utilizes the signed URL for GCS asset access.

@csantos & @awaemmanuel can you review the following and let me know if this is a good course of action.

1. Service Account Identified: The main.tf file creates a dedicated service account for the application:

   • Terraform resource name: google_service_account.creative_studio
   • Account ID: service-creative-studio
   • The full email will be: service-creative-studio@<YOUR_PROJECT_ID>.iam.gserviceaccount.com

2. Missing IAM Role: Of the google_project_iam_member resources, the roles/iam.serviceAccountTokenCreator role is not granted to this service account. Without this, the API call to access the GCS asset will fail, and the download will error with "Failed to retrieve signed URL from API.".

3. Missing Environment Variable: The main.tf file defines a locals block for environment variables. SERVICE_ACCOUNT_EMAIL is not included in this block. The backend code will fail to get the correct service account email to use for signing the URL.

2. main.tf Modifications

Change 1: Add the missing IAM role.

In main.tf, add the following resource block. Potential suggestion, right after the google_project_iam_member.creative_studio_vertex_access resource.

resource "google_project_iam_member" "creative_studio_sa_token_creator" {
  project = var.project_id
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = google_service_account.creative_studio.member
}

Change 2: Add the missing environment variable.

In main.tf, inside the locals block, add the SERVICE_ACCOUNT_EMAIL variable.

locals {
  creative_studio_env_vars = {
    PROJECT_ID          = var.project_id
    LOCATION            = var.region
    SERVICE_ACCOUNT_EMAIL = google_service_account.creative_studio.email # <-- ADD THIS LINE
    MODEL_ID            = var.model_id
    VEO_MODEL_ID        = var.veo_model_id
    # ... keep the rest of the variables
  }
}

[csantos]

Change 1

Looks good to me and matches the docs. Happy to make the change.

Change 2

Couple of question for you...1) is it possible to just use google.auth.default(). service_account_email, or 2) even completely omit the need for explicitly providing the service account name during the call to sign the URL?

For example, the call below works when either running locally or in a deployed container. Locally the perms would be whatever configured via ADC (e.g., impersonated service account or the user account). In the deployed container because ADC would be using the service account configured in Cloud Run, there's no need to explicitly set it in the call to generate_signed_url.

storage_client = storage.Client()
bucket = storage_client.bucket("mybucket")
blob = bucket.get_blob("generated_images/1234567890/sample_0.png")
url = blob.generate_signed_url(expiration=datetime.timedelta(minutes=15), method="GET")

When running locally since it's just on a dev's machine, I think it's okay to have the download link created using their account - that link isn't going to be used anywhere except by them. When deployed, it's the service account that would be implicitly picked up by the Storage Client, so the URL would be signed with the service account w/o having to explicitly pass the parameter in the generate_signed_url call. If the dev wanted to mimic this behavior, they'd just have to set ADC to impersonate the service account a la gcloud auth application-default login --impersonate-service-account=service-creative-studio@project-id.iam.gserviceaccount.com

Let me know your thoughts and I can make the necessary changes.