fix(postgres/iam): explicitly set billing-project flag for projects…

… subcommands All invocations to Google Cloud APIs must be attributed to a project, subject to billing and quotas. The `projects` subcommand invokes an API that is _non-resource-oriented_, which means that the API doesn't have a clear association with a Google project. When using this subcommand in the `gcloud` CLI, usage will thus be attributed to the client's project, as we're authenticating using its OAuth client ID. This is of course owned by a Google controlled project, namely `project_number:32555940559`. As the client and project is shared by all installations of gcloud, this means that everyone is subject to the same quotas for that project. To alleviate resource quota issues, we set the `--billing-project` flag explicitly for relevant `gcloud projects` subcommands to the same project that is operated on. See also https://jpassing.com/2022/10/31/which-project-quota-are-my-api-calls-charged-against/.
nais · Dec 18, 2024 · aeb85d9 · aeb85d9
1 parent 3864e8a
commit aeb85d9
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/pkg/postgres/iam.go b/pkg/postgres/iam.go
@@ -103,6 +103,7 @@ func grantUserAccess(ctx context.Context, projectID, role string, duration time.
 		projectID,
 		"--member", "user:" + email,
 		"--role", role,
+		"--billing-project", projectID,
 	}
 
 	if duration > 0 {
@@ -130,6 +131,7 @@ func cleanupPermissions(ctx context.Context, projectID, email, role, conditionNa
 		"get-iam-policy",
 		projectID,
 		"--format", "json",
+		"--billing-project", projectID,
 	}
 	cmd := exec.CommandContext(ctx, "gcloud", args...)
 	out, err := cmd.Output()
@@ -173,6 +175,7 @@ OUTER:
 		"--member", "user:" + email,
 		"--role", role,
 		"--condition", expr,
+		"--billing-project", projectID,
 	}
 	cmd = exec.CommandContext(ctx, "gcloud", args...)
 	buf := &bytes.Buffer{}