[goma][rbe] Use task SA if server is set.
Fuchsia relies on using the system service account to access
goma-on-borg, but for the self-hosted goma-on-rbe we can manage our own
SA allowlisting and don't need to rely on this account-swapping
behavior.
Bug: 35511
Change-Id: I3a6586eb4f484f6e9f7eb8a53eeb105ccf108c8a
diff --git a/recipe_modules/goma/api.py b/recipe_modules/goma/api.py
index d29956d..4497601 100644
--- a/recipe_modules/goma/api.py
+++ b/recipe_modules/goma/api.py
@@ -180,7 +180,10 @@
if 'GOMA_ARBITRARY_TOOLCHAIN_SUPPORT' not in env:
self._goma_ctl_env[
'GOMA_ARBITRARY_TOOLCHAIN_SUPPORT'] = self._enable_arbritrary_toolchains
- if self._luci_context:
+ # TODO(fxb/35511): This block causes goma to use the `system` service account,
+ # instead of the `task` service account, as we are gaining much more control over
+ # access to goma, we no longer need to rely on this swapping behavior.
+ if not self._server and self._luci_context:
if not self._goma_context:
step_result = self.m.json.read(
'read context',
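Review bot: The new guard `if not self._server and self._luci_context:` picks the LUCI identity that goma presents purely from the truthiness of `self._server`, so any non-empty override skips the switch to the system account, including one that names a backend which still expects that account. If only the self-hosted RBE host is meant to run under the task account, comparing against that host explicitly would fail safer than treating every override alike. `_server` is assigned outside this hunk, so how it gets populated cannot be confirmed from here, and the enclosing method starts and ends outside the hunk. The TODO also never states the action to take; wording such as `# TODO(fxb/35511): Remove this block once no builder uses goma-on-borg; it switches the default LUCI account to system, which goma-on-rbe does not need.` would tell the next reader what to delete and when.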
diff --git a/recipe_modules/goma/examples/full.expected/linux_non_default_server.json b/recipe_modules/goma/examples/full.expected/linux_non_default_server.json
index da13d76..45e6336 100644
--- a/recipe_modules/goma/examples/full.expected/linux_non_default_server.json
+++ b/recipe_modules/goma/examples/full.expected/linux_non_default_server.json
@@ -84,38 +84,6 @@
"cmd": [
"python",
"-u",
- "\nimport shutil\nimport sys\nshutil.copy(sys.argv[1], sys.argv[2])\n",
- "/b/s/w/itOi5hUE/luci_context.475597099",
- "/path/to/tmp/json"
- ],
- "name": "pre_goma.read context",
- "~followup_annotations": [
- "@@@STEP_NEST_LEVEL@1@@@"
- ]
- },
- {
- "cmd": [
- "vpython",
- "-u",
- "RECIPE_MODULE[recipe_engine::file]/resources/fileutil.py",
- "--json-output",
- "/path/to/tmp/json",
- "copy",
- "{\"local_auth\": {\"accounts\": [{\"email\": \"some@example.com\", \"id\": \"test\"}], \"default_account_id\": \"system\"}}",
- "[CLEANUP]/luci_context._tmp_1"
- ],
- "infra_step": true,
- "name": "pre_goma.write context",
- "~followup_annotations": [
- "@@@STEP_NEST_LEVEL@1@@@",
- "@@@STEP_LOG_LINE@luci_context._tmp_1@{\"local_auth\": {\"accounts\": [{\"email\": \"some@example.com\", \"id\": \"test\"}], \"default_account_id\": \"system\"}}@@@",
- "@@@STEP_LOG_END@luci_context._tmp_1@@@"
- ]
- },
- {
- "cmd": [
- "python",
- "-u",
"[CACHE]/goma/client/goma_ctl.py",
"restart"
],
@@ -123,8 +91,7 @@
"GOMA_CACHE_DIR": "[CACHE]/goma",
"GOMA_DEPS_CACHE_FILE": "goma_deps_cache",
"GOMA_DUMP_STATS_FILE": "[CACHE]/goma/client/goma_stats.json",
- "GOMA_SERVER_HOST": "goma.fuchsia.dev",
- "LUCI_CONTEXT": "[CLEANUP]/luci_context._tmp_1"
+ "GOMA_SERVER_HOST": "goma.fuchsia.dev"
},
"infra_step": true,
"name": "pre_goma.start_goma",
@@ -162,8 +129,7 @@
"GOMA_CACHE_DIR": "[CACHE]/goma",
"GOMA_DEPS_CACHE_FILE": "goma_deps_cache",
"GOMA_DUMP_STATS_FILE": "[CACHE]/goma/client/goma_stats.json",
- "GOMA_SERVER_HOST": "goma.fuchsia.dev",
- "LUCI_CONTEXT": "[CLEANUP]/luci_context._tmp_1"
+ "GOMA_SERVER_HOST": "goma.fuchsia.dev"
},
"name": "post_goma.goma_jsonstatus",
"~followup_annotations": [
@@ -192,8 +158,7 @@
"GOMA_CACHE_DIR": "[CACHE]/goma",
"GOMA_DEPS_CACHE_FILE": "goma_deps_cache",
"GOMA_DUMP_STATS_FILE": "[CACHE]/goma/client/goma_stats.json",
- "GOMA_SERVER_HOST": "goma.fuchsia.dev",
- "LUCI_CONTEXT": "[CLEANUP]/luci_context._tmp_1"
+ "GOMA_SERVER_HOST": "goma.fuchsia.dev"
},
"name": "post_goma.goma_stats",
"~followup_annotations": [
@@ -211,8 +176,7 @@
"GOMA_CACHE_DIR": "[CACHE]/goma",
"GOMA_DEPS_CACHE_FILE": "goma_deps_cache",
"GOMA_DUMP_STATS_FILE": "[CACHE]/goma/client/goma_stats.json",
- "GOMA_SERVER_HOST": "goma.fuchsia.dev",
- "LUCI_CONTEXT": "[CLEANUP]/luci_context._tmp_1"
+ "GOMA_SERVER_HOST": "goma.fuchsia.dev"
},
"name": "post_goma.stop_goma",
"~followup_annotations": [