Cleanup-script-does-not-delete-DF-created-service-accounts

7b0765c6 · Vadzim Beuzo [EPAM / GCP] · Oleksandr Kosse (EPAM) · 8d3c02c9 · 7b0765c6
Commit 7b0765c6 authored 3 months ago by Vadzim Beuzo [EPAM / GCP] Committed by Oleksandr Kosse (EPAM) 3 months ago
--- a/tools/environment-cleanup/cleanup.sh
+++ b/tools/environment-cleanup/cleanup.sh
@@ -377,32 +377,39 @@ clean_service_accounts() {
  # Cleanup Service Accounts and associated IAM bindings
  while [ $retries -lt $max_retries ]; do
    if [[ -n $service_account_for_script ]]; then
-      service_account_list=$(gcloud iam service-accounts list --format 'value(email)' --filter="(email:iam.gserviceaccount.com AND -email:$service_account_for_script)")
+      service_account_list=$(gcloud iam service-accounts list --format 'value(email)' --filter="(email:iam.gserviceaccount.com AND -email:$service_account_for_script)" | \
+      awk '{print $1}')
    else
      if [[ $destroy_all ]]; then 
-        service_account_list=$(gcloud iam service-accounts list --format 'value(email)' --filter email:"iam.gserviceaccount.com")
+        service_account_list=$(gcloud iam service-accounts list --format 'value(email)' --filter email:"iam.gserviceaccount.com" | \
+        awk '{print $1}')
      else 
        service_account_list=$(gcloud iam service-accounts list --format="value(email)" --filter email:"iam.gserviceaccount.com" | \
-                              grep -E 'datafier|gke-cluster-node-pool-sa|airflow-sa|wi-' | \
-                              awk '{print $1}')
+        grep -E 'datafier|gke-cluster-node-pool-sa|airflow-sa|wi-' | \
+        awk '{print $1}')
      fi
    fi

    if [ -n "$service_account_list" ]; then
      for service_account in $service_account_list; do
-        service_account_role_list=$(gcloud projects get-iam-policy "$project" --flatten=bindings[].members --filter bindings.members:"$service_account" --format 'value(bindings.role)')
-
-        for service_account_role in $service_account_role_list; do
-          gcloud projects remove-iam-policy-binding "$project" \
-            --member serviceAccount:"$service_account" \
-            --role "$service_account_role" \
+        service_account_role_list=$(gcloud projects get-iam-policy "$project" \
+        --flatten=bindings[].members \
+        --filter bindings.members:"$service_account" \
+        --format 'value(bindings.members, bindings.role)')
+
+        while read -r member role; do
+          if [[ -n "$member" && -n "$role" ]]; then
+            echo "Removing role $role from member $member"
+            gcloud projects remove-iam-policy-binding "$project" \
+            --member="$member" \
+            --role="$role" \
+            --quiet \
            --no-user-output-enabled
-        done
-
+          fi
+        done <<< "$service_account_role_list"
        gcloud iam service-accounts delete "$service_account" --quiet
        echo "Deleted Service Account: $service_account"
      done
-
      echo "Service accounts cleanup finished."
      return
    else
@@ -411,7 +418,6 @@ clean_service_accounts() {
      sleep 5
    fi
  done
-
  echo "Service accounts cleanup skipped after $max_retries attempts."
 }