Manage multiple service account for each task in pipeline tekton CI/CD

Question

I have setup the pipeline that does the below work

1. Clone the repo -- has its own secret and service account
2. Build the application -- There are some java libraries that are published in google cloud artifact registry

gradle.build

repositories {
    mavenCentral()
    maven { url "artifactregistry://${LOCATION}-maven.pkg.dev/${PROJECT}/${REPOSITORY}" }
}

Pipeline.yaml

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: fetebird-discount
spec:
  params:
    - name: repo-url
      type: string
      description: The git clone repository url
  workspaces:
    - name: shared-workspace
  tasks:
    - name: clone-repository
      taskRef:
        name: git-clone
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: url
          value: "$(params.repo-url)"
        - name: deleteExisting
          value: "true"
    - name: build
      taskRef:
        name: gradle
      runAfter:
        - "clone-repository"
      params:
        - name: TASKS
          value: build
        - name: GRADLE_IMAGE
          value: docker.io/library/gradle:jdk17-alpine@sha256:dd16ae381eed88d2b33f977b504fb37456e553a1b9c62100b8811e4d8dec99ff
      workspaces:
        - name: source
          workspace: shared-workspace

pipeline-run.yaml

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: run-pipeline
  namespace: tekton-pipelines
spec:
  serviceAccountName: git-service-account
  pipelineRef:
    name: fetebird-discount
  workspaces:
    - name: shared-workspace
      persistentVolumeClaim:
        claimName: fetebird-discount-pvc
  params:
    - name: repo-url
      value: git@bitbucket.org:anandjaisy/discount.git

During the build process, I get an exception as 403 from server: Forbidden

2022-06-20T11:43:46.901622299Z      Required by:
2022-06-20T11:43:46.905433716Z          project :discount-api
2022-06-20T11:43:46.905908549Z          project :discount-api > project :core
2022-06-20T11:43:46.907587216Z          project :discount-api > project :infrastructure
2022-06-20T11:43:46.910430882Z       > Could not resolve fete.bird:common:1.0.1.
2022-06-20T11:43:46.916549841Z          > Could not get resource 'https://australia-southeast2-maven.pkg.dev/fetebird-350310/common/fete/bird/common/1.0.1/common-1.0.1.pom'.
2022-06-20T11:43:46.919566716Z             > Could not GET 'https://australia-southeast2-maven.pkg.dev/fetebird-350310/common/fete/bird/common/1.0.1/common-1.0.1.pom'. Received status code 403 from server: Forbidden
2022-06-20T11:43:46.920126507Z 
2022-06-20T11:43:46.921247424Z * Try:
2022-06-20T11:43:46.992466299Z > Run with --stacktrace option to get the stack trace.
2022-06-20T11:43:46.994160424Z > Run with --info or --debug option to get more log output.
2022-06-20T11:43:46.994594549Z > Run with --scan to get full insights.
2022-06-20T11:43:46.994759174Z 
2022-06-20T11:43:46.995529757Z * Get more help at https://help.gradle.org
2022-06-20T11:43:46.995904924Z 
2022-06-20T11:43:46.996231841Z BUILD FAILED in 4m 59s

Step failed

GCP Secret

apiVersion: v1
kind: Secret
metadata:
  name: gcp-secret
  namespace: tekton-pipelines
type: kubernetes.io/opaque
stringData:
  gcs-config: |
    {
      "type": "service_account",
      "project_id": "fetebird-350310",
      "private_key_id": "28e8c8df43e6d3849a4202642a8a0cd9cd5c2696",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkbbPVue9R36MfTwqDeI=\n-----END PRIVATE KEY-----\n",
      "client_email": "xxxxx@xxxx-xxx.iam.gserviceaccount.com",
      "client_id": "xxxxxxxxxxx",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/fetebird%40fetebird-350310.iam.gserviceaccount.com"
    }

Git-Secret

apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-auth
  annotations:
    tekton.dev/git-0: bitbucket.org # Described below
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn     DsIZjURL1Lt26DLxTMk+ti6MmiYa8YoAiiffaT+8f3J9QJDqXCdbK+3RNgSn47Pw4PgZr2
      uCgb8M0tPCt4kAAAAac2FuQFNhbnMtTWFjQm9vay1Qcm8ubG9jYWwB
    -----END OPENSSH PRIVATE KEY-----

  # This is non-standard, but its use is encouraged to make this more secure.
  # If it is not provided then the git server's public key will be requested
  # with `ssh-keyscan` during credential initialization.
  known_hosts:
    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHogg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=

Tried to pass like this, but didn't work

apiVersion: v1
kind: ServiceAccount
metadata:
  name: git-service-account
secrets:
  - name: git-ssh-auth
  - name: gcp-secret

How can I resolve this issue.

Answer 1

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: test
  labels:
    tekton.dev/argocd: "tekton-ignore"
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
spec:
  serviceAccountName: test
  taskRunSpecs:
    - pipelineTaskName: test
      taskServiceAccountName: test

Answer 2

serviceAccountNames - Maps specific serviceAccountName values to Tasks in the Pipeline. This overrides the credentials set for the entire Pipeline.

Example

spec:
  serviceAccountName: sa-1
  serviceAccountNames:
    - taskName: build-task
      serviceAccountName: sa-for-build

for this Pipeline:

kind: Pipeline
spec:
  tasks:
    - name: build-task
      taskRef:
        name: build-push
    - name: test-task
      taskRef:
        name: test

then task will execute using the sa-1 account while build-task will execute with sa-for-build.

https://tekton.dev/docs/pipelines/pipelineruns/