{"html_url": "https://github.com/simonw/datasette/issues/1415#issuecomment-1255603780", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1415", "id": 1255603780, "node_id": "IC_kwDOBm6k_c5K1v5E", "user": {"value": 17532695, "label": "bendnorman"}, "created_at": "2022-09-22T22:06:10Z", "updated_at": "2022-09-22T22:06:10Z", "author_association": "NONE", "body": "This would be great! I just went through the process of figuring out the minimum permissions for a service account to run `datasette publish cloudrun` for [PUDL](https://github.com/catalyst-cooperative/pudl)'s [datasette deployment](https://data.catalyst.coop/). These are the roles I gave the service account (disclaimer: I'm not sure these are the minimum permissions):\r\n\r\n- Cloud Build Service Account: The SA needs this role to publish the build on Cloud Build. \r\n- Cloud Run Admin for the Cloud Run datasette service so the SA can deploy the build.\r\n- I gave the SA the Storage Admin role on the bucket Cloud Build creates to store the build tar files. \r\n- The Viewer Role is [required for storing build logs in the default bucket](https://cloud.google.com/build/docs/running-builds/submit-build-via-cli-api#permissions). More on this below!\r\n\r\nThe Viewer Role is a Basic IAM role that [Google does not recommend using](https://cloud.google.com/build/docs/running-builds/submit-build-via-cli-api#permissions):\r\n\r\n> Caution: Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited [predefined roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles) or [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that meet your needs.\r\n\r\nIf you don't grant the Viewer role the `gcloud builds submit` command will successfully create a build but returns exit code 1, preventing the script from getting to the cloud run step:\r\n\r\n```\r\nERROR: (gcloud.builds.submit)\r\nThe build is running, and logs are being written to the default logs bucket.\r\nThis tool can only stream logs if you are Viewer/Owner of the project and, if applicable, allowed by your VPC-SC security policy.\r\n\r\nThe default logs bucket is always outside any VPC-SC security perimeter.\r\nIf you want your logs saved inside your VPC-SC perimeter, use your own bucket.\r\nSee https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs.\r\n```\r\nlong stack trace...\r\n```\r\nCalledProcessError: Command 'gcloud builds submit --tag gcr.io/catalyst-cooperative-pudl/datasette' returned non-zero exit status 1.\r\n```\r\n\r\nYou can store Cloud Build logs in a [user-created bucket](https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs#store-custom-bucket) which only requires the Storage Admin role. However, you have to pass a config file to `gcloud builds submit`, which isn't possible with the current options for `datasette publish cloudrun`. \r\n\r\nI propose we add an additional CLI option to `datasette publish cloudrun` called `--build-config` that allows users to pass a [config file](https://cloud.google.com/build/docs/running-builds/submit-build-via-cli-api#running_builds) specifying a user-created Cloud Build log bucket. 
", "reactions": "{\"total_count\": 1, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 1, \"eyes\": 0}", "issue": {"value": 959137143, "label": "feature request: document minimum permissions for service account for cloudrun"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/1091#issuecomment-758280611", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1091", "id": 758280611, "node_id": "MDEyOklzc3VlQ29tbWVudDc1ODI4MDYxMQ==", "user": {"value": 6739646, "label": "tballison"}, "created_at": "2021-01-11T23:06:10Z", "updated_at": "2021-01-11T23:06:10Z", "author_association": "NONE", "body": "+1\r\n\r\nYep! Fixes it. If I navigate to https://corpora.tika.apache.org/datasette, I get a 404 (database not found: datasette), but if I navigate to https://corpora.tika.apache.org/datasette/file_profiles/, everything WORKS!\r\n\r\nThank you!", "reactions": "{\"total_count\": 1, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 1, \"eyes\": 0}", "issue": {"value": 742011049, "label": ".json and .csv exports fail to apply base_url"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/187#issuecomment-489353316", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/187", "id": 489353316, "node_id": "MDEyOklzc3VlQ29tbWVudDQ4OTM1MzMxNg==", "user": {"value": 46059, "label": "carsonyl"}, "created_at": "2019-05-04T18:36:36Z", "updated_at": "2019-05-04T18:36:36Z", "author_association": "NONE", "body": "Hi @simonw - I just hit this issue when trying out Datasette after your PyCon talk today. Datasette is pinned to Sanic 0.7.0, but it looks like 0.8.0 added the option to remove the uvloop dependency for Windows by having an environment variable `SANIC_NO_UVLOOP` at install time. Maybe that'll be sufficient before a port to Starlette?", "reactions": "{\"total_count\": 1, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 1, \"eyes\": 0}", "issue": {"value": 309033998, "label": "Windows installation error"}, "performed_via_github_app": null}