testing: use default service account (#4128)

Author: Takashi Matsuo

.kokoro/tests/run_tests.sh

@@ -55,13 +55,20 @@ fi
 # quota related errors. I think we can avoid this by changing the
 # order of tests to execute (e.g. reverse order for py-3.8
 # build). Currently there's no easy way to do that with btlr, so we
-# temporarily wait few minutes to avoid quota issue for py-3.8
-# presubmit build.
-if [[ "${RUN_TESTS_SESSION}" == "py-3.8" ]] \
-       && [[ "${KOKORO_JOB_NAME}" == *presubmit ]]; then
-    echo -n "Detected py-3.8 presubmit build,"
-    echo "Wait few minutes to avoid quota issues."
-    sleep 5m
+# temporarily wait few minutes to avoid quota issue for some
+# presubmit builds.
+if [[ "${KOKORO_JOB_NAME}" == *presubmit ]] \
+       && [[ -z "${DIFF_FROM:-}" ]]; then
+    if [[ "${RUN_TESTS_SESSION}" == "py-3.7" ]]; then
+	echo -n "Detected py-3.7 presubmit full build,"
+	echo "Wait 5 minutes to avoid quota issues."
+	sleep 5m
+    fi
+    if [[ "${RUN_TESTS_SESSION}" == "py-3.8" ]]; then
+	echo -n "Detected py-3.8 presubmit full build,"
+	echo "Wait 10 minutes to avoid quota issues."
+	sleep 10m
+    fi
 fi
 
 if [[ -z "${PROJECT_ROOT:-}" ]]; then
@@ -76,11 +83,9 @@ export PATH="${HOME}/.local/bin:${PATH}"
 # install nox for testing
 pip install --user -q nox
 
-# Use secrets acessor service account to get secrets.
-if [[ -f "${KOKORO_GFILE_DIR}/secrets_viewer_service_account.json" ]]; then
-    gcloud auth activate-service-account \
-	   --key-file="${KOKORO_GFILE_DIR}/secrets_viewer_service_account.json" \
-	   --project="cloud-devrel-kokoro-resources"
+# On kokoro, we should be able to use the default service account. We
+# need to somehow bootstrap the secrets on other CI systems.
+if [[ "${TRAMPOLINE_CI}" == "kokoro" ]]; then
     # This script will create 3 files:
     # - testing/test-env.sh
     # - testing/service-account.json

.kokoro/trampoline_v2.sh

@@ -133,27 +133,29 @@ if [[ -n "${KOKORO_BUILD_ID:-}" ]]; then
     # descriptive env var for indicating it's on CI.
     RUNNING_IN_CI="true"
     TRAMPOLINE_CI="kokoro"
+    # We should be able to use the default service account.
+    log_yellow "Configuring Container Registry access"
+    gcloud auth list
+    gcloud auth configure-docker --quiet
 fi
 
 # Configure the service account for pulling the docker image.
-if [[ "${TRAMPOLINE_CI:-}" == "kokoro" ]]; then
-    # Now we're re-using the trampoline service account.
-    # Potentially we can pass down this key into Docker for
-    # bootstrapping secret.
-    SERVICE_ACCOUNT_KEY_FILE="${KOKORO_GFILE_DIR}/kokoro-trampoline.service-account.json"
+if [[ -n "${TRAMPOLINE_SERVICE_ACCOUNT:-}" ]]; then
 
     mkdir -p "${tmpdir}/gcloud"
     gcloud_config_dir="${tmpdir}/gcloud"
 
     log_yellow "Using isolated gcloud config: ${gcloud_config_dir}."
     export CLOUDSDK_CONFIG="${gcloud_config_dir}"
 
-    log_yellow "Using ${SERVICE_ACCOUNT_KEY_FILE} for authentication."
+    log_yellow "Using ${TRAMPOLINE_SERVICE_ACCOUNT} for authentication."
     gcloud auth activate-service-account \
-	   --key-file "${SERVICE_ACCOUNT_KEY_FILE}"
+	   --key-file "${TRAMPOLINE_SERVICE_ACCOUNT}"
+    log_yellow "Configuring Container Registry access"
     gcloud auth configure-docker --quiet
 fi
 
+
 log_yellow "Changing to the project root: ${PROJECT_ROOT}."
 cd "${PROJECT_ROOT}"
 

scripts/decrypt-secrets.sh

@@ -32,10 +32,13 @@ fi
 PROJECT_ID="${SECRET_MANAGER_PROJECT:-cloud-devrel-kokoro-resources}"
 
 gcloud secrets versions access latest --secret="python-docs-samples-test-env" \
+       --project="${PROJECT_ID}" \
        > testing/test-env.sh
 gcloud secrets versions access latest \
        --secret="python-docs-samples-service-account" \
+       --project="${PROJECT_ID}" \
        > testing/service-account.json
 gcloud secrets versions access latest \
        --secret="python-docs-samples-client-secrets" \
+       --project="${PROJECT_ID}" \
        > testing/client-secrets.json