From 4e9364665926a9cda0deb573b62f56f3a2217073 Mon Sep 17 00:00:00 2001
From: fullsend-code
Date: Mon, 11 May 2026 08:41:23 +0000
Subject: [PATCH] fix: make GCP resource creation commands idempotent for reinstall

Guard all `gcloud create` commands in the installation guide with a `describe` check so they skip creation when the resource already exists. This prevents the misleading PERMISSION_DENIED error users hit when re-running the installation steps during an upgrade.
Fixes #644
Co-Authored-By: Claude Opus 4.6
---
 docs/guides/admin/installation.md | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/docs/guides/admin/installation.md b/docs/guides/admin/installation.md
index 43b7b4583..6a2fe74fa 100644
--- a/docs/guides/admin/installation.md
+++ b/docs/guides/admin/installation.md
@@ -36,13 +36,17 @@ Fullsend supports two methods for authenticating to Vertex AI. **Workload Identi
 WIF lets GitHub Actions exchange short-lived OIDC tokens for GCP access tokens. No service account keys are stored.
+> **Re-running these commands is safe.** Each `create` command is guarded by a `describe` check so it skips creation if the resource already exists. You can re-run the entire setup when upgrading or reinstalling.
+
 **1a. Create a service account**
 ```bash
 export GCP_PROJECT=""
 export ORG_NAME=""
-gcloud iam service-accounts create fullsend-agent \
+gcloud iam service-accounts describe "fullsend-agent@$GCP_PROJECT.iam.gserviceaccount.com" \
+ --project="$GCP_PROJECT" 2>/dev/null \
+|| gcloud iam service-accounts create fullsend-agent \
 --display-name="Fullsend agent inference" \
 --project="$GCP_PROJECT"
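Review bot: The `2>/dev/null ||` guard in step 1a treats every failure of `describe` as "resource does not exist", so an expired login, a wrong or empty `$GCP_PROJECT`, or a missing `iam.serviceAccounts.get` permission falls through to `create` with the real error discarded. That can reproduce the misleading PERMISSION_DENIED this commit sets out to remove. The same pattern is repeated in the pool and provider guards in 1b and in the service-account-key section. Consider adding a sentence under the "Re-running these commands is safe" note such as `If a create step still fails, run the describe command on its own without 2>/dev/null to see why the lookup failed.` The code block continues past the end of the hunk.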
@@ -55,12 +59,19 @@ gcloud projects add-iam-policy-binding "$GCP_PROJECT" \
 **1b. Create a Workload Identity Pool and OIDC Provider**
 ```bash
-gcloud iam workload-identity-pools create github-actions \
+gcloud iam workload-identity-pools describe github-actions \
+ --location=global \
+ --project="$GCP_PROJECT" 2>/dev/null \
+|| gcloud iam workload-identity-pools create github-actions \
 --location=global \
 --display-name="GitHub Actions" \
 --project="$GCP_PROJECT"
-gcloud iam workload-identity-pools providers create-oidc github \
+gcloud iam workload-identity-pools providers describe github \
+ --location=global \
+ --workload-identity-pool=github-actions \
+ --project="$GCP_PROJECT" 2>/dev/null \
+|| gcloud iam workload-identity-pools providers create-oidc github \
 --location=global \
 --workload-identity-pool=github-actions \
 --issuer-uri="https://token.actions.githubusercontent.com" \
@@ -113,7 +124,9 @@ Create a service account with the `Vertex AI User` role and download its key:
 export GCP_PROJECT=""
 export ORG_NAME=""
-gcloud iam service-accounts create "$ORG_NAME" \
+gcloud iam service-accounts describe "$ORG_NAME@$GCP_PROJECT.iam.gserviceaccount.com" \
+ --project="$GCP_PROJECT" 2>/dev/null \
+|| gcloud iam service-accounts create "$ORG_NAME" \
 --display-name="Fullsend for $ORG_NAME" \
 --project="$GCP_PROJECT"
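Review bot: Skipping `create-oidc` in step 1b whenever a provider named `github` already exists means its issuer URI, attribute mapping and attribute condition are never compared with the values in this guide. A provider left over from an earlier or manual setup therefore keeps deciding which GitHub tokens are accepted, and the same applies to an existing `github-actions` pool. The guide should tell the admin to read the `describe` output (printed on success) and reconcile any difference with `gcloud iam workload-identity-pools providers update-oidc`, and the "Re-running these commands is safe" note should state that existing resources are reused unchanged. A soft-deleted pool or provider is presumably still returned by `describe`, so a line on checking its `state` would help. The remaining `create-oidc` flags lie outside the hunk.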
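Review bot: In the service-account-key section, a re-run with an existing `$ORG_NAME` account now passes the guard and continues to whatever key step follows, so each re-run would presumably add another long-lived key while the earlier ones stay valid. The hunk heading mentions downloading a key, but that command is outside the hunk, so this is inferred. A sentence after the code block could say `On reinstall, list existing keys with gcloud iam service-accounts keys list --iam-account="$ORG_NAME@$GCP_PROJECT.iam.gserviceaccount.com" and delete the ones no longer in use.`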