From 28ebe5d0b0c8e30fa1a9c60f03e411086c00ad3d Mon Sep 17 00:00:00 2001
From: Victor Hugo Vianna Silva <victorvianna@google.com>
Date: Thu, 16 Oct 2025 18:26:02 +0100
Subject: [PATCH] Fix led failing due to service account disallowed

Follow-up to https://crrev.com/c/7046060.
Comparing the files below, we see the issue's root cause.

https://source.chromium.org/chromium/chromium/src/+/main:third_party/libyuv/infra/config/cr-buildbucket.cfg;l=607-620;drc=110e00ea9693e9feed3f6bb49cf7a9497440bca1
https://source.chromium.org/chromium/chromium/src/+/main:third_party/angle/infra/config/generated/cr-buildbucket.cfg;l=2143-2154;drc=722572ab69816657492c1155dad7f99e3e2629ea

Bug: None
Change-Id: Iaf339950db4e8b414719057ae81ba5b850f0aace
Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/7050097
Reviewed-by: Wan-Teh Chang <wtc@google.com>
Reviewed-by: Jeremy Leconte <jleconte@google.com>
Reviewed-by: Frank Barchard <fbarchard@chromium.org>
---
 infra/config/cr-buildbucket.cfg | 2 ++
 infra/config/main.star          | 6 ++++++
 infra/config/realms.cfg         | 8 ++++++++
 3 files changed, 16 insertions(+)

diff --git a/infra/config/cr-buildbucket.cfg b/infra/config/cr-buildbucket.cfg
index 3388f02fb..3dc066c09 100644
--- a/infra/config/cr-buildbucket.cfg
+++ b/infra/config/cr-buildbucket.cfg
@@ -615,6 +615,7 @@ buckets {
   }
   constraints {
     pools: "luci.flex.ci"
+    service_accounts: "libyuv-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
   }
   dynamic_builder_template {}
 }
@@ -1173,6 +1174,7 @@ buckets {
   }
   constraints {
     pools: "luci.flex.try"
+    service_accounts: "libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com"
   }
   dynamic_builder_template {}
 }
diff --git a/infra/config/main.star b/infra/config/main.star
index 32e2505e4..50f464dea 100755
--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -177,6 +177,9 @@ luci.bucket(
     shadows = "ci",
     constraints = luci.bucket_constraints(
         pools = ["luci.flex.ci"],
+        service_accounts = [
+          "libyuv-ci-builder@chops-service-accounts.iam.gserviceaccount.com",
+        ],
     ),
     bindings = [
         # For led permissions.
@@ -212,6 +215,9 @@ luci.bucket(
     shadows = "try",
     constraints = luci.bucket_constraints(
         pools = ["luci.flex.try"],
+        service_accounts = [
+            "libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com",
+        ],
     ),
     bindings = [
         # For led permissions.
diff --git a/infra/config/realms.cfg b/infra/config/realms.cfg
index ba9b20b89..b4bae90ea 100644
--- a/infra/config/realms.cfg
+++ b/infra/config/realms.cfg
@@ -64,6 +64,10 @@ realms {
 }
 realms {
   name: "ci.shadow"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:libyuv-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
   bindings {
     role: "role/buildbucket.creator"
     principals: "group:chromium-led-users"
@@ -93,6 +97,10 @@ realms {
 }
 realms {
   name: "try.shadow"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
   bindings {
     role: "role/buildbucket.creator"
     principals: "group:chromium-led-users"