cloudbuild: iam policy for lookup_service

IAM policy binding for the lookup service cloud functions. This was
earlier managed through terraform; moving it here so that all cloud
function related resources are managed through cloudbuild.

BUG=b:264670075
TEST=Push patchset to gerrit && validate deployment on the staging cloud
run service

Change-Id: I079137c8fedaf8fc829a80bdcbe93bd8a943cdd9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/infra/build/prebuilts-cloud/+/5095906
Tested-by: GCB User <782851717939@cloudbuild.gserviceaccount.com>
Reviewed-by: Cindy Lin <xcl@google.com>
Tested-by: Nikhil Gumidelli <nikhilgm@google.com>
Commit-Queue: Nikhil Gumidelli <nikhilgm@google.com>
diff --git a/cloudbuild/prod-cloudbuild.yaml b/cloudbuild/prod-cloudbuild.yaml
index ca9be06..d2fabf2 100644
--- a/cloudbuild/prod-cloudbuild.yaml
+++ b/cloudbuild/prod-cloudbuild.yaml
@@ -1,4 +1,5 @@
 steps:
+# Cloud function to lookup binhosts.
 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   args:
   - gcloud
@@ -13,6 +14,18 @@
   - --service-account=prod-binhost-lookup-service@chromeos-prebuilts.iam.gserviceaccount.com
   - --source=cloud_functions/.
   - --trigger-http
+# IAM policy binding to make the lookup binhosts endpoint public.
+- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
+  args:
+  - gcloud
+  - run
+  - services
+  - add-iam-policy-binding
+  - prod-lookup-service-binhosts
+  - --member=allUsers
+  - --region=us-central1
+  - --role=roles/run.invoker
+# Cloud function to update binhost metadata.
 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   args:
   - gcloud
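Review bot: The new step binds `roles/run.invoker` to `allUsers` on `prod-lookup-service-binhosts`, so anyone on the internet can invoke the service without authenticating, and the comment above it says "public" without recording why that is required. I would expand the comment to something like `# Intentionally unauthenticated (allUsers): the handler must treat every request as untrusted input.` so the exposure reads as a decision rather than a default. `add-iam-policy-binding` is also additive: re-running it on every build never removes other invoker bindings already on the service, so this step may not enforce the policy the way the terraform resource did, and a periodic `gcloud run services get-iam-policy` check would cover that gap. The same points apply to the matching hunk in cloudbuild/staging-cloudbuild.yaml. The deploy step that precedes this one starts outside the hunk.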
@@ -31,6 +44,7 @@
   - --source=cloud_functions/.
   - --trigger-topic=prod-update_binhost_data
   - --vpc-connector=prod-prebuilts-conn
+# Cloud function to update snapshot metadata.
 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   args:
   - gcloud
diff --git a/cloudbuild/staging-cloudbuild.yaml b/cloudbuild/staging-cloudbuild.yaml
index 8224f28..717a386 100644
--- a/cloudbuild/staging-cloudbuild.yaml
+++ b/cloudbuild/staging-cloudbuild.yaml
@@ -1,4 +1,5 @@
 steps:
+# Cloud function to lookup binhosts.
 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   args:
   - gcloud
@@ -13,6 +14,18 @@
   - --service-account=staging-binhost-lookup-service@chromeos-prebuilts.iam.gserviceaccount.com
   - --source=cloud_functions/.
   - --trigger-http
+# IAM policy binding to make the lookup binhosts endpoint public.
+- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
+  args:
+  - gcloud
+  - run
+  - services
+  - add-iam-policy-binding
+  - staging-lookup-service-binhosts
+  - --member=allUsers
+  - --region=us-central1
+  - --role=roles/run.invoker
+# Cloud function to update binhost metadata.
 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   args:
   - gcloud
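Review bot: The staging service is opened to `allUsers` as well, although the commit's TEST line only describes validating the deployment on staging. If that validation does not need anonymous access, a narrower member would keep pre-release code off the public internet, e.g. `- --member=group:STAGING_TESTERS_GROUP_PLACEHOLDER` in place of `- --member=allUsers`. If staging has to mirror prod exactly, I would say so in the comment on this step.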
@@ -31,6 +44,7 @@
   - --source=cloud_functions/.
   - --trigger-topic=staging-update_binhost_data
   - --vpc-connector=staging-prebuilts-conn
+# Cloud function to update snapshot metadata.
 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   args:
   - gcloud