Skip to content

Clean up SA keys used as workaround for payment-jobs and ftp-poller GCP pubsub access #33705

Description

@Jxio

Background:
During April 2026, an incident required SA keys to be created as deployment workarounds:

#33222 — ftp-poller deployment issue; SA key sa-api created as workaround
#33223 — payment-jobs unable to publish to activity and account mailer queues; SA key sa-job created as workaround. Multiple PRs were required due to instability (2369 revert gcp config → 2376 revert of revert → 2371 permission check tester)

Goal:
Remove the temporary SA keys once the underlying GCP Workload Identity / IAM configuration is confirmed stable

AC:
Feature branch created for the cleanup
Regression run in dev confirming payment-jobs can publish to AUTH_EVENT_TOPIC and ACCOUNT_MAILER_TOPIC without SA keys
ftp-poller deployment confirmed working without SA key
PR 2355 merged after regression passes
Anish (Patel) notified once keys are safe to delete

Related:
#33222, #33223
PRs: #2355, #2369 #2371, #2376, #2385

Metadata

Metadata

Assignees

No one assigned

    Labels

    PayWork for Pay Team

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions