From d036d72ddaf61a7a33e7616405a65314e5b4fef7 Mon Sep 17 00:00:00 2001
From: jianglai <jianglai@google.com>
Date: Mon, 16 Apr 2018 09:13:08 -0700
Subject: [PATCH] Add instruction on how to set "App Engine Admin" permission

The proxy service account needs a role that is considered "App Engine Admin" for OAuth to work.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=193049418
---
 docs/proxy-setup.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/proxy-setup.md b/docs/proxy-setup.md
index 3f6af8f1b..b3424d591 100644
--- a/docs/proxy-setup.md
+++ b/docs/proxy-setup.md
@@ -145,6 +145,15 @@ oAuth:
     - <client_id>
 ```
 
+This service account also needs to be an ["App Engine Admin"](https://github.com/google/nomulus/blob/3dfd141e0fed650b5eb2631b4345220355221b77/java/google/registry/request/auth/UserAuthInfo.java#L31),
+which means it needs to granted a role like "Project Viewer":
+
+```bash
+$ gcloud add-iam-binding <nomulus-project> \
+ --member=serviceAccount:<service-account-email> \
+ --role=roles/viewer
+ ```
+
 ### Setup nameservers
 
 The terraform output (run `terraform output` in the environment folder to show