Google Service Account
Service Accounts
Kubes can automatically create the Google Service Account (GSA) that GKE Workload Identity maps to your Kubernetes Service Account (KSA).
Here’s a Kubes hook that creates a service account:
.kubes/config/hooks/kubes.rb

```ruby
service_account = KubesGoogle::ServiceAccount.new(
  app: "demo",
  namespace: "demo-#{Kubes.env}", # defaults to APP-ENV when not set. IE: demo-dev
  roles: ["cloudsql.client", "secretmanager.viewer"], # defaults to empty when not set
)
before("apply",
  label: "create service account",
  execute: service_account,
)
```
The corresponding Kubernetes Service Account looks like this:

.kubes/resources/shared/service_account.yaml

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: demo-<%= Kubes.env %>@<%= ENV['GOOGLE_PROJECT'] %>.iam.gserviceaccount.com
  name: demo
  labels:
    app: demo
```
Roles are currently only ever added to the Google service account's existing IAM bindings. Removing a role from `roles:` does not revoke it, so permissions granted by an earlier apply persist until you remove the binding yourself.
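Because the hook never revokes anything, it is worth periodically diffing the roles the hook declares against what IAM actually grants the GSA. The following audit script is an added example, not part of kubes_google; the policy JSON, project id and GSA address are constructed, and the policy is assumed to be in the shape of a `gcloud projects get-iam-policy PROJECT --format=json` export.

```ruby
require "json"

# Constructed sample IAM policy (assumption: only the `bindings` array matters
# here; IAM conditions are ignored). The GSA still holds two roles that were
# dropped from the Kubes hook at some point.
SAMPLE_POLICY = <<~JSON
{
  "bindings": [
    {"role": "roles/cloudsql.client",
     "members": ["serviceAccount:demo-dev@my-project.iam.gserviceaccount.com",
                 "serviceAccount:other@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/secretmanager.viewer",
     "members": ["serviceAccount:demo-dev@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:demo-dev@my-project.iam.gserviceaccount.com"]}
  ]
}
JSON

# Roles IAM currently binds to the GSA, as short names ("cloudsql.client"),
# the same form the hook's `roles:` option uses.
def bound_roles(policy_json, gsa_email)
  member = "serviceAccount:#{gsa_email}"
  JSON.parse(policy_json)["bindings"]
      .select { |b| b["members"].include?(member) }
      .map { |b| b["role"].delete_prefix("roles/") }
      .sort
end

# Roles still granted in IAM that the hook no longer declares. Since the hook
# only adds bindings, these stay in place until revoked by hand.
def stale_roles(policy_json, gsa_email, declared_roles)
  bound_roles(policy_json, gsa_email) - declared_roles
end

# Roles the hook declares that IAM does not grant yet (added on next apply).
def missing_roles(policy_json, gsa_email, declared_roles)
  declared_roles - bound_roles(policy_json, gsa_email)
end

if $PROGRAM_NAME == __FILE__
  gsa = "demo-dev@my-project.iam.gserviceaccount.com" # constructed
  declared = ["cloudsql.client"] # what the hook currently lists in roles:
  stale_roles(SAMPLE_POLICY, gsa, declared).each do |role|
    puts "stale binding: roles/#{role} on #{gsa} (revoke with " \
         "gcloud projects remove-iam-policy-binding)"
  end
end
```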
Variables
ServiceAccount#initialize options:
| Variable | Description | Default |
|---|---|---|
| app | The app name. It's used to derive the other variables conventionally. This is required. | nil |
| gsa | The Google Service Account name. The conventional name is APP-ENV. IE: demo-dev. | APP-ENV |
| ksa | The Kubernetes Service Account name. The conventional name is APP. IE: demo. | APP |
| namespace | The Kubernetes namespace. Defaults to APP-ENV. IE: demo-dev. | APP-ENV |
| roles | Google IAM roles to add. This grants permissions to the Google service account. | [] |
Relevant environment variables:
| Name | Description |
|---|---|
| GOOGLE_PROJECT | Google project id. This is required as it's used to build the full service account name. |