I have created in TF (0.11.14) a GCP role, attached it to a service account and also created a key for the latter as follows:
resource "google_service_account_key" "my_service_account_key" {
service_account_id = "${google_service_account.my_service_account.id}"
}
I then take the private_key as output in the following way:
output "my_service_account_private_key" {
value = "${google_service_account_key.my_service_account_key.private_key}"
sensitive = true
}
Which prints me a very long string in the likes of
ewogICJK49fo34KFo4 .... 49k92kljg==
Assuming the role has permissions enabling read/write to a GCS bucket, how can I pass the above credential / private key to a (GKE) pod / deployment, so that the pods are granted the specific service account (and therefore are able to perform what the corresponding permissions allow, as for example reading / writing to a bucket)?
Your main steps are
I believe you got steps 1 and 2 covered. I researched two examples (1, 2) that might be of some assistance for the remaining steps.
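As an added illustration of the remaining steps (this is not the answerer's code and not from the linked examples), the following TF 0.11 configuration stores the key from the question in a Kubernetes Secret and mounts it into a Deployment. It assumes a configured `kubernetes` provider pointing at the GKE cluster; the resource names, the image and the mount path are placeholders.

```hcl
# Added example, not part of the original question or answer.
# private_key is base64-encoded JSON, and the kubernetes provider base64-encodes
# "data" itself, so decode it first or the pod receives a double-encoded file.
resource "kubernetes_secret" "gcs_sa_key" {
  metadata {
    name = "gcs-sa-key"
  }

  data {
    "key.json" = "${base64decode(google_service_account_key.my_service_account_key.private_key)}"
  }
}

resource "kubernetes_deployment" "gcs_worker" {
  metadata {
    name = "gcs-worker"
  }

  spec {
    replicas = 1

    selector {
      match_labels {
        app = "gcs-worker"
      }
    }

    template {
      metadata {
        labels {
          app = "gcs-worker"
        }
      }

      spec {
        container {
          name  = "worker"
          image = "your-registry/your-worker:TAG" # placeholder image

          # Google client libraries load Application Default Credentials from
          # the file named here, so no code change is needed in the workload.
          env {
            name  = "GOOGLE_APPLICATION_CREDENTIALS"
            value = "/var/secrets/google/key.json"
          }

          volume_mount {
            name       = "gcs-sa-key"
            mount_path = "/var/secrets/google"
            read_only  = true
          }
        }

        volume {
          name = "gcs-sa-key"

          secret {
            secret_name = "${kubernetes_secret.gcs_sa_key.metadata.0.name}"
          }
        }
      }
    }
  }
}
```

The key is a long-lived credential that now lives in the cluster as well as in the Terraform state, so keep the role bound to that service account limited to the bucket it needs and restrict who can read the Secret and the state.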