Configuring Kubernetes Service Account to Assume an IAM Role
To deploy the SPE Cloud Connector for GCP, you need to configure a Kubernetes service account to assume a GCP Identity and Access Management (IAM) role. Any Pods that are configured to use the service account can then access the required GCP services that the role has permissions to access.
To set the permissions and enable Workload Identity for the Kubernetes service account:
- Download the script.
- Open the Cloud Shell or use a local command line.
- Set the values in gcpconfig.json and assets.csv and place both files inside the script folder.
- Edit the script to set the following variables:

  ```powershell
  # Replace the variables below; the script creates them if they do not already exist.
  # K8S_NAMESPACE is the Kubernetes namespace; KSA is the Kubernetes service account (sa stands for service account).
  $env:K8S_NAMESPACE = "default"
  $env:KSA_NAME = "spe-gcp-kubernetes-sa-name"
  # Enter the GSA (Google Service Account) name.
  $env:GSA_NAME = "spe-gcp-sa-name"
  # Replace the variables below; all of these must already exist.
  $env:PROJECT_ID = "project-id"
  $env:CLUSTER_NAME = "gke-cluster-name"
  $env:ZONE = "us-west1"
  $env:CLUSTER_POOL_NAME = "default-pool"
  # Configure assets.csv and gcpconfig.json before executing this script.
  $env:assetFile = "assets.csv"
  $env:gcpConfigFile = "gcpconfig.json"
  ```
- Execute the script to create the service account and set the role.
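The steps the script carries out, written out as an added bash example (not the SPE Cloud Connector's own script): create the Google service account, grant it a project role, create the Kubernetes service account, and bind the two with Workload Identity. The role granted to the GSA (`roles/viewer`) is an assumption, since the page does not name one; the script runs in dry-run mode by default and only prints the `gcloud` and `kubectl` commands it would execute.

```shell
#!/usr/bin/env bash
# Added example (not the SPE Cloud Connector script): bind a Kubernetes service
# account (KSA) to a Google service account (GSA) with GKE Workload Identity.
# Assumes Workload Identity is already enabled on the cluster's node pool.
set -eu

# Same variable names as the product script; the values are placeholders.
PROJECT_ID="${PROJECT_ID:-project-id}"
K8S_NAMESPACE="${K8S_NAMESPACE:-default}"
KSA_NAME="${KSA_NAME:-spe-gcp-kubernetes-sa-name}"
GSA_NAME="${GSA_NAME:-spe-gcp-sa-name}"
# ROLE is an assumption: the page does not say which role the GSA receives.
ROLE="${ROLE:-roles/viewer}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, so this runs offline

# E-mail address GCP derives for a GSA from its name and project.
gsa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Workload Identity principal of a KSA: serviceAccount:PROJECT.svc.id.goog[NS/KSA]
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"; }

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

bind_workload_identity() {
  email="$(gsa_email "$GSA_NAME" "$PROJECT_ID")"
  member="$(wi_member "$PROJECT_ID" "$K8S_NAMESPACE" "$KSA_NAME")"

  # 1. GSA that holds the GCP permissions the Pods need.
  run gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "serviceAccount:$email" --role "$ROLE"

  # 2. KSA in the namespace the connector Pods run in.
  run kubectl create serviceaccount "$KSA_NAME" --namespace "$K8S_NAMESPACE"

  # 3. Let only this KSA (matched by namespace and name) impersonate the GSA.
  run gcloud iam service-accounts add-iam-policy-binding "$email" \
      --project "$PROJECT_ID" --role roles/iam.workloadIdentityUser --member "$member"

  # 4. Annotate the KSA so GKE maps its tokens to the GSA.
  run kubectl annotate serviceaccount "$KSA_NAME" --namespace "$K8S_NAMESPACE" \
      "iam.gke.io/gcp-service-account=$email" --overwrite
}

bind_workload_identity
```

Set `DRY_RUN=0` to execute the commands against a project where you are authenticated; the `workloadIdentityUser` binding is scoped to one namespace/KSA pair, so a KSA of the same name in another namespace cannot impersonate the GSA.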