Create Cloud Identity on Google Cloud

This guide walks you through creating a Workload Identity on Google Cloud and granting it permissions to access Rok buckets on Google Cloud Storage.

Procedure

  1. Select the name of the Google service account for Rok to use:

    root@rok-tools:~# export GCP_SERVICE_ACCOUNT=rok-${GKE_CLUSTER?}
  2. Create the Google service account:

    root@rok-tools:~# gcloud iam service-accounts create \
    > --display-name ${GCP_SERVICE_ACCOUNT?} \
    > ${GCP_SERVICE_ACCOUNT?}
  3. Retrieve the email of the service account:

    root@rok-tools:~# export GCP_SERVICE_ACCOUNT_EMAIL=$(\
    > gcloud iam service-accounts list \
    > --format "value(email)" \
    > --filter "displayName:${GCP_SERVICE_ACCOUNT?}")
  4. Select the namespace in which to deploy Rok:

    root@rok-tools:~# export ROK_CLUSTER_NAMESPACE=rok
  5. Select the name of the Rok cluster:

    root@rok-tools:~# export ROK_CLUSTER_NAME=rok
  6. Select the bucket prefix Rok will use to store its snapshots in Google Cloud Storage:

    root@rok-tools:~# export BUCKET_PREFIX=rok-${PROJECT_ID?}-${ZONE?}-${GKE_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}
  7. Remove the Rok cluster namespace and name from the bucket prefix if they are both equal to rok:

    root@rok-tools:~# export BUCKET_PREFIX=${BUCKET_PREFIX%-rok-rok}
  8. Verify that the bucket prefix you specified is not more than 52 characters long:

    root@rok-tools:~# [[ ${#BUCKET_PREFIX} -le 52 ]] && echo OK || echo FAIL
    OK

    Troubleshooting

    The output of the command is FAIL

    Go back to step 6 and specify a shorter bucket prefix.

  9. Select the title for the condition that restricts access to Rok buckets:

    root@rok-tools:~# export TITLE="Only allow access to Rok buckets"
  10. Define the expression for the condition to restrict access to Rok buckets:

    root@rok-tools:~# export EXPRESSION="resource.name.startsWith(\"projects/_/buckets/${BUCKET_PREFIX?}\")"
  11. Allow the Google service account to access buckets used by Rok in your project on Google Cloud Storage:

    root@rok-tools:~# gcloud projects add-iam-policy-binding \
    > --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL?} \
    > --role roles/storage.admin \
    > --condition "title=${TITLE?},expression=${EXPRESSION?}" \
    > ${PROJECT_ID?}
  12. Enable Rok’s Kubernetes service account to use the Google service account:

    root@rok-tools:~# gcloud iam service-accounts \
    > add-iam-policy-binding \
    > --role roles/iam.workloadIdentityUser \
    > --member "serviceAccount:${PROJECT_ID?}.svc.id.goog[${ROK_CLUSTER_NAMESPACE?}/${ROK_CLUSTER_NAME?}]" \
    > ${GCP_SERVICE_ACCOUNT_EMAIL?}
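Steps 6 through 10 derive the bucket prefix, trim it, check its length and turn it into the IAM condition expression. The following script is an added example, not part of the Rok documentation or the Rok tooling: it reproduces that derivation as reusable shell functions and then evaluates the `startsWith` condition locally against constructed bucket resource names, so you can see which buckets a given prefix puts in scope before you bind the role. All sample values (project, zone, cluster and bucket names) are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Rok documentation): derive the bucket prefix
# and IAM condition exactly as steps 6 to 10 do, then evaluate the condition
# locally against constructed resource names.

# derive_prefix PROJECT_ID ZONE GKE_CLUSTER NAMESPACE CLUSTER_NAME
# Prints the bucket prefix, dropping the trailing "-rok-rok" when both the
# namespace and the cluster name are "rok" (step 7).
derive_prefix() {
    prefix="rok-$1-$2-$3-$4-$5"
    printf '%s\n' "${prefix%-rok-rok}"
}

# prefix_ok PREFIX -> exits 0 when the prefix is at most 52 characters (step 8)
prefix_ok() {
    [ "${#1}" -le 52 ]
}

# condition_expression PREFIX -> the condition expression used in step 10
condition_expression() {
    printf 'resource.name.startsWith("projects/_/buckets/%s")\n' "$1"
}

# matches_condition PREFIX RESOURCE_NAME -> exits 0 when the startsWith
# expression would be true for that resource name. Note that this is a plain
# prefix match: any bucket whose name begins with PREFIX is in scope.
matches_condition() {
    case "$2" in
        "projects/_/buckets/$1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed inputs mirroring the sample output in the Verify section.
PREFIX=$(derive_prefix myproject us-east1-b arrikto-cluster rok rok)
echo "prefix: $PREFIX"
prefix_ok "$PREFIX" && echo OK || echo FAIL
echo "condition: $(condition_expression "$PREFIX")"

for name in \
    "projects/_/buckets/${PREFIX}-snapshots" \
    "projects/_/buckets/${PREFIX}-other-team" \
    "projects/_/buckets/unrelated-bucket"
do
    if matches_condition "$PREFIX" "$name"; then
        echo "in scope:     $name"
    else
        echo "out of scope: $name"
    fi
done
```

Because the condition is a prefix match, a bucket such as `rok-myproject-us-east1-b-arrikto-cluster-other-team` would also fall under the `storage.admin` grant; keeping the prefix specific to this cluster keeps the binding close to least privilege.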

Verify

  1. Verify that your bucket prefix is not more than 52 characters long:

    root@rok-tools:~# [[ ${#BUCKET_PREFIX} -le 52 ]] && echo OK || echo FAIL
    OK

    Troubleshooting

    The output of the command is FAIL

    If the output of the above command is FAIL, it means that the bucket prefix you specified is not short enough for the buckets that Rok will create.

    To proceed, run the following steps:

    1. Delete the Google service account you created for Rok:

      root@rok-tools:~# gcloud iam service-accounts \
      > delete ${GCP_SERVICE_ACCOUNT_EMAIL?}
      You are about to delete service account [rok-arrikto-cluster@myproject.iam.gserviceaccount.com].
      Do you want to continue (Y/n)? Y
      deleted service account [rok-arrikto-cluster@myproject.iam.gserviceaccount.com]
    2. Repeat the Procedure and select a shorter bucket prefix.

  2. Ensure that Rok’s Kubernetes service account can use the Google service account by verifying that the iam.workloadIdentityUser role is assigned to the service account with the same namespace and name as Rok:

    root@rok-tools:~# gcloud iam service-accounts \
    > get-iam-policy ${GCP_SERVICE_ACCOUNT_EMAIL?}
    bindings:
    - members:
      - serviceAccount:myproject.svc.id.goog[rok/rok]
      role: roles/iam.workloadIdentityUser
    etag: BwXDFvKhrQM=
    version: 1
  3. Ensure that the Google service account can access the buckets used by Rok in your project on Google Cloud Storage by verifying that the storage.admin role is assigned and the condition limits access to buckets whose name starts with rok-<PROJECT_ID>-<ZONE>-<GKE_CLUSTER>:

    root@rok-tools:~# gcloud projects get-iam-policy ${PROJECT_ID?} \
    > --flatten "bindings[].members" \
    > --filter "bindings.members:serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL?}"
    ---
    bindings:
      condition:
        expression: resource.name.startsWith("projects/_/buckets/rok-myproject-us-east1-b-arrikto-cluster")
        title: Only allow access to Rok buckets
      members: serviceAccount:rok-arrikto-cluster@myproject.iam.gserviceaccount.com
      role: roles/storage.admin
    etag: BwXDowzw1fE=
    version: 3

Summary

You have successfully created the cloud identity Rok will use to gain access to your platform’s object storage service.

What’s Next

The next step is to authorize Rok to access the object storage service using the cloud identity you created.