Create Cloud Identity on Google Cloud

This guide walks you through creating a Workload Identity on Google Cloud and granting it permission to access Rok buckets on Google Cloud Storage.

Procedure

  1. Select the name of the Google service account for Rok to use:

    root@rok-tools:~# export GCP_SERVICE_ACCOUNT=rok-${GKE_CLUSTER?}
    
  2. Create the Google service account:

    root@rok-tools:~# gcloud iam service-accounts create \
    >   --display-name ${GCP_SERVICE_ACCOUNT?} \
    >   ${GCP_SERVICE_ACCOUNT?}
    
  3. Retrieve the email of the service account:

    root@rok-tools:~# export GCP_SERVICE_ACCOUNT_EMAIL=$(\
    >   gcloud iam service-accounts list \
    >   --format "value(email)" \
    >   --filter "displayName:${GCP_SERVICE_ACCOUNT?}")
    
  4. Select the namespace in which to deploy Rok:

    root@rok-tools:~# export ROK_CLUSTER_NAMESPACE=rok
    
  5. Select the name of the Rok cluster:

    root@rok-tools:~# export ROK_CLUSTER_NAME=rok
    
  6. Select the bucket prefix Rok will use to store its snapshots in Google Cloud Storage:

    root@rok-tools:~# export BUCKET_PREFIX=rok-${PROJECT_ID?}-${ZONE?}-${GKE_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}
    
  7. Drop the trailing -rok-rok suffix from the bucket prefix if the Rok cluster namespace and name are both equal to rok:

    root@rok-tools:~# export BUCKET_PREFIX=${BUCKET_PREFIX%-rok-rok}
    
  8. Select the title for the condition that restricts access to Rok buckets:

    root@rok-tools:~# export TITLE="Only allow access to Rok buckets"
    
  9. Define the expression for the condition to restrict access to Rok buckets:

    root@rok-tools:~# export EXPRESSION="resource.name.startsWith(\"projects/_/buckets/${BUCKET_PREFIX?}\")"
    
  10. Allow the Google service account to access buckets used by Rok in your project on Google Cloud Storage:

    root@rok-tools:~# gcloud projects add-iam-policy-binding \
    >   --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL?} \
    >   --role roles/storage.admin \
    >   --condition "title=${TITLE?},expression=${EXPRESSION?}" \
    >   ${PROJECT_ID?}
    
  11. Enable Rok's Kubernetes service account to use the Google service account:

    root@rok-tools:~# gcloud iam service-accounts \
    >   add-iam-policy-binding \
    >   --role roles/iam.workloadIdentityUser \
    >   --member "serviceAccount:${PROJECT_ID?}.svc.id.goog[${ROK_CLUSTER_NAMESPACE?}/${ROK_CLUSTER_NAME?}]" \
    >   ${GCP_SERVICE_ACCOUNT_EMAIL?}
    

Verify

  1. Ensure that Rok's Kubernetes service account can use the Google service account by verifying that the iam.workloadIdentityUser role is bound to the Workload Identity member whose namespace and name match those of Rok:

    root@rok-tools:~# gcloud iam service-accounts \
    >   get-iam-policy ${GCP_SERVICE_ACCOUNT_EMAIL?}
    bindings:
    - members:
      - serviceAccount:myproject.svc.id.goog[rok/rok]
      role: roles/iam.workloadIdentityUser
    etag: BwXDFvKhrQM=
    version: 1
    
  2. Ensure that the Google service account can access the buckets used by Rok in your project on Google Cloud Storage by verifying that the storage.admin role is assigned and the condition limits access to buckets whose name starts with rok-<PROJECT_ID>-<ZONE>-<GKE_CLUSTER>:

    root@rok-tools:~# gcloud projects get-iam-policy ${PROJECT_ID?} \
    >   --flatten "bindings[].members" \
    >   --filter "bindings.members:serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL?}"
    ---
    bindings:
      condition:
        expression: resource.name.startsWith("projects/_/buckets/rok-myproject-us-east1-b-arrikto-cluster")
        title: Only allow access to Rok buckets
      members: serviceAccount:rok-arrikto-cluster@myproject.iam.gserviceaccount.com
      role: roles/storage.admin
    etag: BwXDowzw1fE=
    version: 3
    
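As an added example that is not part of the Rok documentation, the following Python reproduces the bucket-prefix and condition logic of steps 6 through 9 and audits saved policy output (the JSON form of the two gcloud get-iam-policy commands used in Verify) for the bindings those steps inspect, flagging a storage.admin grant that lacks the condition. The sample policies are constructed from the values shown above; the function names are assumptions of this example.

```python
ROLE_STORAGE = "roles/storage.admin"
ROLE_WI_USER = "roles/iam.workloadIdentityUser"

def bucket_prefix(project, zone, cluster, namespace="rok", name="rok"):
    """Steps 6-7: build BUCKET_PREFIX and drop the trailing '-rok-rok',
    mirroring ${BUCKET_PREFIX%-rok-rok} (a no-op unless both are 'rok')."""
    prefix = f"rok-{project}-{zone}-{cluster}-{namespace}-{name}"
    return prefix[:-len("-rok-rok")] if prefix.endswith("-rok-rok") else prefix

def condition_expression(prefix):
    """Step 9: the CEL condition that scopes storage.admin to Rok's buckets."""
    return f'resource.name.startsWith("projects/_/buckets/{prefix}")'

def audit_project_policy(policy, sa_email, prefix):
    """Check a project policy (gcloud projects get-iam-policy --format json) for the
    service account's storage.admin binding; returns findings, empty if as expected."""
    member = f"serviceAccount:{sa_email}"
    matched = [b for b in policy.get("bindings", [])
               if b.get("role") == ROLE_STORAGE and member in b.get("members", [])]
    if not matched:
        return [f"{member} has no {ROLE_STORAGE} binding"]
    findings = []
    for b in matched:
        cond = b.get("condition")
        if cond is None:  # unconditioned storage.admin reaches every bucket in the project
            findings.append(f"{member} holds {ROLE_STORAGE} project-wide (no condition)")
        elif cond.get("expression") != condition_expression(prefix):
            findings.append(f"condition does not match Rok prefix: {cond.get('expression')}")
    return findings

def audit_sa_policy(sa_policy, project, namespace, name):
    """Check the service account's own policy (gcloud iam service-accounts
    get-iam-policy --format json) for the Workload Identity binding of step 11."""
    want = f"serviceAccount:{project}.svc.id.goog[{namespace}/{name}]"
    for b in sa_policy.get("bindings", []):
        if b.get("role") == ROLE_WI_USER and want in b.get("members", []):
            return []
    return [f"{want} is not bound as {ROLE_WI_USER}"]

# Constructed sample policies using the values shown in the Verify section.
SA_EMAIL = "rok-arrikto-cluster@myproject.iam.gserviceaccount.com"
PREFIX = bucket_prefix("myproject", "us-east1-b", "arrikto-cluster")
SAMPLE_PROJECT_POLICY = {"version": 3, "bindings": [{
    "role": ROLE_STORAGE, "members": [f"serviceAccount:{SA_EMAIL}"],
    "condition": {"title": "Only allow access to Rok buckets",
                  "expression": condition_expression(PREFIX)}}]}
SAMPLE_SA_POLICY = {"version": 1, "bindings": [{
    "role": ROLE_WI_USER, "members": ["serviceAccount:myproject.svc.id.goog[rok/rok]"]}]}
```

Feed it the output of the two Verify commands run with --format json (without --flatten) to check a real project; an empty findings list for both audits corresponds to the output shown in Verify.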

Summary

You have successfully created the cloud identity Rok will use to gain access to your platform's object storage service.

What's Next

The next step is to authorize Rok to access the object storage service using the cloud identity you created.