Create Cloud Identity on Google Cloud¶
This guide will walk you through creating a Workload Identity on Google Cloud and granting it permissions to access Rok buckets on Google Cloud Storage.
See also
- Workload Identities on official Google Docs.
Overview
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing GKE cluster.
- Permissions to create workload identities.
Procedure¶
1. Select the name of the Google service account for Rok to use:

   root@rok-tools:~# export GCP_SERVICE_ACCOUNT=rok-${GKE_CLUSTER?}

2. Create the Google service account:

   root@rok-tools:~# gcloud iam service-accounts create \
   >    --display-name ${GCP_SERVICE_ACCOUNT?} \
   >    ${GCP_SERVICE_ACCOUNT?}

3. Retrieve the email of the service account:

   root@rok-tools:~# export GCP_SERVICE_ACCOUNT_EMAIL=$(\
   >    gcloud iam service-accounts list \
   >    --format "value(email)" \
   >    --filter "displayName:${GCP_SERVICE_ACCOUNT?}")

4. Select the namespace in which to deploy Rok:

   root@rok-tools:~# export ROK_CLUSTER_NAMESPACE=rok

5. Select the name of the Rok cluster:

   root@rok-tools:~# export ROK_CLUSTER_NAME=rok

6. Select the bucket prefix Rok will use to store its snapshots in Google Cloud Storage:

   root@rok-tools:~# export BUCKET_PREFIX=rok-${PROJECT_ID?}-${ZONE?}-${GKE_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}

7. Remove the Rok cluster namespace and name if they are both equal to rok:

   root@rok-tools:~# export BUCKET_PREFIX=${BUCKET_PREFIX%-rok-rok}

8. Verify that the bucket prefix you specified is not more than 52 characters long:

   root@rok-tools:~# [[ ${#BUCKET_PREFIX} -le 52 ]] && echo OK || echo FAIL
   OK

   Troubleshooting: The output of the command is FAIL
   Go back to step 6 and specify a shorter bucket prefix.

9. Select the title for the condition that restricts access to Rok buckets:

   root@rok-tools:~# export TITLE="Only allow access to Rok buckets"

10. Define the expression for the condition to restrict access to Rok buckets:

   root@rok-tools:~# export EXPRESSION="resource.name.startsWith(\"projects/_/buckets/${BUCKET_PREFIX?}\")"

11. Allow the Google service account to access buckets used by Rok in your project on Google Cloud Storage:

   root@rok-tools:~# gcloud projects add-iam-policy-binding \
   >    --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL?} \
   >    --role roles/storage.admin \
   >    --condition "title=${TITLE?},expression=${EXPRESSION?}" \
   >    ${PROJECT_ID?}

12. Enable Rok’s Kubernetes service account to use the Google service account:

   root@rok-tools:~# gcloud iam service-accounts \
   >    add-iam-policy-binding \
   >    --role roles/iam.workloadIdentityUser \
   >    --member "serviceAccount:${PROJECT_ID?}.svc.id.goog[${ROK_CLUSTER_NAMESPACE?}/${ROK_CLUSTER_NAME?}]" \
   >    ${GCP_SERVICE_ACCOUNT_EMAIL?}
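The bucket-prefix derivation, the "-rok-rok" trimming, the 52-character check and the IAM condition expression from steps 6 to 10, collected as an added shell example that is not part of the Arrikto docs. The function names are my own; the sample values myproject, us-east1-b and arrikto-cluster are the ones the Verify output below uses.

```shell
# Added example, not part of the Arrikto docs: reproduce the bucket-prefix
# derivation (steps 6-7), the 52-character check (step 8) and the IAM
# condition expression (step 10) as shell functions, so the values can be
# inspected offline before any gcloud binding is created.

# Steps 6-7: build the prefix; the trailing "-rok-rok" is dropped only when
# the namespace and the Rok cluster name are both exactly "rok".
rok_bucket_prefix() {
    local prefix="rok-$1-$2-$3-$4-$5"   # project zone cluster namespace name
    printf '%s\n' "${prefix%-rok-rok}"
}

# Step 8: succeed when the prefix fits within the 52-character limit.
rok_prefix_ok() {
    [ "${#1}" -le 52 ]
}

# Step 10: the CEL expression bound to roles/storage.admin.
rok_condition_expression() {
    printf 'resource.name.startsWith("projects/_/buckets/%s")\n' "$1"
}

# Offline evaluation of that condition for one bucket name. startsWith is a
# plain prefix match, so a bucket belonging to another cluster whose name
# merely begins with the same string is matched as well.
rok_condition_matches() {
    case "projects/_/buckets/$2" in
        "projects/_/buckets/$1"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    # Constructed sample values, the same ones the page's Verify output shows.
    local prefix
    prefix=$(rok_bucket_prefix myproject us-east1-b arrikto-cluster rok rok)
    echo "prefix:     $prefix (${#prefix} chars)"
    if rok_prefix_ok "$prefix"; then echo "length:     OK"; else echo "length:     FAIL"; fi
    echo "expression: $(rok_condition_expression "$prefix")"
    # A sibling GKE cluster named arrikto-cluster2 in the same project and
    # zone would also fall under this condition (constructed bucket name).
    if rok_condition_matches "$prefix" "${prefix}2-snapshots"; then
        echo "warning:    prefix also matches buckets of ${prefix}2"
    fi
}

main "$@"
```

Because the condition is a prefix match, a cluster name that is itself a prefix of another cluster's name in the same project and zone lets this service account reach both clusters' buckets; check the derived prefix with rok_condition_matches against your other bucket names before creating the binding.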
Verify¶
1. Verify that your bucket prefix is not more than 52 characters long:

   root@rok-tools:~# [[ ${#BUCKET_PREFIX} -le 52 ]] && echo OK || echo FAIL
   OK

   Troubleshooting: The output of the command is FAIL
   If the output of the above command is FAIL, it means that the bucket prefix you specified is not short enough for the buckets that Rok will create. To proceed, run the following steps:

   a. Delete the Google service account you created for Rok:

      root@rok-tools:~# gcloud iam service-accounts \
      >    delete ${GCP_SERVICE_ACCOUNT_EMAIL?}
      You are about to delete service account [rok-arrikto-cluster@myproject.iam.gserviceaccount.com].
      Do you want to continue (Y/n)? Y
      deleted service account [rok-arrikto-cluster@myproject.iam.gserviceaccount.com]

   b. Run the Procedure and select a shorter bucket prefix.

2. Ensure that Rok’s Kubernetes service account can use the Google service account by verifying that the iam.workloadIdentityUser role is assigned to the service account with the same namespace and name as Rok:

   root@rok-tools:~# gcloud iam service-accounts \
   >    get-iam-policy ${GCP_SERVICE_ACCOUNT_EMAIL?}
   bindings:
   - members:
     - serviceAccount:myproject.svc.id.goog[rok/rok]
     role: roles/iam.workloadIdentityUser
   etag: BwXDFvKhrQM=
   version: 1

3. Ensure that the Google service account can access the buckets used by Rok in your project on Google Cloud Storage by verifying that the storage.admin role is assigned and the condition limits access to buckets whose name starts with rok-<PROJECT_ID>-<ZONE>-<GKE_CLUSTER>:

   root@rok-tools:~# gcloud projects get-iam-policy ${PROJECT_ID?} \
   >    --flatten "bindings[].members" \
   >    --filter "bindings.members:serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL?}"
   ---
   bindings:
     condition:
       expression: resource.name.startsWith("projects/_/buckets/rok-myproject-us-east1-b-arrikto-cluster")
       title: Only allow access to Rok buckets
     members: serviceAccount:rok-arrikto-cluster@myproject.iam.gserviceaccount.com
     role: roles/storage.admin
   etag: BwXDowzw1fE=
   version: 3
Summary¶
You have successfully created the cloud identity Rok will use to gain access to your platform’s object storage service.
What’s Next¶
The next step is to authorize Rok to access the object storage service using the cloud identity you created.