I keep repeating the procedure for passing GCP credentials to a Pod running on GKE, so I am writing the steps down here.

Create a ServiceAccount

```
$ gcloud iam service-accounts create example-sa \
    --display-name "this is example"
```
Define a custom role

```yaml
# custom-role.yaml
title: example-role
description: example role
stage: ALPHA
includedPermissions:
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.getIamPolicy
- storage.objects.list
- storage.objects.setIamPolicy
- storage.objects.update
```

```
$ gcloud iam roles create example_role \
    --project [PROJECT_ID] \
    --file custom-role.yaml
```
Bind the ServiceAccount to the custom role

```
$ gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member=serviceAccount:example-sa@[PROJECT_ID].iam.gserviceaccount.com \
    --role=projects/[PROJECT_ID]/roles/example_role
```

- Verify the role binding

```
$ gcloud projects get-iam-policy [PROJECT_ID] \
    --flatten="bindings[].members" \
    --format='table(bindings.role)' \
    --filter="bindings.members:example-sa@[PROJECT_ID].iam.gserviceaccount.com"
```
Create a key for the ServiceAccount

```
$ gcloud iam service-accounts keys create gcp_credentials.json \
    --iam-account example-sa@[PROJECT_ID].iam.gserviceaccount.com
```

Register the key as a Secret

```
$ kubectl create secret generic example-sa-cred \
    --from-file=gcp_credentials.json=./gcp_credentials.json
```
Deploy the Pod

Mount the key stored in the Secret and point GOOGLE_APPLICATION_CREDENTIALS at its path.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: gcr.io/[PROJECT_ID]/my-container
          env:
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/google/gcp_credentials.json
          volumeMounts:
            - name: example-sa-cred
              mountPath: /var/secrets/google
      volumes:
        - name: example-sa-cred
          secret:
            secretName: example-sa-cred
```

```
$ kubectl apply -f myapp.yaml
```
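As an added example that is not part of this post: a small Python startup check the container could run before creating any GCP client, confirming that the file GOOGLE_APPLICATION_CREDENTIALS points at (the mounted gcp_credentials.json) is a service-account key for the expected account, so a wrong mountPath, Secret item name or Secret fails fast instead of at the first storage call. The sample key JSON and the helper names are constructed for this example.

```python
"""Startup self-check for a Pod given a service-account key via the mounted Secret
above (hypothetical helper): validate GOOGLE_APPLICATION_CREDENTIALS before use."""
import json
import os
import tempfile

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample key with placeholder values, not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "example-sa@example-project.iam.gserviceaccount.com",
}

def check_credentials(path, expected_email=None):
    """Return a list of problems with the key file at `path`; empty means usable."""
    if not os.path.isfile(path):  # wrong mountPath or Secret item name
        return [f"credentials file not found: {path}"]
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"cannot parse credentials JSON: {exc}"]
    problems = []
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"unexpected credential type: {key.get('type')!r}")
    if expected_email and key.get("client_email") != expected_email:  # wrong Secret mounted
        problems.append(f"client_email {key.get('client_email')!r} is not {expected_email}")
    return problems

def check_env(expected_email=None, env=os.environ):
    """Resolve GOOGLE_APPLICATION_CREDENTIALS as the Deployment sets it, then check it."""
    path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    return check_credentials(path, expected_email)

def write_sample_key(key=SAMPLE_KEY):
    """Write `key` to a temp file named like the Secret item; return its path (demo only)."""
    path = os.path.join(tempfile.mkdtemp(), "gcp_credentials.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    return path
```

Call `check_env("example-sa@[PROJECT_ID].iam.gserviceaccount.com")` at container start and exit non-zero on a non-empty result.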