Setting GCP credentials on a Pod running on GKE

I have gone through the steps of passing GCP credentials to a Pod running on GKE many times, so I am writing the procedure down here.

Create a ServiceAccount

$ gcloud iam service-accounts create example-sa \
         --display-name "this is example"

Define a custom role

Save the following as custom-role.yaml:

title: example-role
description: example role
stage: ALPHA
includedPermissions:
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.getIamPolicy
- storage.objects.list
- storage.objects.setIamPolicy
- storage.objects.update

$ gcloud iam roles create example_role \
       --project [PROJECT_ID] \
       --file custom-role.yaml

Bind the ServiceAccount to the custom role

$ gcloud projects add-iam-policy-binding [PROJECT_ID] \
         --member=serviceAccount:example-sa@[PROJECT_ID].iam.gserviceaccount.com \
         --role=projects/[PROJECT_ID]/roles/example_role

Verify the role binding:

$ gcloud projects get-iam-policy [PROJECT_ID] \
         --flatten="bindings[].members" \
         --format='table(bindings.role)' \
         --filter="bindings.members:example-sa@[PROJECT_ID].iam.gserviceaccount.com"

Create a key for the ServiceAccount

$ gcloud iam service-accounts keys create gcp_credentials.json \
         --iam-account example-sa@[PROJECT_ID].iam.gserviceaccount.com

Register the key as a Secret

$ kubectl create secret generic example-sa-cred \
          --from-file=gcp_credentials.json=./gcp_credentials.json

Deploy the Pod

Mount the key stored in the Secret into the container and set GOOGLE_APPLICATION_CREDENTIALS to its path (myapp.yaml):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: gcr.io/[PROJECT_ID]/my-container
          env:
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/google/gcp_credentials.json
          volumeMounts:
            - name: example-sa-cred
              mountPath: /var/secrets/google
      volumes:
        - name: example-sa-cred
          secret:
            secretName: example-sa-cred

$ kubectl apply -f myapp.yaml
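An added check that is not part of the original article: a Python snippet to run at Pod start-up (or in CI against the extracted file) that validates the mounted key before the application uses it, locating the file through GOOGLE_APPLICATION_CREDENTIALS exactly as the app would. The key contents and the expected service-account address are constructed placeholders.

```python
import json
import os
import stat
import tempfile

# Constructed sample shaped like the gcp_credentials.json that
# `gcloud iam service-accounts keys create` writes; every value is a placeholder.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "example-sa@example-project.iam.gserviceaccount.com",
}
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

def check_key_file(expected_email, path=None):
    """Return the problems found with the key file; an empty list means it is usable."""
    path = path or os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path or not os.path.isfile(path):
        return [f"credentials file not found: {path!r}"]
    problems = []
    # Secret volumes mount 0644 unless defaultMode is set; flag group/other read bits.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"key file is group/other readable (mode {oct(mode)})")
    with open(path, encoding="utf-8") as f:
        key = json.load(f)
    for field in REQUIRED:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        problems.append(f"unexpected type: {key.get('type')!r}")
    # Fail fast if the Secret holds a key for some other service account.
    if key.get("client_email") != expected_email:
        problems.append(f"client_email {key.get('client_email')!r} != {expected_email!r}")
    return problems

def self_check():
    """Write the sample key with strict (0600) and loose (0644) modes and check both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("strict", 0o600), ("loose", 0o644)):
            path = os.path.join(tmp, f"{name}.json")
            with open(path, "w", encoding="utf-8") as f:
                json.dump(SAMPLE_KEY, f)
            os.chmod(path, mode)
            results[name] = check_key_file(SAMPLE_KEY["client_email"], path)
        results["wrong_sa"] = check_key_file("other-sa@example-project.iam.gserviceaccount.com", path)
    return results
```

Secret volumes are mounted with `defaultMode` 0644 unless set otherwise, so the permission check flags the manifest above as written; `defaultMode: 0400` on the volume addresses that for a container running as root.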
