
Setting up GCP credentials for a Pod on GKE

I keep repeating the steps for handing GCP credentials to a Pod running on GKE, so here is a write-up of the procedure.

Create a ServiceAccount

$ gcloud iam service-accounts create example-sa \
         --display-name "this is example"

Define a custom role

custom-role.yaml:

title: example-role
description: example role
stage: ALPHA
includedPermissions:
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.getIamPolicy
- storage.objects.list
- storage.objects.setIamPolicy
- storage.objects.update

$ gcloud iam roles create example_role \
       --project [PROJECT_ID] \
       --file custom-role.yaml

Bind the ServiceAccount to the custom role

$ gcloud projects add-iam-policy-binding [PROJECT_ID] \
         --member=serviceAccount:example-sa@[PROJECT_ID].iam.gserviceaccount.com \
         --role=projects/[PROJECT_ID]/roles/example_role

  • Check that the role binding is in place

$ gcloud projects get-iam-policy [PROJECT_ID] \
         --flatten="bindings[].members" \
         --format='table(bindings.role)' \
         --filter="bindings.members:example-sa@[PROJECT_ID].iam.gserviceaccount.com"

Create a key for the ServiceAccount

$ gcloud iam service-accounts keys create gcp_credentials.json \
         --iam-account example-sa@[PROJECT_ID].iam.gserviceaccount.com

Register the key as a Secret

$ kubectl create secret generic example-sa-cred \
          --from-file=gcp_credentials.json=./gcp_credentials.json

Deploy the Pod

Mount the key stored in the Secret into the container and point GOOGLE_APPLICATION_CREDENTIALS at its path.

myapp.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: gcr.io/[PROJECT_ID]/my-container
          env:
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/google/gcp_credentials.json
          volumeMounts:
            - name: example-sa-cred
              mountPath: /var/secrets/google
      volumes:
        - name: example-sa-cred
          secret:
            secretName: example-sa-cred

$ kubectl apply -f myapp.yaml
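As an added example (not part of the original post), a small start-up check the application container could run against the key mounted as above. The Google client libraries only need GOOGLE_APPLICATION_CREDENTIALS, but since this is a long-lived key file it is worth verifying before use that it belongs to the expected service account and is not readable by other users in the container; the service-account e-mail is the page's placeholder, and the sample key file is constructed and non-functional.

```python
import json
import os
import stat
import tempfile

EXPECTED_SA = "example-sa@[PROJECT_ID].iam.gserviceaccount.com"  # placeholder from the page

def validate_sa_key(path, expected_email=EXPECTED_SA):
    """Return a list of problems with the key file at `path` (empty list means it passed)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Secret volumes default to 0644; `defaultMode: 0400` on the volume avoids this.
        problems.append(f"key file mode {mode:o} is readable by group/others")
    with open(path, encoding="utf-8") as f:
        key = json.load(f)
    if key.get("type") != "service_account":
        problems.append(f"unexpected credential type {key.get('type')!r}")
    if key.get("client_email") != expected_email:
        problems.append(f"key is for {key.get('client_email')!r}, expected {expected_email!r}")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is missing or not PEM")
    return problems

def validate_from_env(expected_email=EXPECTED_SA):
    """Locate the key the way the client libraries do: via GOOGLE_APPLICATION_CREDENTIALS."""
    path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    if not os.path.isfile(path):
        return [f"{path} does not exist (is the Secret volume mounted?)"]
    return validate_sa_key(path, expected_email)

def write_sample_key(email, mode):
    """Write a CONSTRUCTED, non-functional key file for demonstration; returns its path."""
    sample = {
        "type": "service_account",
        "client_email": email,
        "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE-FOR-DEMO\n-----END PRIVATE KEY-----\n",
    }
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(sample, f)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = write_sample_key(EXPECTED_SA, 0o400)
    print(validate_from_env() or "key file passed all checks")
```

Files in a Secret volume are created with mode 0644 by default, so the permission check flags the Deployment as written unless `defaultMode: 0400` is set under the `secret:` volume.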
