---
title: Google Service Account
nav_text: Service Account
categories: helpers-google
---

## Service Accounts

Kubes can automatically create the Google Service Account that is associated with [GKE Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity).

Here's a Kubes hook that creates a service account:

.kubes/config/hooks/kubes.rb

```ruby
service_account = KubesGoogle::ServiceAccount.new(
  app: "demo",
  namespace: "demo-#{Kubes.env}", # defaults to APP-ENV when not set, e.g. demo-dev
  roles: ["cloudsql.client", "secretmanager.viewer"], # defaults to empty when not set
)
before("apply",
  label: "create service account",
  execute: service_account,
)
```

The corresponding Kubernetes Service Account looks like this:

.kubes/resources/shared/service_account.yaml

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: demo-<%= Kubes.env %>@<%= ENV['GOOGLE_PROJECT'] %>.iam.gserviceaccount.com
  name: demo
  labels:
    app: demo
```

Role permissions are currently always added to the existing permissions of the Google Service Account. Removing a role from the `roles` list therefore does not remove it: a role that was previously added stays granted.
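One way to audit that additive behaviour, as an added example that is not part of Kubes or its docs: compare the roles declared in the hook with the project IAM policy and list roles still granted to the Google Service Account. The policy JSON is a constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json` output; `example-project`, the helper names and the mapping of short role names to `roles/<name>` are assumptions.

```ruby
require "json"

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT --format=json` (not real data).
SAMPLE_POLICY = <<~JSON
  {
    "bindings": [
      {"role": "roles/cloudsql.client",
       "members": ["serviceAccount:demo-dev@example-project.iam.gserviceaccount.com"]},
      {"role": "roles/secretmanager.viewer",
       "members": ["serviceAccount:demo-dev@example-project.iam.gserviceaccount.com",
                   "user:alice@example.com"]},
      {"role": "roles/storage.admin",
       "members": ["serviceAccount:demo-dev@example-project.iam.gserviceaccount.com"]},
      {"role": "roles/editor",
       "members": ["serviceAccount:other-dev@example-project.iam.gserviceaccount.com"]}
    ]
  }
JSON

# Assumption: short names from the hook's roles list map to "roles/<name>".
def full_role(name)
  name.start_with?("roles/") ? name : "roles/#{name}"
end

# Project-level roles currently bound to the Google Service Account.
def granted_roles(policy, gsa_email)
  member = "serviceAccount:#{gsa_email}"
  policy.fetch("bindings", [])
        .select { |b| b.fetch("members", []).include?(member) }
        .map { |b| b["role"] }
        .sort
end

# Compare declared roles with the live policy.
# :stale   = still granted but no longer declared (candidates for revocation)
# :missing = declared but not granted yet
def role_drift(policy, gsa_email, declared)
  want = declared.map { |r| full_role(r) }
  have = granted_roles(policy, gsa_email)
  { stale: have - want, missing: (want - have).sort }
end

if __FILE__ == $PROGRAM_NAME
  gsa = "demo-dev@example-project.iam.gserviceaccount.com"
  # The hook now declares only cloudsql.client; secretmanager.viewer was dropped.
  p role_drift(JSON.parse(SAMPLE_POLICY), gsa, ["cloudsql.client"])
end
```

Roles reported under `:stale` include anything granted to the account outside the hook, so review each one before revoking it.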

## Variables

ServiceAccount#initialize options:

Variable | Description | Default
---|---|---
app | The app name. It's used to set other variables conventionally. This is required. | nil
gsa | The Google Service Account name. The conventional name is APP-ENV, e.g. demo-dev. | APP-ENV
ksa | The Kubernetes Service Account name. The conventional name is APP, e.g. demo. | APP
namespace | The Kubernetes namespace. Defaults to APP-ENV, e.g. demo-dev. | APP-ENV
roles | Google IAM roles to add. This adds permissions to the Google service account. | []

Relevant environment variables:

Name | Description
---|---
GOOGLE_PROJECT | Google project id. This is required as it's used to build the full service account name.
