==================================================
service account
Config Connector compatible YAML files to create a service account in your desired project and grant a specific member a role (defaults to roles/iam.serviceAccountKeyAdmin) for accessing the service account that was just created.
- Clone the GoogleCloudPlatform/cloud-foundation-toolkit repository:
git clone https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit.git
- Go to the service account folder:
cd cloud-foundation-toolkit/config-connector/solutions/iam/helm/service-account
- GKE Cluster with Config Connector and Workload Identity.
- Helm
All steps are run from the current directory (config-connector/solutions/iam/helm/service-account).
- Review and update the values in ./values.yaml.
- Validate and install the sample with Helm.
# validate your chart
helm lint . --set iamPolicyMember.iamMember=user:name@example.com
# check the output of your chart
helm template . --set iamPolicyMember.iamMember=user:name@example.com
# do a dry run on your chart and address issues if there are any
helm install . --dry-run --set iamPolicyMember.iamMember=user:name@example.com --generate-name
# install your chart
helm install . --set iamPolicyMember.iamMember=user:name@example.com --generate-name
- Optionally, you can customize optional values by explicitly setting them when installing the solution:
# install your chart with a new service account name
helm install . --set serviceAccount.name=new-service-account,iamPolicyMember.iamMember=user:name@example.com --generate-name
Or,
# install your chart with a new role
helm install . --set iamPolicyMember.role=roles/iam.serviceAccountTokenCreator,iamPolicyMember.iamMember=user:name@example.com --generate-name
Or set them both in one command.
- Check the created Helm release to verify the installation:
helm list
Check the status of the service account resource by running:
kubectl describe iamserviceaccount [service account name]
Check the status of the IAM Policy Member:
kubectl describe iampolicymember iampolicymember-service-account
- Clean up the installation:
# list Helm releases to obtain release name
helm list
# delete release specifying release name from the previous command output.
helm delete [release_name]
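
A pre-flight check for the --set values used in the install steps above, added here as an example and not part of the toolkit or its chart. It rejects public or whole-domain principals, members containing a comma (which Helm would read as the start of another key=value pair), and any role other than the two this page names, then runs the page's dry-run install. The function names and the ALLOWED_ROLES variable are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight validation of the chart's --set values.
# Function names and ALLOWED_ROLES are hypothetical, not part of the chart.

# Roles named on this page; override ALLOWED_ROLES to permit others.
ALLOWED_ROLES="${ALLOWED_ROLES:-roles/iam.serviceAccountKeyAdmin roles/iam.serviceAccountTokenCreator}"

# check_iam_member MEMBER: succeeds only for one named principal.
check_iam_member() {
  case "$1" in
    # A comma would start a second key=value pair inside --set.
    *,*|*" "*)
      echo "illegal character in member: $1" >&2; return 1 ;;
    allUsers|allAuthenticatedUsers)
      echo "refusing public principal: $1" >&2; return 1 ;;
    domain:*)
      echo "refusing whole-domain grant: $1" >&2; return 1 ;;
    user:*@*.*|serviceAccount:*@*.*|group:*@*.*)
      return 0 ;;
    *)
      echo "unrecognised member format: $1" >&2; return 1 ;;
  esac
}

# check_iam_role ROLE: succeeds only if ROLE is in the allowlist.
check_iam_role() {
  for allowed in $ALLOWED_ROLES; do
    if [ "$1" = "$allowed" ]; then return 0; fi
  done
  echo "role not in allowlist: $1" >&2
  return 1
}

# install_checked MEMBER [ROLE]: validate, then run the page's dry run.
install_checked() {
  member="$1"
  role="${2:-roles/iam.serviceAccountKeyAdmin}"
  check_iam_member "$member" || return 1
  check_iam_role "$role" || return 1
  helm install . --dry-run --generate-name \
    --set "iamPolicyMember.role=$role,iamPolicyMember.iamMember=$member"
}
```

Source the file from the chart directory and call install_checked with the member (and optionally the role); once the dry-run output looks right, repeat the install without --dry-run.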
Apache 2.0 - See LICENSE for more information.