mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/pod-short-term-auth-gcp-cluster-sa.adoc
2025-10-28 14:54:43 -04:00
// Module included in the following assemblies:
//
// * nodes/pods/nodes-pods-short-term-auth.adoc
:_mod-docs-content-type: PROCEDURE
[id="pod-short-term-auth-gcp-cluster-sa_{context}"]
= Creating an {product-title} service account for {gcp-short}
You create an {product-title} service account and annotate it to impersonate a {gcp-short} service account.
.Prerequisites
* Your {gcp-short} cluster uses {gcp-wid-short}.
* You have created a federated {gcp-short} service account.
* You have access to the {oc-first} as a user with the `cluster-admin` role.
* You have access to the {gcp-full} CLI (`gcloud`) as a user with privileges to manage Identity and Access Management (IAM) and workload identity configurations.
.Procedure
. Create an {product-title} service account to use for {gcp-wid-short} pod authentication by running the following command:
+
[source,terminal]
----
$ oc create serviceaccount <service_account_name>
----
. Annotate the service account with the identity provider and {gcp-short} service account to impersonate by running the following command:
+
[source,terminal]
----
$ oc patch serviceaccount <service_account_name> -p '{"metadata": {"annotations": {"cloud.google.com/workload-identity-provider": "projects/<project_number>/locations/global/workloadIdentityPools/<identity_pool>/providers/<identity_provider>"}}}'
----
+
Replace `<project_number>`, `<identity_pool>`, and `<identity_provider>` with the values for your configuration.
+
[NOTE]
====
For `<project_number>`, specify the {gcp-full} project number, not the project ID.
====
. Annotate the service account with the email address for the {gcp-short} service account by running the following command:
+
[source,terminal]
----
$ oc patch serviceaccount <service_account_name> -p '{"metadata": {"annotations": {"cloud.google.com/service-account-email": "<service_account_email>"}}}'
----
+
Replace `<service_account_email>` with the email address for the {gcp-short} service account.
+
[TIP]
====
{gcp-short} service account email addresses typically use the format `<service_account_name>@<project_id>.iam.gserviceaccount.com`.
====
. Annotate the service account to use the `direct` external credentials configuration injection mode by running the following command:
+
[source,terminal]
----
$ oc patch serviceaccount <service_account_name> -p '{"metadata": {"annotations": {"cloud.google.com/injection-mode": "direct"}}}'
----
+
In this mode, the Workload Identity Federation webhook controller directly generates the {gcp-short} external credentials configuration and injects it into the pod.
. Use the {gcp-full} CLI (`gcloud`) to specify the permissions for the workload by running the following command:
+
[source,terminal]
----
$ gcloud projects add-iam-policy-binding <project_id> --member "<service_account_email>" --role "projects/<project_id>/roles/<role_for_workload_permissions>"
----
+
Replace `<role_for_workload_permissions>` with the role for the workload.
Specify a role that grants the permissions that your workload requires.
.Verification
* To verify the service account configuration, inspect the `ServiceAccount` manifest by running the following command:
+
[source,terminal]
----
$ oc get serviceaccount <service_account_name> -o yaml
----
+
In the following example, the `service-a/app-x` {product-title} service account can impersonate a {gcp-short} service account called `app-x`:
+
.Example output
--
[source,yaml]
----
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-x
  namespace: service-a
  annotations:
    cloud.google.com/workload-identity-provider: "projects/<project_number>/locations/global/workloadIdentityPools/<identity_pool>/providers/<identity_provider>" <1>
    cloud.google.com/service-account-email: "app-x@project.iam.googleapis.com"
    cloud.google.com/audience: "sts.googleapis.com" <2>
    cloud.google.com/token-expiration: "86400" <3>
    cloud.google.com/gcloud-run-as-user: "1000"
    cloud.google.com/injection-mode: "direct" <4>
----
<1> The workload identity provider for the service account of the cluster.
<2> The allowed audience for the workload identity provider.
<3> The token expiration time period in seconds.
<4> The `direct` external credentials configuration injection mode.
--
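The three annotations set in the procedure above can be sanity-checked against the stated requirements (a numeric project number in the provider path, the `<name>@<project_id>.iam.gserviceaccount.com` email format from the tip, and the `direct` injection mode) before a workload depends on them. The following shell script is an added example, not part of the {product-title} documentation or the webhook project; its function names are hypothetical and it assumes `oc` and a `grep` that supports `-E` are available.

```shell
#!/bin/sh
# Offline checks for the annotations this procedure sets on an OpenShift
# ServiceAccount. Function names are hypothetical; the annotation keys are
# the ones used in the procedure.

# Provider path must carry the numeric project number, not the project ID.
check_provider() {
  case "$1" in
    projects/*/locations/global/workloadIdentityPools/?*/providers/?*)
      num=${1#projects/}; num=${num%%/*}
      # Stripping the pattern "*[!0-9]*" leaves nothing if any non-digit is present.
      [ -n "$num" ] && [ -n "${num##*[!0-9]*}" ] && return 0 ;;
  esac
  return 1
}

# Email must follow <sa_name>@<project_id>.iam.gserviceaccount.com.
check_sa_email() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]*@[a-z][a-z0-9-]*\.iam\.gserviceaccount\.com$'
}

# Injection mode must be the "direct" mode this procedure configures.
check_injection_mode() {
  [ "$1" = "direct" ]
}

# Check the three values together: prints one line per failure and
# returns the number of failed checks (0 means all annotations are valid).
check_sa_annotations() {
  fails=0
  check_provider "$1"       || { echo "FAIL workload-identity-provider: $1"; fails=$((fails+1)); }
  check_sa_email "$2"       || { echo "FAIL service-account-email: $2";     fails=$((fails+1)); }
  check_injection_mode "$3" || { echo "FAIL injection-mode: $3";            fails=$((fails+1)); }
  return "$fails"
}

# Read the live annotations with oc and check them.
# Usage: check_live_sa <service_account_name> [namespace]
check_live_sa() {
  ns=${2:-$(oc project -q)}
  a='{.metadata.annotations.cloud\.google\.com/'
  check_sa_annotations \
    "$(oc get serviceaccount "$1" -n "$ns" -o jsonpath="${a}workload-identity-provider}")" \
    "$(oc get serviceaccount "$1" -n "$ns" -o jsonpath="${a}service-account-email}")" \
    "$(oc get serviceaccount "$1" -n "$ns" -o jsonpath="${a}injection-mode}")"
}
```

Run `check_live_sa app-x service-a` against a cluster to check a real service account; the `check_*` functions can also be called directly with values copied from a manifest.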