Google Cloud

Compute Engine API

To use the Compute Engine API, it has to be enabled in the Google APIs console.

User Roles

The Google Service Account that has to be created must be granted three roles:

  • Compute Admin: roles/compute.admin

  • Service Account User: roles/iam.serviceAccountUser

  • Viewer: roles/viewer

Once the gcloud CLI is installed, create the service account and grant it the roles with the steps below:

# create new service account
gcloud iam service-accounts create k8c-cluster-provisioner

# get your service account id
gcloud iam service-accounts list
# get your project id
gcloud projects list

# create policy binding
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID --member 'serviceAccount:YOUR_SERVICE_ACCOUNT_ID' --role='roles/compute.admin'
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID --member 'serviceAccount:YOUR_SERVICE_ACCOUNT_ID' --role='roles/iam.serviceAccountUser'
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID --member 'serviceAccount:YOUR_SERVICE_ACCOUNT_ID' --role='roles/viewer'

Google Service Account

A Google Service Account for the platform should be created. Refer to Creating and managing service accounts. The result is a JSON key file containing the fields:

  • type

  • project_id

  • private_key_id

  • private_key

  • client_email

  • client_id

  • auth_uri

  • token_uri

  • auth_provider_x509_cert_url

  • client_x509_cert_url

The private key is a BASE64 (PEM) string whose newlines appear in the JSON as the literal two-character sequence "\n". To avoid the quoting troubles this causes when the key is copied around, the machine controller expects the full service account JSON encoded in BASE64.

# create a new json key for your service account
gcloud iam service-accounts keys create --iam-account YOUR_SERVICE_ACCOUNT k8c-cluster-provisioner-sa-key.json
# create base64 encoded secret
base64 -w 0 ./k8c-cluster-provisioner-sa-key.json

Passing the Google Service Account

The base64 encoded secret of the service account is passed in the serviceAccount field of the cloudProviderSpec of the machine deployment. The encoded secret can also be entered in the UI field Service Account.
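As an added example (not part of the original page or the machine controller's code), the following Python checks a downloaded key file for the fields listed above, produces the single-line base64 value for the serviceAccount field the way `base64 -w 0` does, and shows why a line-wrapped encoding is rejected on the way back. The key file contents are a constructed placeholder, not a real key.

```python
import base64
import json

# Fields the service-account key JSON is expected to carry (the list above).
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
    "client_x509_cert_url",
)

# Constructed sample key file with placeholder values; not a real key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "k8c-cluster-provisioner@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/PLACEHOLDER",
}, indent=2)

def validate_key_file(raw: str) -> dict:
    """Parse the key JSON and check it is a complete service-account key."""
    data = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"service account JSON is missing fields: {missing}")
    if data.get("type") != "service_account":
        raise ValueError(f"unexpected key type: {data.get('type')!r}")
    # In the file the PEM line breaks are the two characters '\' 'n'; json.loads
    # turns them into real newlines. Encoding the whole file sidesteps that.
    if "\n" not in data["private_key"]:
        raise ValueError("private_key has no PEM line breaks; file may be damaged")
    return data

def encode_service_account(raw: str) -> str:
    """Base64-encode the whole key file as one line, like `base64 -w 0`."""
    validate_key_file(raw)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def decode_service_account(encoded: str) -> dict:
    """Decode a serviceAccount value and re-validate it. Wrapped base64 (from
    `base64` without `-w 0`) contains newlines and is rejected here."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    return validate_key_file(raw)
```

Run decode_service_account on the value you are about to paste into the machine deployment to confirm it round-trips to the key file you created.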

All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.