This page shows how to create the Google Cloud service accounts and keys that you need to install GKE on-prem.
SSH into your admin workstation
SSH into your admin workstation:
ssh -i ~/.ssh/vsphere_workstation ubuntu@[IP_ADDRESS]
where [IP_ADDRESS] is the IP address of your admin workstation.
Do all of the remaining steps in this topic on your admin workstation.
Logging in
Log in to Google Cloud using your account credentials:
gcloud auth login
Overview of service accounts
Before you install GKE on-prem, you need to create four service accounts in your Google Cloud project. You also need to create a JSON key for each service account. These are the service accounts you need:
- Allowlisted service account
- Connect service account
- Register service account
- Google Cloud Observability service account
List your service accounts:
gcloud iam service-accounts list
The output shows the email addresses of your service accounts:
whitelisted-service-account@my-gcp-project.iam.gserviceaccount.com
some-other-service-account@my-gcp-project.iam.gserviceaccount.com
...
Take note of each account's email address.
Allowlisted service account
You already have an allowlisted service account.
Create a key for your allowlisted service account:
gcloud iam service-accounts keys create whitelisted-key.json \
    --iam-account [ALLOWLISTED_SERVICE_ACCOUNT_EMAIL]
where [ALLOWLISTED_SERVICE_ACCOUNT_EMAIL] is the email address of your allowlisted service account.
Connect service account
Connect uses this service account to maintain a connection between GKE on-prem and Google Cloud.
Create your Connect service account:
gcloud iam service-accounts create connect-service-account
Create a key for your Connect service account:
gcloud iam service-accounts keys create connect-key.json \
    --iam-account [Connect_SERVICE_ACCOUNT_EMAIL]
where [Connect_SERVICE_ACCOUNT_EMAIL] is the email address of your Connect service account.
Register service account
Connect uses this service account to register your GKE on-prem clusters with the Google Cloud console.
Create your register service account:
gcloud iam service-accounts create register-service-account
Create a key for your register service account:
gcloud iam service-accounts keys create register-key.json \
    --iam-account [REGISTER_SERVICE_ACCOUNT_EMAIL]
where [REGISTER_SERVICE_ACCOUNT_EMAIL] is the email address of your register service account.
Google Cloud Observability service account
Connect uses this service account to export logs from your clusters to Stackdriver by way of your Google Cloud project.
Create your Google Cloud Observability service account:
gcloud iam service-accounts create stackdriver-service-account
Create a key for your Google Cloud Observability service account:
gcloud iam service-accounts keys create stackdriver-key.json \
    --iam-account [STACKDRIVER_SERVICE_ACCOUNT_EMAIL]
where [STACKDRIVER_SERVICE_ACCOUNT_EMAIL] is the email address of your Google Cloud Observability service account.
At this point, you have created four service accounts in your Google Cloud project, and you have a JSON key for each service account on your admin workstation.
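The four JSON key files are long-lived credentials that sit on the admin workstation until the installer reads them. The following script is an added example, not part of the GKE on-prem documentation: it checks that each file really is a service-account key for the account you expect (a mix-up between the four keys is easy to make) and tightens the file mode to owner-only. It assumes the standard gcloud JSON key layout (a "type" field equal to "service_account" and a "client_email" field); the sample key in demo_check is constructed, with a placeholder instead of a private key.

```shell
#!/bin/sh
# Added example, not part of the GKE on-prem docs: sanity-check the JSON key
# files created above before they are used or copied anywhere. Each key is a
# long-lived credential, so it should be a service-account key for the account
# you expect and readable only by the workstation user. The key layout assumed
# here ("type" and "client_email" fields) is the standard gcloud JSON key format.

# check_key_file KEY_FILE EXPECTED_EMAIL
# Returns 0 when the file exists, is a service-account key for EXPECTED_EMAIL,
# and ends up with mode 0600 (the mode is tightened if it was looser); 1 otherwise.
check_key_file() {
  key_file=$1
  expected_email=$2

  if [ ! -f "$key_file" ]; then
    echo "missing: $key_file" >&2
    return 1
  fi

  # A service-account key is JSON with "type": "service_account".
  if ! grep -q '"type": *"service_account"' "$key_file"; then
    echo "not a service-account key: $key_file" >&2
    return 1
  fi

  # The client_email field must name the account the key was created for,
  # which catches keys that were mixed up between the four accounts.
  if ! grep -q "\"client_email\": *\"$expected_email\"" "$key_file"; then
    echo "client_email mismatch in $key_file (expected $expected_email)" >&2
    return 1
  fi

  # The key is a credential: owner read/write only.
  chmod 600 "$key_file"
  perms=$(ls -l "$key_file" | cut -c1-10)
  if [ "$perms" != "-rw-------" ]; then
    echo "could not set mode 600 on $key_file (got $perms)" >&2
    return 1
  fi
  return 0
}

# demo_check: runs check_key_file against a constructed key file (placeholder
# values, no real private key) so the check can be tried without gcloud.
demo_check() {
  tmp=$(mktemp) || return 1
  cat > "$tmp" <<'EOF'
{
  "type": "service_account",
  "project_id": "my-gcp-project",
  "client_email": "connect-service-account@my-gcp-project.iam.gserviceaccount.com",
  "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY"
}
EOF
  chmod 644 "$tmp"   # simulate a key file created with loose permissions
  check_key_file "$tmp" connect-service-account@my-gcp-project.iam.gserviceaccount.com
  rc=$?
  rm -f "$tmp"
  return $rc
}

# On the admin workstation, check each key against the email shown by
# `gcloud iam service-accounts list`, for example:
#   check_key_file connect-key.json connect-service-account@[PROJECT_ID].iam.gserviceaccount.com
if [ "${1:-}" = "--demo" ]; then
  demo_check && echo "constructed key passed the check"
fi
```

Run it once per key file with the matching email from `gcloud iam service-accounts list`; a non-zero exit means the file should not be handed to the installer as-is.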
Assigning Identity and Access Management roles to your service accounts
Each of your service accounts needs to have certain IAM roles. It is a good practice to grant each service account the minimum set of roles that it needs.
First, list the service accounts in your Google Cloud project:
gcloud iam service-accounts list
The output shows the email addresses of your service accounts:
whitelisted-service-account@my-gcp-project.iam.gserviceaccount.com
register-service-account@my-gcp-project.iam.gserviceaccount.com
connect-service-account@my-gcp-project.iam.gserviceaccount.com
stackdriver-service-account@my-gcp-project.iam.gserviceaccount.com
Take note of each account's email address. For each of the following sections, you provide the relevant account's email address.
Register service account
Grant the gkehub.admin and serviceusage.serviceUsageViewer roles to your register service account:
gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member "serviceAccount:[REGISTER_SERVICE_ACCOUNT_EMAIL]" \
    --role "roles/gkehub.admin"
gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member "serviceAccount:[REGISTER_SERVICE_ACCOUNT_EMAIL]" \
    --role "roles/serviceusage.serviceUsageViewer"
Connect service account
Grant the gkehub.connect role to your Connect service account:
gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member "serviceAccount:[Connect_SERVICE_ACCOUNT_EMAIL]" \
    --role "roles/gkehub.connect"
Google Cloud Observability service account
Grant the stackdriver.resourceMetadata.writer, logging.logWriter, and monitoring.metricWriter roles to your Google Cloud Observability service account:
gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member "serviceAccount:[STACKDRIVER_SERVICE_ACCOUNT_EMAIL]" \
    --role "roles/stackdriver.resourceMetadata.writer"
gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member "serviceAccount:[STACKDRIVER_SERVICE_ACCOUNT_EMAIL]" \
    --role "roles/logging.logWriter"
gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member "serviceAccount:[STACKDRIVER_SERVICE_ACCOUNT_EMAIL]" \
    --role "roles/monitoring.metricWriter"
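The role grants above are the minimum set this page asks for, and the practical way to keep them minimal is to apply them from one place and then compare what is actually bound against that list. The script below is an added example, not part of the GKE on-prem documentation: roles_for encodes the three role sets from this page, grant_roles applies them, and audit_roles reports any expected role that is missing and any binding beyond the minimum. It assumes the gcloud `projects add-iam-policy-binding` and `projects get-iam-policy` commands with the `--flatten`, `--filter` and `--format` flags; the GCLOUD variable lets you substitute `echo` to preview the commands, and the test stub used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not part of the GKE on-prem docs: grant each service account
# exactly the roles listed on this page and nothing more, then audit the
# result. The role sets in roles_for come from this page; GCLOUD can be set to
# a stand-in (e.g. GCLOUD=echo) to preview the commands without touching the
# project. bound_roles relies on gcloud's --flatten/--filter/--format flags.

GCLOUD=${GCLOUD:-gcloud}

# roles_for ACCOUNT_KIND: prints the minimum role set for the account, one per
# line. Kinds: register, connect, stackdriver (the observability account).
roles_for() {
  case $1 in
    register)
      printf '%s\n' roles/gkehub.admin roles/serviceusage.serviceUsageViewer ;;
    connect)
      printf '%s\n' roles/gkehub.connect ;;
    stackdriver)
      printf '%s\n' roles/stackdriver.resourceMetadata.writer \
                    roles/logging.logWriter roles/monitoring.metricWriter ;;
    *)
      echo "unknown account kind: $1" >&2
      return 1 ;;
  esac
}

# grant_roles PROJECT_ID ACCOUNT_KIND ACCOUNT_EMAIL
# Runs one add-iam-policy-binding per role in roles_for; stops on first failure.
grant_roles() {
  roles=$(roles_for "$2") || return 1
  for role in $roles; do
    "$GCLOUD" projects add-iam-policy-binding "$1" \
      --member "serviceAccount:$3" \
      --role "$role" || return 1
  done
}

# bound_roles PROJECT_ID ACCOUNT_EMAIL
# Prints the roles currently bound to the account at project level.
bound_roles() {
  "$GCLOUD" projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# audit_roles PROJECT_ID ACCOUNT_KIND ACCOUNT_EMAIL
# Compares bound roles with the expected minimum set. Prints "missing: ROLE"
# for expected roles that are absent and "extra: ROLE" for bindings beyond the
# minimum (a least-privilege violation). Returns 0 only when the sets match.
audit_roles() {
  expected=$(roles_for "$2") || return 1
  actual=$(bound_roles "$1" "$3") || return 1
  status=0
  for r in $expected; do
    echo "$actual" | grep -qx "$r" || { echo "missing: $r"; status=1; }
  done
  for r in $actual; do
    echo "$expected" | grep -qx "$r" || { echo "extra: $r"; status=1; }
  done
  return $status
}

# Usage on the admin workstation, with the emails from
# `gcloud iam service-accounts list`:
#   grant_roles [PROJECT_ID] connect connect-service-account@[PROJECT_ID].iam.gserviceaccount.com
#   audit_roles [PROJECT_ID] connect connect-service-account@[PROJECT_ID].iam.gserviceaccount.com
```

Running audit_roles after the grants (and again periodically) turns the "minimum set of roles" advice into a check: an "extra:" line means someone widened the account beyond what the installation needs, and a "missing:" line means a grant did not take.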