Create a service account (quickstart)

This document shows how to create a service account for accessing GKE Enterprise components.

The instructions here are part of a quickstart. For full instructions on using service accounts with Google Distributed Cloud, see Service accounts and keys.

Before you begin

Create a Google Cloud project (quickstart).

Create a component access service account

Google Distributed Cloud uses a service account to download GKE Enterprise components, on your behalf, from Container Registry. This account is called the component access service account.

This quickstart uses a single Google Cloud project. Your component access service account will be a child of that Google Cloud project and will be granted roles on that same Google Cloud project.

To create a component access service account:

gcloud iam service-accounts create component-access-sa \
    --display-name "Component Access Service Account" \
    --project PROJECT_ID

Replace PROJECT_ID with the ID of your Google Cloud project.

To create a JSON key for your component access service account:

gcloud iam service-accounts keys create component-access-key.json \
   --iam-account component-access-sa@[PROJECT_ID].iam.gserviceaccount.com

Granting roles to your component access service account

Your component access service account must be granted the following IAM roles on your Google Cloud project. These roles are required so that Google Distributed Cloud can do preflight checks:

  • serviceusage.serviceUsageViewer
  • iam.serviceAccountCreator
  • iam.roleViewer

To grant roles:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/serviceusage.serviceUsageViewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@[PROJECT_ID].iam.gserviceaccount.com" \
    --role "roles/iam.roleViewer"

What's next

Create an admin workstation (quickstart)