This document shows how to create a service account for accessing GKE Enterprise components.
The instructions here are part of a quickstart. For full instructions on using service accounts with Google Distributed Cloud, see Service accounts and keys.
Before you begin
Create a Google Cloud project (quickstart).
Create a component access service account
Google Distributed Cloud uses a service account to download GKE Enterprise components, on your behalf, from Container Registry. This account is called the component access service account.
This sequence of quickstart topics uses a single Google Cloud project. You established which Google Cloud project to use in the preceding quickstart topic: Google Cloud project (quickstart).
Your component access service account will be a child of that same Google Cloud project and will be granted roles on that Google Cloud project.
To create a component access service account:
gcloud iam service-accounts create component-access-sa \
--display-name "Component Access Service Account" \
--project PROJECT_ID
Replace PROJECT_ID with the ID of your Google Cloud project.
To create a JSON key for your component access service account:
gcloud iam service-accounts keys create component-access-key.json \ --iam-account component-access-sa@[PROJECT_ID].iam.gserviceaccount.com
Granting roles to your component access service account
Your component access service account must be granted the following IAM roles on your Google Cloud project. These roles are required so that Google Distributed Cloud can do preflight checks:
- serviceusage.serviceUsageViewer
- iam.roleViewer
- iam.serviceAccountViewer
To grant roles:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:component-access-sa@[PROJECT_ID].iam.gserviceaccount.com" \
--role "roles/serviceusage.serviceUsageViewer"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:component-access-sa@[PROJECT_ID].iam.gserviceaccount.com" \
--role "roles/iam.roleViewer"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:component-access-sa@[PROJECT_ID].iam.gserviceaccount.com" \
--role "roles/iam.serviceAccountViewer"
What's next
Create an admin workstation (quickstart)