Create a Service Account for deployment with impersonation

This page describes an optional step: creating a service account that deploys the Cortex Data Foundation through impersonation.

The deployment can run through a service account with impersonation rights by adding the --impersonate-service-account flag to the deployment command. That service account triggers a Cloud Build job, which in turn runs specific steps through the Cloud Build service account. This lets you trigger a deployment without having direct access to the resources yourself.

Create and assign the impersonation rights through the Google Cloud console or the Google Cloud CLI by following the instructions below.

Console

To create a new service account, follow these steps:

  1. Go to the Service accounts page.

  2. Grant this Service Account access to the project.

  3. Grant users access to this Service Account.

    1. Add the ID of all users (including your own) who can run the deployment through the impersonated service account.
    2. Assign the Service Account Token Creator role. For more information about this role, see Service account roles.

If you already have a service account, follow these steps:

  1. Go to Service accounts.
  2. Click the Service account.
  3. Click the Permissions tab.
  4. Click Grant Access.
    1. Add the ID of all users (including your own) who can run the deployment through the impersonated service account.
    2. Assign the Service Account Token Creator role.

gcloud

  1. Create the service account that will be impersonated with the following command:

    gcloud iam service-accounts create SERVICE_ACCOUNT \
        --description="Service account for Cortex Framework deployment" \
        --display-name="my-cortex-service-account"
    
  2. Add the IAM policy to your Google Cloud Project with the following command:

    gcloud projects add-iam-policy-binding SOURCE_PROJECT \
    --member="serviceAccount:SERVICE_ACCOUNT@SOURCE_PROJECT.iam.gserviceaccount.com" \
    --role="roles/cloudbuild.builds.editor"
    
  3. Add the ID of all users (including your own) who can run the deployment through the impersonated service account, and assign them the Service Account Token Creator role with the following command:

    gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT@SOURCE_PROJECT.iam.gserviceaccount.com \
        --member="user:USER_EMAIL" \
        --role="roles/iam.serviceAccountTokenCreator"
    

    Replace the following:

    • SERVICE_ACCOUNT with the name of the service account used for the Cortex Framework deployment.
    • SOURCE_PROJECT with the ID of the source project for the Cortex Framework deployment.
    • USER_EMAIL with the email address of the user who runs the deployment.
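The following script is an added example and is not part of the Cortex Data Foundation documentation or code. It wraps the three gcloud steps above in one function that prints the commands for review (instead of running them), and adds a least-privilege check: whoever holds roles/iam.serviceAccountTokenCreator on the deployment service account can act as it, so the audit function flags any Token Creator member that is not an individual user on your allow-list. The service account name, project ID, user emails and the policy listing are constructed sample values; the audit assumes the policy was exported with `gcloud iam service-accounts get-iam-policy SA_EMAIL --flatten="bindings[].members" --format="value(bindings.role,bindings.members)"`, which prints one `role<TAB>member` line per binding.

```shell
#!/usr/bin/env bash
# Added example, not from the Cortex Data Foundation docs.
set -eu

# Print the gcloud commands for the three steps on this page:
#   1. create the service account
#   2. grant it Cloud Build Editor on the project
#   3. grant each listed user Service Account Token Creator on it
# The commands are printed rather than executed so they can be reviewed
# first; pipe the output to `sh` to apply them.
cortex_impersonation_commands() {
  sa_name=$1; project=$2; shift 2      # remaining arguments: user emails
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
  printf 'gcloud iam service-accounts create %s --project=%s --description="Service account for Cortex Framework deployment" --display-name=%s\n' \
    "$sa_name" "$project" "$sa_name"
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/cloudbuild.builds.editor\n' \
    "$project" "$sa_email"
  for user_email in "$@"; do
    printf 'gcloud iam service-accounts add-iam-policy-binding %s --member=user:%s --role=roles/iam.serviceAccountTokenCreator\n' \
      "$sa_email" "$user_email"
  done
}

# Audit who may impersonate the service account. Reads "role<TAB>member"
# lines (the assumed export format described in the lead-in) from a file and
# reports every Token Creator member that is either not an individual user
# (group:, serviceAccount:, allUsers, ...) or a user outside the allow-list.
# Returns 1 if anything was flagged, 0 otherwise.
audit_token_creators() {
  allowed=$1          # space-separated list of allowed user emails
  policy_file=$2
  rc=0
  while read -r role member; do
    [ "$role" = "roles/iam.serviceAccountTokenCreator" ] || continue
    case "$member" in
      user:*)
        email=${member#user:}
        case " $allowed " in
          *" $email "*) ;;                                   # expected user
          *) echo "unexpected token creator: $member"; rc=1 ;;
        esac ;;
      *) echo "non-user token creator, review: $member"; rc=1 ;;
    esac
  done < "$policy_file"
  return $rc
}

# Demo on constructed values: print the commands for a hypothetical project,
# then audit a constructed policy export that contains one group binding.
cortex_impersonation_commands my-cortex-deployer example-project alice@example.com
demo_policy=$(mktemp)
printf 'roles/iam.serviceAccountTokenCreator\tuser:alice@example.com\nroles/iam.serviceAccountTokenCreator\tgroup:everyone@example.com\n' > "$demo_policy"
if audit_token_creators "alice@example.com" "$demo_policy"; then
  echo "audit: clean"
else
  echo "audit: review the members listed above"
fi
rm -f "$demo_policy"
```

Run the audit after every change to the service account's policy, and again periodically: the console steps above grant Token Creator to named users, and a later grant to a group or to another service account widens who can drive the deployment without any change showing up in the deployment command itself.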