Create a service account (quickstart)

This document shows how to create a service account for accessing GKE Enterprise components.

The instructions here are part of a quickstart. For full instructions on using service accounts with GKE on VMware, see Service accounts and keys.

Before you begin

Create a Google Cloud project (quickstart).

Create a component access service account

GKE on VMware uses a service account to download GKE Enterprise components, on your behalf, from Container Registry. This account is called the component access service account.

This sequence of quickstart topics uses a single Google Cloud project. You established which Google Cloud project to use in the preceding quickstart topic: Google Cloud project (quickstart).

Your component access service account will be a child of that same Google Cloud project and will be granted roles on that Google Cloud project.

To create a component access service account:

gcloud iam service-accounts create component-access-sa \
    --display-name "Component Access Service Account" \
    --project PROJECT_ID

Replace PROJECT_ID with the ID of your Google Cloud project.

To create a JSON key for your component access service account:

gcloud iam service-accounts keys create component-access-key.json \
    --iam-account component-access-sa@PROJECT_ID.iam.gserviceaccount.com

Granting roles to your component access service account

Your component access service account must be granted the following IAM roles on your Google Cloud project. These roles are required so that GKE on VMware can run its preflight checks:

  • serviceusage.serviceUsageViewer
  • iam.roleViewer
  • iam.serviceAccountViewer

To grant roles:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/serviceusage.serviceUsageViewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/iam.roleViewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/iam.serviceAccountViewer"

What's next

Create an admin workstation (quickstart)