Version 1.2. This version is not fully supported. For the latest patches and updates for security vulnerabilities, exposures, and issues impacting GKE On-Prem, upgrade to a fully supported version. You can find the most recent version here.

Creating service accounts and keys

This page shows how to create the Google Cloud service accounts and keys that you need to install GKE on-prem.

SSH into your admin workstation

SSH into your admin workstation:

ssh -i ~/.ssh/vsphere_workstation ubuntu@[IP_ADDRESS]

where [IP_ADDRESS] is the IP address of your admin workstation.

Do all of the remaining steps in this topic on your admin workstation.

Logging in

Log in to Google Cloud using your account credentials:

gcloud auth login

Overview of service accounts

Before you install GKE on-prem, you need to create four service accounts in your Google Cloud project. You also need to create a JSON key for each service account. These are the service accounts you need:

  • Allowlisted service account
  • Connect service account
  • Register service account
  • Google Cloud's operations suite service account

List your service accounts:

gcloud iam service-accounts list

The output shows the email addresses of your service accounts:

whitelisted-service-account@my-gcp-project.iam.gserviceaccount.com
some-other-service-account@my-gcp-project.iam.gserviceaccount.com
...

Take note of each account's email address.

Allowlisted service account

You already have a allowlisted service account.

Create a key for your allowlisted service account:

gcloud iam service-accounts keys create whitelisted-key.json \
   --iam-account [ALLOWLISTED_SERVICE_ACCOUNT_EMAIL]

where [ALLOWLISTED_SERVICE_ACCOUNT_EMAIL] is the email address of your allowlisted service account.

Connect service account

Connect uses this service account to maintain a connection between GKE on-prem and Google Cloud.

Create your Connect service account:

gcloud iam service-accounts create connect-service-account

Create a key for your Connect service account:

gcloud iam service-accounts keys create connect-key.json \
   --iam-account [Connect_SERVICE_ACCOUNT_EMAIL]

where [Connect_SERVICE_ACCOUNT_EMAIL] is the email address of your Connect service account.

Register service account

Connect uses this service account to register your GKE on-prem clusters with Google Cloud Console.

Create your register service account:

gcloud iam service-accounts create register-service-account

Create a key for your register service account:

gcloud iam service-accounts keys create register-key.json \
   --iam-account [REGISTER_SERVICE_ACCOUNT_EMAIL]

where [REGISTER_SERVICE_ACCOUNT_EMAIL] is the email address of your register service account.

Google Cloud's operations suite service account

Connect uses this service account to export cluster logs from clusters to Stackdriver by way of your GCP project.

Create your Google Cloud's operations suite service account:

gcloud iam service-accounts create stackdriver-service-account

Create a key for your Google Cloud's operations suite service account:

gcloud iam service-accounts keys create stackdriver-key.json \
   --iam-account [Google Cloud's operations suite_SERVICE_ACCOUNT_EMAIL]

where [Google Cloud's operations suite_SERVICE_ACCOUNT_EMAIL] is the email address of your Google Cloud's operations suite service account.

At this point, you have created four service accounts in your Google Cloud project, and you have a JSON key for each service account on your admin workstation.

Assigning Identity and Access Management roles to your service accounts

Each of your service accounts needs to have certain IAM roles. It is a good practice to grant each service account the minimum set of roles that it needs.

First, list the service accounts in your Google Cloud project:

gcloud iam service-accounts list

The output shows the email addresses of your service accounts:

whitelisted-service-account@my-gcp-project.iam.gserviceaccount.com
register-service-account@my-gcp-project.iam.gserviceaccount.com
connect-service-account@my-gcp-project.iam.gserviceaccount.com
stackdriver-service-account@my-gcp-project.iam.gserviceaccount.com

Take note of each account's email address. For each of the following sections, you provide the relevant account's email address.

Register service account

Grant the gkehub.admin and serviceuseage.serviceUsageViewer roles to your register service account:

gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "serviceAccount:[REGISTER_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/gkehub.admin"
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "serviceAccount:[REGISTER_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/serviceusage.serviceUsageViewer"

Connect service account

Grant the gkehub.connect role to your Connect service account:

gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "serviceAccount:[Connect_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/gkehub.connect"

Google Cloud's operations suite service account

Grant the stackdriver.resourceMetadata.writer, logging.logWriter, and monitoring.metricWriter roles to your Google Cloud's operations suite service account:

gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "serviceAccount:[Google Cloud's operations suite_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/stackdriver.resourceMetadata.writer"
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "serviceAccount:[Google Cloud's operations suite_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/logging.logWriter"
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "serviceAccount:[Google Cloud's operations suite_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/monitoring.metricWriter"