This document shows how to create a service account for accessing GKE Enterprise components.
The instructions here are part of a quickstart. For full instructions on using service accounts with Google Distributed Cloud, see Service accounts and keys.
Before you begin
Create a Google Cloud project (quickstart).
Create a component access service account
Google Distributed Cloud uses a service account to download GKE Enterprise components, on your behalf, from Container Registry. This account is called the component access service account.
This quickstart uses a single Google Cloud project. Your component access service account will be a child of that Google Cloud project and will be granted roles on that same Google Cloud project.
To create a component access service account:
gcloud iam service-accounts create component-access-sa \
    --display-name "Component Access Service Account" \
    --project PROJECT_ID
Replace PROJECT_ID with the ID of your Google Cloud project.
To create a JSON key for your component access service account:
gcloud iam service-accounts keys create component-access-key.json \
    --iam-account component-access-sa@PROJECT_ID.iam.gserviceaccount.com
Granting roles to your component access service account
Your component access service account must be granted the following IAM roles on your Google Cloud project. These roles are required so that Google Distributed Cloud can do preflight checks:
To grant roles:
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/serviceusage.serviceUsageViewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/iam.roleViewer"
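To confirm that the account holds exactly the three roles granted above and nothing broader, the following added example (not part of the original quickstart or of Google's tooling) audits a saved project IAM policy. The sample policy, the example-project ID, and the function name audit_sa_roles are constructed for illustration; it assumes the policy was saved with gcloud projects get-iam-policy PROJECT_ID --format=json.

```python
import json
import sys

# The three roles this page grants to the component access service account.
EXPECTED_ROLES = {
    "roles/serviceusage.serviceUsageViewer",
    "roles/iam.serviceAccountCreator",
    "roles/iam.roleViewer",
}

# Constructed sample, shaped like the output of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_SA = "serviceAccount:component-access-sa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/serviceusage.serviceUsageViewer", "members": [SAMPLE_SA]},
    {"role": "roles/iam.roleViewer", "members": [SAMPLE_SA]},
    {"role": "roles/iam.serviceAccountCreator", "members": ["user:admin@example.com"]},
    {"role": "roles/editor", "members": ["user:admin@example.com", SAMPLE_SA]},
]}


def audit_sa_roles(policy, project_id, sa_name="component-access-sa"):
    """Compare the roles bound to the service account with EXPECTED_ROLES."""
    member = f"serviceAccount:{sa_name}@{project_id}.iam.gserviceaccount.com"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding with an IAM condition applies only while the condition holds.
        (conditional if "condition" in binding else granted).add(binding["role"])
    return {
        "missing": sorted(EXPECTED_ROLES - granted - conditional),
        "conditional": sorted(conditional),
        "unexpected": sorted((granted | conditional) - EXPECTED_ROLES),
    }


if __name__ == "__main__":
    # Usage: audit.py PROJECT_ID policy.json   (no arguments: use the sample)
    if len(sys.argv) == 3:
        project = sys.argv[1]
        with open(sys.argv[2]) as fh:
            policy = json.load(fh)
    else:
        project, policy = "example-project", SAMPLE_POLICY
    report = audit_sa_roles(policy, project)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["missing"] or report["unexpected"] else 0)
```

On the constructed sample the script reports roles/iam.serviceAccountCreator as missing and roles/editor as unexpected, and exits non-zero so it can gate a setup script.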
What's next
Create an admin workstation (quickstart)