Version 1.8. This version is supported as outlined in the Anthos version support policy, offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware (GKE on-prem). Refer to the release notes for more details. This is the most recent version.

Create a service account (quickstart)

This document shows how to create a service account for accessing Anthos components.

The instructions here are part of a quickstart. For full instructions on using service accounts with Anthos clusters on VMware (GKE on-prem), see Service accounts and keys.

Before you begin

Create a Google Cloud project (quickstart).

Create a component access service account

Anthos clusters on VMware uses a service account to download Anthos components, on your behalf, from Container Registry. This account is called the component access service account.

This quickstart uses a single Google Cloud project. Your component access service account will be a child of that Cloud project and will be granted roles on that same Cloud project.

To create a component access service account:

gcloud iam service-accounts create component-access-sa \
    --display-name "Component Access Service Account" \
    --project PROJECT_ID

Replace PROJECT_ID with the ID of your Cloud project.

To create a JSON key for your component access service account:

gcloud iam service-accounts keys create component-access-key.json \
    --iam-account component-access-sa@PROJECT_ID.iam.gserviceaccount.com

Granting roles to your component access service account

Your component access service account must be granted the following IAM roles on your Cloud project. These roles are required so that Anthos clusters on VMware can do preflight checks:

  • serviceusage.serviceUsageViewer
  • iam.serviceAccountCreator
  • iam.roleViewer

To grant roles:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/serviceusage.serviceUsageViewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/iam.roleViewer"
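
To confirm that the service account holds exactly the three roles listed above and nothing broader, you can audit its bindings after granting. The script below is an added example, not part of the original quickstart; the function names audit_roles and live_roles are hypothetical, and the sample role list is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example: audit the roles bound to the component access service account.
# The required set is the three roles this quickstart grants.
REQUIRED_ROLES="roles/serviceusage.serviceUsageViewer
roles/iam.serviceAccountCreator
roles/iam.roleViewer"

# audit_roles (hypothetical helper) reads granted roles on stdin, one per line.
# It prints "MISSING <role>" for each required role that is absent and
# "EXTRA <role>" for each granted role the quickstart does not call for.
# Returns 0 only when the granted set matches the required set exactly.
audit_roles() {
    granted=$(sort -u | sed '/^$/d')
    status=0
    for role in $REQUIRED_ROLES; do
        if ! printf '%s\n' "$granted" | grep -qxF "$role"; then
            echo "MISSING $role"
            status=1
        fi
    done
    for role in $granted; do
        if ! printf '%s\n' "$REQUIRED_ROLES" | grep -qxF "$role"; then
            echo "EXTRA $role"
            status=1
        fi
    done
    return $status
}

# live_roles (hypothetical helper) prints the project-level roles currently
# bound to the service account. Usage: live_roles PROJECT_ID
live_roles() {
    gcloud projects get-iam-policy "$1" \
        --flatten="bindings[].members" \
        --filter="bindings.members:component-access-sa@$1.iam.gserviceaccount.com" \
        --format="value(bindings.role)"
}

# Constructed sample: one required role was never granted, one broad role was added.
SAMPLE_ROLES="roles/serviceusage.serviceUsageViewer
roles/iam.roleViewer
roles/editor"

printf '%s\n' "$SAMPLE_ROLES" | audit_roles || echo "role set differs from the quickstart"
```

Against a real project, run live_roles PROJECT_ID | audit_roles and treat any EXTRA line as a binding to review, since the key file created earlier carries every role bound to this account.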

What's next

Create an admin workstation (quickstart)