Service accounts and keys

This page explains the Google Cloud service accounts and keys that you need to install Anthos GKE on-prem (GKE on-prem).

Overview of service accounts

Before you install GKE on-prem, you need to have these service accounts:

  • Whitelisted service account
  • Connect-register service account
  • Connect-agent service account
  • Logging service account

Whitelisted service account

You already have a whitelisted service account.

If you have not already created a JSON key file for your whitelisted service account, create one now:

gcloud iam service-accounts keys create whitelisted-key.json \
   --iam-account [WHITELISTED_SERVICE_ACCOUNT_EMAIL]

where [WHITELISTED_SERVICE_ACCOUNT_EMAIL] is the email address of your whitelisted service account. Treat this key file, and every other JSON key file on this page, as a long-lived credential that authenticates as the service account: keep its file permissions restrictive (for example, chmod 600), keep it out of source control, and delete keys that are no longer in use.

Other service accounts

Depending on how you created your admin workstation, you might already have the required service accounts.

Case 1: gkeadm created service accounts for you.

If you used gkeadm to create your admin workstation and you passed the --auto-create-service-accounts flag, then gkeadm did the following for you:

  • Created a connect-register service account, granted it the appropriate Cloud IAM roles, created a JSON key file for it, and copied the key file to your admin workstation.

  • Created a connect-agent service account, granted it the appropriate Cloud IAM roles, created a JSON key file for it, and copied the key file to your admin workstation.

  • Created a logging service account, granted it the appropriate Cloud IAM roles, created a JSON key file for it, and copied the key file to your admin workstation.

Case 2: gkeadm did not create service accounts for you.

If you did not use gkeadm with the --auto-create-service-accounts flag to create your admin workstation, then you must create your own service accounts. Also, for each service account, you must create a JSON key file and grant the appropriate Cloud IAM roles.

Creating your own service accounts

If you already have service accounts as described in Case 1, you can skip this section.

This section shows how to create the service accounts that you need to install and use GKE on-prem. It also shows how to create JSON key files for your service accounts and how to grant the appropriate Cloud IAM roles to your service accounts.

Connect-register service account

Connect for Anthos uses this service account to register your GKE on-prem clusters with Google Cloud Console.

Create your connect-register service account:

gcloud iam service-accounts create connect-register-service-account

Create a key for your connect-register service account:

gcloud iam service-accounts keys create connect-register-key.json \
   --iam-account [CONNECT_REGISTER_SERVICE_ACCOUNT_EMAIL]

where [CONNECT_REGISTER_SERVICE_ACCOUNT_EMAIL] is the email address of your connect-register service account. For an account created as above, the email has the form connect-register-service-account@[PROJECT_ID].iam.gserviceaccount.com, where [PROJECT_ID] is the project in which you created it.

Grant the gkehub.admin and serviceusage.serviceUsageViewer roles to your connect-register service account:

gcloud projects add-iam-policy-binding [CONNECT_PROJECT_ID] \
--member "serviceAccount:[CONNECT_REGISTER_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/gkehub.admin"
gcloud projects add-iam-policy-binding [CONNECT_PROJECT_ID] \
--member "serviceAccount:[CONNECT_REGISTER_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/serviceusage.serviceUsageViewer"

where [CONNECT_PROJECT_ID] is the ID of the project where you want to register and maintain a connection to your GKE on-prem clusters.

Connect-agent service account

Connect for Anthos uses this service account to maintain a connection between GKE on-prem and Google Cloud.

Create your connect-agent service account:

gcloud iam service-accounts create connect-agent-service-account

Create a key for your connect-agent service account:

gcloud iam service-accounts keys create connect-agent-key.json \
   --iam-account [CONNECT_AGENT_SERVICE_ACCOUNT_EMAIL]

where [CONNECT_AGENT_SERVICE_ACCOUNT_EMAIL] is the email address of your connect-agent service account.

Grant the gkehub.connect role to your connect-agent service account:

gcloud projects add-iam-policy-binding [CONNECT_PROJECT_ID] \
--member "serviceAccount:[CONNECT_AGENT_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/gkehub.connect"

where [CONNECT_PROJECT_ID] is the ID of the project where you want to register and maintain a connection to your GKE on-prem clusters.

Logging service account

GKE on-prem uses this service account to export logs from clusters to Cloud Logging by way of your Google Cloud project.

Create your logging service account:

gcloud iam service-accounts create logging-service-account

Create a key for your logging service account:

gcloud iam service-accounts keys create logging-key.json \
   --iam-account [LOGGING_SERVICE_ACCOUNT_EMAIL]

where [LOGGING_SERVICE_ACCOUNT_EMAIL] is the email address of your logging service account.

Grant the stackdriver.resourceMetadata.writer, logging.logWriter, and monitoring.metricWriter roles to your logging service account:

gcloud projects add-iam-policy-binding [LOGGING_PROJECT_ID] \
--member "serviceAccount:[LOGGING_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/stackdriver.resourceMetadata.writer"
gcloud projects add-iam-policy-binding [LOGGING_PROJECT_ID] \
--member "serviceAccount:[LOGGING_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/logging.logWriter"
gcloud projects add-iam-policy-binding [LOGGING_PROJECT_ID] \
--member "serviceAccount:[LOGGING_SERVICE_ACCOUNT_EMAIL]" \
--role "roles/monitoring.metricWriter"

where [LOGGING_PROJECT_ID] is the ID of the project where you want to view logs for your GKE on-prem clusters.
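The whole Case 2 procedure above as one script, added here as a worked example; it is not code from the GKE on-prem documentation or from gkeadm. It assumes two environment variables, CONNECT_PROJECT_ID and LOGGING_PROJECT_ID, standing in for the page's placeholders, an authenticated gcloud with permission to create service accounts and edit project IAM policy, and a DRY_RUN variable of its own that prints each command instead of running it. The account and key-file names are the ones used on this page.

```shell
#!/bin/sh
# Added example; not part of the GKE on-prem documentation or tooling.
# Creates the three service accounts from this page, mints their JSON keys,
# grants the page's role sets, and prints the resulting bindings for review.
# Assumptions (hypothetical): CONNECT_PROJECT_ID and LOGGING_PROJECT_ID are
# exported, and gcloud is authenticated with rights to create service accounts
# and edit IAM policy. DRY_RUN=1 prints every command instead of running it.
set -eu

# Role sets exactly as listed on this page. Keeping them in one place means a
# misspelled role ID (such as "serviceuseage") is caught once, before any call.
CONNECT_REGISTER_ROLES="roles/gkehub.admin roles/serviceusage.serviceUsageViewer"
CONNECT_AGENT_ROLES="roles/gkehub.connect"
LOGGING_ROLES="roles/stackdriver.resourceMetadata.writer roles/logging.logWriter roles/monitoring.metricWriter"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Email of service account NAME in PROJECT (Google's fixed naming scheme).
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Accept only IDs of the form roles/<service>.<role>; anything else is a typo.
valid_role() {
  case "$1" in
    roles/*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create NAME in PROJECT if it does not exist, mint a key into KEYFILE with
# owner-only permissions, and bind each role in ROLES at project level.
# All role IDs are validated before anything is created.
setup_sa() {
  name=$1; project=$2; keyfile=$3; roles=$4
  email=$(sa_email "$name" "$project")
  for role in $roles; do
    valid_role "$role" || { echo "refusing to bind malformed role ID: $role" >&2; return 1; }
  done
  if [ "${DRY_RUN:-0}" = "1" ] || ! gcloud iam service-accounts describe "$email" --project "$project" >/dev/null 2>&1; then
    run gcloud iam service-accounts create "$name" --project "$project"
  fi
  run gcloud iam service-accounts keys create "$keyfile" --iam-account "$email"
  run chmod 600 "$keyfile"
  for role in $roles; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member "serviceAccount:$email" --role "$role"
  done
}

# Show which roles EMAIL holds in PROJECT and which user-managed keys exist for
# it, so the result can be checked against the role lists on this page.
audit_sa() {
  email=$1; project=$2
  run gcloud projects get-iam-policy "$project" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$email" \
    --format="table(bindings.role)"
  run gcloud iam service-accounts keys list --iam-account "$email" --managed-by user
}

# Driver: runs only when both project IDs are set, so the functions above can
# also be sourced and exercised one at a time.
if [ -n "${CONNECT_PROJECT_ID:-}" ] && [ -n "${LOGGING_PROJECT_ID:-}" ]; then
  setup_sa connect-register-service-account "$CONNECT_PROJECT_ID" connect-register-key.json "$CONNECT_REGISTER_ROLES"
  setup_sa connect-agent-service-account "$CONNECT_PROJECT_ID" connect-agent-key.json "$CONNECT_AGENT_ROLES"
  setup_sa logging-service-account "$LOGGING_PROJECT_ID" logging-key.json "$LOGGING_ROLES"
  for name in connect-register-service-account connect-agent-service-account; do
    audit_sa "$(sa_email "$name" "$CONNECT_PROJECT_ID")" "$CONNECT_PROJECT_ID"
  done
  audit_sa "$(sa_email logging-service-account "$LOGGING_PROJECT_ID")" "$LOGGING_PROJECT_ID"
fi
```

Run it once with DRY_RUN=1 to read the exact gcloud commands it will issue, then without. The audit step at the end is the check worth keeping: it lists every role bound to each account and every user-managed key, so an extra role or a forgotten key from an earlier attempt shows up immediately rather than surfacing later as an over-privileged credential on the admin workstation.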