Service accounts are the accounts that workloads or services use to programmatically consume resources and access microservices securely. They are a special kind of identity used by an application or workload rather than by a person. Similar to a user account, service accounts can be granted permissions and roles but they can't sign in like a human user.
Service accounts are useful for managing Google Distributed Cloud (GDC) air-gapped appliance infrastructure, such as:
- Internal GDC air-gapped appliance services and workloads to securely access GDC air-gapped appliance control plane application programming interface (API).
- Customer workloads in GDC air-gapped appliance to access GDC air-gapped appliance services and make authorized application programming interface (API) calls.
- External workloads to federate with GDC air-gapped appliance.
- GDC air-gapped appliance services or system controllers to securely access customer resources. For example, service accounts can manage authentication and authorization workflows where the service controllers running in the bare metal Kubernetes cluster must run workloads managed by customers.
You can manage accounts by using the GDC console or
the gdcloud CLI. With the gdcloud CLI, the service
identity feature is built upon the ProjectServiceAccount API.
Before you begin
You can create service accounts only within a project. For more information , see Create a project.
Create a service identity
To get the permissions required to create service accounts, ask your
Project IAM Admin to grant you the Project IAM Admin (project-iam-admin)
role.
Users with access to service accounts can access all service accounts within a project.
To create service identities in a project, use the GDC console or the gdcloud CLI.
Console
- Sign in to the GDC console.
- In the navigation menu, select Identity & Access > Service identities.
- Click Create Service Identity. The Service Identity details page opens.
- In the Service identity name field, enter a name for your service
identity. For example:
Test service identity. - Click Create.
gdcloud
Create a service identity:
gdcloud iam service-accounts create NAME \
--project=PROJECT
Replace the following values:
- NAME: the name of the
ProjectServiceAccount. The name must be unique within the project namespace. - PROJECT: the project to create the service
identity in. If
gdcloud initis already set, omit the--projectflag.
This command creates a ProjectServiceAccount in the project namespace.
View service identities
To view a list of service accounts in a project, use the GDC console or the gdcloud CLI.
Console
- Sign in to the GDC console.
- Select a project.
- In the navigation menu, click Identity & Access > Service Identities to view the list of service accounts for the project.
gdcloud
List the service accounts in a project:
gdcloud iam service-accounts list \
--project=PROJECT
Assign a role binding to the service identity
To assign a role binding, you must have the proper permissions. To get the
permissions required to assign roles, ask your Project IAM Admin to grant
you the Project IAM Admin (project-iam-admin) role.
Use either the GDC console or the gdcloud CLI to assign a role binding.
Console
- Sign in to the GDC console.
- Select a project.
- In the navigation menu, select Identity & Access > Access.
- In the Member list, click Add member. You see the Users and roles page.
- Select Service identity in the Member type list.
- In the Service identity list, select the service identity you want to assign a role binding.
- In the Role list, select the role that you want to assign to the service identity, such as Backup Creator.
- Optional: To add another role, click Add another role. Select the additional role.
- Click Add.
gdcloud
This command creates and names the project role binding to bind the
specified role with the ProjectServiceAccount:
gdcloud iam service-accounts add-iam-policy-binding \
--project=PROJECT \
--role=ROLE \
--iam-account=NAME
Replace the following values:
- PROJECT: the project to create the role binding
in.
If
gdcloud initis already set, then you can omit the--projectflag. - ROLE: the predefined role to assign to the
ProjectServiceAccount. Specify roles in the formatRole/namewhere Role is the Kubernetes type, such asRoleorProjectRole, and name is the name of the predefined role. For example, to assign the Project Viewer role, set the role toRole/project-viewer. - NAME: the name of the service identity to use.
Delete a service identity
To delete service accounts in a project, use theGDC console or the gdcloud CLI.
Console
- Sign in to the GDC console.
- In the navigation menu, select Identity & Access > Service Identities.
- Select the checkbox of the service identity that you want to delete.
- Click Delete.
- The confirmation dialog appears. In the
Confirm by typing the following below field, enter
remove. - Click Delete.
gdcloud
Run the following command to delete a service identity:
gdcloud iam service-accounts delete NAME \
--project=PROJECT
Create and add key pairs
To create and add key pairs in a project, use the GDC console or the gdcloud CLI.
Console
- Sign in to the GDC console.
- In the navigation menu, select Identity & Access > Service Identities.
- Click the name of the service identity you want to add in the key.
- Click Create New Key.
- The new key appears in the Keys list, and a dialog confirms you've created the key successfully.
gdcloud
This command creates the application default credentials JSON file and the public and private key pairs:
gdcloud iam service-accounts keys create APPLICATION_DEFAULT_CREDENTIALS_FILENAME \
--project=PROJECT \
--iam-account=NAME \
--ca-cert-path=CA_CERTIFICATE_PATH
Replace the following values:
- APPLICATION_DEFAULT_CREDENTIALS_FILENAME: the name of the JSON file.
- PROJECT : selects the project to create the key for.
If
gdcloud initis already set, then you can omit the--projectflag. - NAME: the name of the service identity to add the key for.
- CA_CERTIFICATE_PATH: Optional: the certificate authority (CA) certificate path to verify the authentication endpoint. If you do not specify this path, the system CA certificates are used. You must install the CA in the system CA certificates.
GDC air-gapped appliance adds the public key to the ProjectServiceAccount
keys you use to verify the JSON web tokens (JWT) the private key signs. The
private key writes to the application default credentials JSON file.
The following example shows the application default credentials JSON file:
{
"type": "gdch_service_account",
"format_version": "1",
"project": "project_name",
"private_key_id": "abcdef1234567890",
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nETC\n-----END RSA PRIVATE KEY-----\n",
"name": "service_identity_name",
"ca_cert_path": "service_identity_name",
"token_uri": "https://service-identity.<Domain>/authenticate"
}
This example uses the following values:
project: the project namespace in the organization.private_key_id: the ID assigned to the key.private_key: the private key the CLI generates.name: the name of the service identity.token_uri: the address of the authentication endpoint.
List credentials for service accounts
List the public keys from a specific ProjectServiceAccount in the
project:
gdcloud iam service-accounts keys list \
--project=PROJECT \
--iam-account=NAME
Delete credentials
To delete the public key, use the GDC console or the gdcloud CLI.
Console
- Sign in to the GDC console.
- In the navigation menu, select Identity & Access > Service Identities.
- Click the name of the service identity that has the key you want to delete.
- Click Delete.
- In the confirmation dialog, click Delete.
gdcloud
Remove the public key with the key ID from the specific ProjectServiceAccount
in the project:
gdcloud iam service-accounts keys delete KEY_ID \
--project=PROJECT \
--iam-account=NAME