gcp-service-account
This module can be used to create and manage a GCP service account via opta, including granting it permissions and mapping it to Kubernetes service accounts.
Map to K8s Service Account
You can configure your GCP service account to allow a Kubernetes service account in one of your GKE clusters to assume it.
This is done via the allowed_k8s_services field, which takes a list of entries, each holding a namespace and a service_account_name field, identifying the namespace and service account to trust.
Warning: this trust applies to all GKE clusters in the project, not just the one belonging to the current environment.
For more information, you can read the official GCP docs here
Linking
This module can also be linked to other resources, as the k8s-service module can. It will then be granted the desired permissions on those resources. Currently supported resources:
- GCS Bucket
Example
```yaml
- name: deployer
  type: gcp-service-account
  allowed_k8s_services:
    - namespace: "blah"
      service_account_name: "baloney"
```
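The warning in the previous section follows from how the trust is recorded in IAM: the member granted the mapping names a project, namespace and Kubernetes service account but no cluster. The following audit script is an added example, not part of opta or its documentation; it assumes opta implements allowed_k8s_services as a GKE Workload Identity binding (roles/iam.workloadIdentityUser on the service account) and parses the JSON output of gcloud's get-iam-policy command to list every trusted namespace/service-account pair and flag any not declared in the opta config (the sample policy below is constructed).

```python
"""Audit which Kubernetes service accounts may impersonate a GCP service account.
Added example, not part of opta. Assumes opta implements allowed_k8s_services
as a GKE Workload Identity binding: roles/iam.workloadIdentityUser granted to
serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]. Input is the JSON
from: gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
"""
import json
import re

WI_ROLE = "roles/iam.workloadIdentityUser"
# The member names project, namespace and KSA but no cluster, which is why
# the trust applies to every GKE cluster in the project, as the docs warn.
WI_MEMBER = re.compile(
    r"^serviceAccount:(?P<project>[^.]+)\.svc\.id\.goog\[(?P<ns>[^/\]]+)/(?P<ksa>[^\]]+)\]$")

# Constructed sample policy, shaped like gcloud's JSON output.
SAMPLE_POLICY = json.loads("""
{"bindings": [
   {"role": "roles/iam.workloadIdentityUser",
    "members": ["serviceAccount:my-proj.svc.id.goog[blah/baloney]",
                "serviceAccount:my-proj.svc.id.goog[default/default]"]},
   {"role": "roles/iam.serviceAccountUser", "members": ["user:alice@example.com"]}
 ], "etag": "BwXexample", "version": 1}
""")

def trusted_k8s_identities(policy):
    """Sorted (namespace, service_account_name) pairs granted workloadIdentityUser."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != WI_ROLE:
            continue  # other roles (e.g. serviceAccountUser) are not the K8s mapping
        for member in binding.get("members", []):
            m = WI_MEMBER.match(member)
            if m:
                found.add((m.group("ns"), m.group("ksa")))
    return sorted(found)

def unexpected_identities(policy, allowed_k8s_services):
    """Pairs present in IAM but not declared in the opta allowed_k8s_services list."""
    allowed = {(e["namespace"], e["service_account_name"]) for e in allowed_k8s_services}
    return [pair for pair in trusted_k8s_identities(policy) if pair not in allowed]

if __name__ == "__main__":
    declared = [{"namespace": "blah", "service_account_name": "baloney"}]
    for ns, ksa in unexpected_identities(SAMPLE_POLICY, declared):
        print(f"trusted in IAM but not declared in opta: {ns}/{ksa}")
```

Run against the real policy of each service account opta creates to confirm that only the namespace/service-account pairs declared in allowed_k8s_services can impersonate it, bearing in mind that each pair is honoured by every GKE cluster in the project.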
Fields
Name | Description | Default | Required
---|---|---|---
allowed_k8s_services | K8s service accounts that this role should have access to. | [] | False
links | A list of extra IAM role policies not captured by Opta which you wish to give to your service. | [] | False
additional_iam_roles | A list of extra project-level IAM roles to grant to the service account. | [] | False
explicit_name | An explicit name to give to your service account (warning: must be unique per account). | None | False
Outputs
Name | Description
---|---
service_account_id | The id of the GCP service account created
service_account_email | The email of the GCP service account created