gcp-service-account

Creates a GCP service account

This module can be used to create and manage a GCP service account via opta, including permissioning and mapping to kubernetes service accounts.

Map to K8s Service Account

You can designate your GCP service account to allow role assumption from a service account in one of your gke clusters. This is done via the allowed_k8s_services field which takes as input a list of entries holding a namespace and service_account_name field, corresponding to a given namespace+service_account to trust.

Warning: This trust will be for all clusters in the project, not just the current one of this environment.

For more information, you can read the official GCP docs here

Linking

This module can also be linked to other resources, like in the k8s-service. It will then have the desired permissions for said resources. Currently supported resources:

  • GCS Bucket

Example

  - name: deployer
    type: gcp-service-account
    allowed_k8s_services:
      - namespace: "blah"
        service_account_name: "baloney"

Fields

Name Description Default Required
allowed_k8s_services K8s service accounts that this role should have access to. [] False
links A list of extra IAM role policies not captured by Opta which you wish to give to your service. [] False

Outputs

Name Description
service_account_id The id of the GCP service account created
service_account_email The email of the GCP service account created