Tags: kubernetes, gcloud, service-accounts

Problem using service accounts in GKE deployment

I have a service account created in Terraform. I want to use it to deploy a workload using a Docker image stored in artifacts.

resource "google_service_account" "artifact_reader" {
  account_id   = "artifact-reader"
  display_name = "Artifact Reader Service Account for Deployments"

  project = var.project_id
}

# Note: google_project_iam_binding is authoritative for the role it names,
# so this resource replaces every other member of roles/editor on the project.
# roles/editor is also far broader than what an image reader needs.
resource "google_project_iam_binding" "artifact_reader_binding" {
  project = var.project_id
  role    = "roles/editor"

  members = [
    "serviceAccount:${google_service_account.artifact_reader.email}"
  ]
}

It creates a service account, which can be viewed with gcloud iam service-accounts describe and gives the result:

displayName: Artifact Reader Service Account for Deployments
email: artifact-reader@as1.iam.gserviceaccount.com
etag: MDEwMjE5MjA=
name: projects/as1/serviceAccounts/artifact-reader@as1.iam.gserviceaccount.com
oauth2ClientId: '116283672136579491873'
projectId: as1
uniqueId: '116283672136579491873'

so far so good...

My YAML file contains the StatefulSet definition:

---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: my-ssh
  labels:
    app: ssh
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ssh
  template:
    metadata:
      labels:
        app: ssh
    spec:
      serviceAccountName: artifact-reader@as1.iam.gserviceaccount.com
      containers:
        - name: ssh
          image: europe-north1-docker.pkg.dev/as1/bounce/bounce:latest
          ports:
            - containerPort: 22

But then during the deployment I am getting errors:

create Pod my-ssh-0 in StatefulSet my-ssh failed error: pods "my-ssh-0" is forbidden: error looking up service account default/artifact-reader@as1.iam.gserviceaccount.com: serviceaccount "artifact-reader@as1.iam.gserviceaccount.com" not found

I am guessing the "default/" is the namespace, but I was not modifying the namespaces anywhere in the YAML file or while creating the service account, so both the service account and the deployments should be in the same namespace(?). I also tried creating another service account inside the YAML file, but then it does not have the permissions for the artifacts repo and also ends with errors. I am missing some piece of the puzzle here. How can I make the deployment succeed?


Solution

  • It's confusing but ...

    Google (aka IAM) Service Accounts != Kubernetes Service Accounts.

    You cannot use a Google (IAM) Service Account ({account}@{project}.iam.gserviceaccount.com) as a Kubernetes Service Account

    There are various ways that you configure a Kubernetes Service Account to impersonate a Google (IAM) Service Account; effectively, a Google (IAM) Service Account becomes "twinned" with a Kubernetes Service Account.

    The preferred mechanism is Workload Identity Federation (WIF). Although it's somewhat tortuous to enable|configure, it works very well and is an elegant solution.

    See:
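Wiring the "twinning" the answer describes into the question's Terraform, as an added example (not code from the question or the answer): it keeps the Google SA from the question, grants it Artifact Registry read access instead of roles/editor, lets the Kubernetes ServiceAccount default/artifact-reader impersonate it through the cluster's workload identity pool, and creates that Kubernetes ServiceAccount with the iam.gke.io/gcp-service-account annotation. It assumes var.project_id, a kubernetes provider already configured against the GKE cluster, and Workload Identity enabled on the cluster and its node pool; the namespace and ServiceAccount name are assumptions.

```hcl
# Assumptions: var.project_id and google_service_account.artifact_reader
# exist as in the question; the kubernetes provider points at a GKE cluster
# with Workload Identity enabled on the cluster and node pool.

locals {
  k8s_namespace = "default"         # namespace the StatefulSet runs in
  k8s_sa_name   = "artifact-reader" # Kubernetes ServiceAccount name (no @domain)
}

# Least privilege: read Artifact Registry instead of roles/editor.
# google_project_iam_member is additive, so it does not strip other members.
resource "google_project_iam_member" "artifact_reader_registry" {
  project = var.project_id
  role    = "roles/artifactregistry.reader"
  member  = "serviceAccount:${google_service_account.artifact_reader.email}"
}

# The "twinning" step: allow the Kubernetes SA, identified through the
# cluster's workload identity pool, to impersonate the Google SA.
resource "google_service_account_iam_member" "workload_identity_user" {
  service_account_id = google_service_account.artifact_reader.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${local.k8s_namespace}/${local.k8s_sa_name}]"
}

# The Kubernetes SA the pod actually references. The annotation tells GKE
# which Google SA to mint tokens for when the workload calls Google APIs.
resource "kubernetes_service_account" "artifact_reader" {
  metadata {
    name      = local.k8s_sa_name
    namespace = local.k8s_namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.artifact_reader.email
    }
  }
}

# In the StatefulSet pod spec, reference the Kubernetes SA by its short name,
# not the Google SA e-mail:
#   serviceAccountName: artifact-reader
```

Note that the kubelet pulls container images with the node pool's service account rather than the pod's Workload Identity, so the node service account also needs roles/artifactregistry.reader on the repository (or the pod needs imagePullSecrets); the bindings above govern the Google API calls the application itself makes.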