I have a service account created in terraform. I want to use it to deploy a workload using a docker image stored in artifacts.
resource "google_service_account" "artifact_reader" {
  account_id   = "artifact-reader"
  display_name = "Artifact Reader Service Account for Deployments"
  project      = var.project_id
}

resource "google_project_iam_binding" "artifact_reader_binding" {
  project = var.project_id
  role    = "roles/editor"
  members = [
    "serviceAccount:${google_service_account.artifact_reader.email}"
  ]
}
It creates a service account, which can be viewed with gcloud iam service-accounts describe, and gives the result:
displayName: Artifact Reader Service Account for Deployments
email: artifact-reader@as1.iam.gserviceaccount.com
etag: MDEwMjE5MjA=
name: projects/as1/serviceAccounts/artifact-reader@as1.iam.gserviceaccount.com
oauth2ClientId: '116283672136579491873'
projectId: as1
uniqueId: '116283672136579491873'
so far so good...
my yaml file contains the Stateful Set definition:
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: my-ssh
  labels:
    app: ssh
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ssh
  template:
    metadata:
      labels:
        app: ssh
    spec:
      serviceAccountName: artifact-reader@as1.iam.gserviceaccount.com
      containers:
        - name: ssh
          image: europe-north1-docker.pkg.dev/as1/bounce/bounce:latest
          ports:
            - containerPort: 22
But then during the deployment I am getting errors:
create Pod my-ssh-0 in StatefulSet my-ssh failed error: pods "my-ssh-0" is forbidden: error looking up service account default/artifact-reader@as1.iam.gserviceaccount.com: serviceaccount "artifact-reader@as1.iam.gserviceaccount.com" not found
I am guessing the "default/" is the namespace, but I was not modifying the namespaces anywhere in the yaml file or while creating the service account, so both the service account and the deployments should be in the same namespace(?). I also tried creating another service account inside the yaml file, but then it does not have the permissions for the artifacts repo and also ends with errors. I am missing some piece of the puzzle here. How can I make the deployment succeed?
It's confusing but ...
Google (aka IAM) Service Accounts != Kubernetes Service Accounts.
You cannot use a Google (IAM) Service Account ({account}@{project}.iam.gserviceaccount.com) as a Kubernetes Service Account.
There are various ways that you can configure a Kubernetes Service Account to impersonate a Google (IAM) Service Account; effectively, a Google (IAM) Service Account becomes "twinned" with a Kubernetes Service Account.
The preferred mechanism is Workload Identity Federation (WIF). Although it's somewhat tortuous to enable|configure, it works very well and is an elegant solution.
See:
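A worked Workload Identity configuration, as an added example that is not part of the original answer or of the asker's Terraform: it assumes the GKE cluster already has Workload Identity enabled (workload pool `PROJECT_ID.svc.id.goog`, node pools using the GKE metadata server), that the Terraform `kubernetes` provider is configured against that cluster, and that the repository is the `bounce` repo in `europe-north1` taken from the image path in the question. `var.project_id`, the `default` namespace and the resource names come from the question; the `service_name` value and the narrower `roles/artifactregistry.reader` grant are assumptions made here. The point it shows is the twinning the answer describes: one Google service account, one Kubernetes service account, an annotation on the Kubernetes side and a `roles/iam.workloadIdentityUser` binding on the Google side, and the pod referring to the Kubernetes name rather than the Google e-mail.

```hcl
# Google (IAM) service account: the identity the workload acts as on GCP.
resource "google_service_account" "artifact_reader" {
  account_id   = "artifact-reader"
  display_name = "Artifact Reader Service Account for Deployments"
  project      = var.project_id
}

# Least privilege: read access to the one Artifact Registry repository,
# instead of roles/editor on the whole project as in the question.
resource "google_artifact_registry_repository_iam_member" "artifact_reader" {
  project    = var.project_id
  location   = "europe-north1" # assumed from the image path in the question
  repository = "bounce"        # assumed from the image path in the question
  role       = "roles/artifactregistry.reader"
  member     = "serviceAccount:${google_service_account.artifact_reader.email}"
}

# Kubernetes service account: a separate object that lives in a namespace.
# The annotation tells GKE which Google service account it maps to.
resource "kubernetes_service_account" "artifact_reader" {
  metadata {
    name      = "artifact-reader"
    namespace = "default"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.artifact_reader.email
    }
  }
}

# The other half of the twinning: only this namespace/KSA pair may
# impersonate the Google service account.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.artifact_reader.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/artifact-reader]"
}

# The StatefulSet from the question, now pointing at the Kubernetes
# service account by name rather than at the Google e-mail address.
resource "kubernetes_stateful_set_v1" "my_ssh" {
  metadata {
    name      = "my-ssh"
    namespace = "default"
    labels    = { app = "ssh" }
  }
  spec {
    replicas     = 1
    service_name = "my-ssh" # assumed; the provider schema requires a governing service name
    selector {
      match_labels = { app = "ssh" }
    }
    template {
      metadata {
        labels = { app = "ssh" }
      }
      spec {
        # Kubernetes SA name, not artifact-reader@as1.iam.gserviceaccount.com
        service_account_name = kubernetes_service_account.artifact_reader.metadata[0].name
        container {
          name  = "ssh"
          image = "europe-north1-docker.pkg.dev/as1/bounce/bounce:latest"
          port {
            container_port = 22
          }
        }
      }
    }
  }
}
```

To check the twinning after `terraform apply`, exec into the running pod and query the metadata server (`curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email`); it should return the Google service account's e-mail, which confirms that tokens minted inside the container carry that identity. One caveat worth knowing when reading the original error: Workload Identity governs what processes inside the container can do against Google APIs. The image pull itself is performed by the kubelet on the node, using the node pool's service account (or an `imagePullSecrets` entry on the pod), so if the pull step is what fails, that node identity, not the pod's twinned account, is the one that needs `roles/artifactregistry.reader` on the repository.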