gini/dexter

Authenticate as Google Service Account

itmecho opened this issue · 5 comments

I've created a service account in the Google Cloud console and am struggling to find out how to authenticate as that service account via kubectl. The idea is that our deployment server should be able to execute `kubectl set image deployment ...` against the cluster, but to do that, it needs to authenticate. It makes more sense to use a service account as opposed to a normal IAM user account in this situation.

Is this possible using dexter? If not, does anyone know of an example I can look at for how to achieve this?

I think dexter will not help you in this situation as OIDC is not involved here. I'm not really an expert on GCP so I will need to do more research to help you. Are you trying to access the API (with kubectl) from a pod running in Kubernetes or from a VM? If you run in k8s you could just use a k8s serviceaccount and it should work out of the box if RBAC is set up correctly.

Anything else I can help you with?

Thanks for getting back to me! I couldn't see anything in the docs about it so I assumed it wasn't supported. I was just wondering, as when I run the following commands, I get an OpenID Connect token, so I wasn't sure if it was possible to implement somehow?

```
gcloud auth activate-service-account --key-file /path/to/key.file
gcloud auth print-identity-token deployer@myproject.iam.gserviceaccount.com
```

Thank you for the update. Off the top of my head I don't think this is a use case for dexter. The classic OpenID flow doesn't really match the GCP service account use case. There's no login from a real user, no callback, ... Sorry.

Cool, thanks for letting me know!