When I'm working on a software project that uses Google Cloud Platform (GCP) APIs, I find that Google's authentication mechanism is really easy to use from inside a Kubernetes cluster hosted on Google Container Engine (GKE). Google's authentication libraries typically look for the environment variable GOOGLE_APPLICATION_CREDENTIALS, which should contain the absolute path to the service account JSON file downloaded when creating service account credentials in the Google Cloud Platform console. Let's get started by creating service account credentials in the GCP console; next we will import the credentials into a Kubernetes Secret, and finally we will reference the Secret in our Kubernetes Deployment manifest.
Create service account credentials
To give the applications running on GKE access to Google Cloud Platform services, you need to use service accounts.
To create a service account, go to Service Accounts in the GCP Console and click Create Service Account:
- Specify a Service Account Name (for example,
- In the Role dropdown, select the role that has access to the GCP API your app is utilizing. Alternatively, "Project → Owner" has access to ALL GCP APIs in your account. USE OF "Project → Owner" IS TYPICALLY NOT RECOMMENDED!
- Choose key type as JSON.
- Click Create.
Once the service account is created, a JSON key file containing the credentials of the service account is downloaded to your computer. You will use this key file to configure the application to authenticate to the GCP API.
Import credentials as a Secret
Kubernetes offers the Secret resource type to store credentials inside the container cluster and use them in the applications deployed on GKE directly.
To save the JSON key file as a Secret named my-gcp-key, run the following command with the path to the downloaded service account credentials file:
kubectl create secret generic my-gcp-key --from-file=key.json=PATH-TO-KEY-FILE.json
This command creates a Secret named my-gcp-key that has a key.json file with the contents of the private key you downloaded from the GCP Console. Note that Kubernetes requires Secret names to be lowercase RFC 1123 subdomain names, so a mixed-case name such as myGcp-key is rejected by the API server. Once you create the Secret, you should remove the key file from your computer or store it in a safe location.
Configure the application with the Secret
To use the my-gcp-key Secret in your application, you need to modify the Deployment specification to:
- Define a volume with the Secret.
- Mount the Secret volume into the application container.
- Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the key file in the Secret volume mount.
An example Kubernetes deployment manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pubsub
spec:
  selector:
    matchLabels:
      app: pubsub
  template:
    metadata:
      labels:
        app: pubsub
    spec:
      volumes:
      - name: google-cloud-key
        secret:
          secretName: my-gcp-key
      containers:
      - name: subscriber
        image: gcr.io/google-samples/pubsub-sample:v1
        volumeMounts:
        - name: google-cloud-key
          mountPath: /var/secrets/google
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json
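As an added sanity check (my own code, not from the original post or the pubsub sample), the following Python builds the Deployment above as a dict and verifies that the environment variable, the volumeMount, the volume and the Secret name all agree, including the lowercase-name rule the API server enforces. The make_deployment helper and the key.json file name are assumptions that mirror the manifest above.

```python
import posixpath
import re

# Kubernetes object names, Secrets included, must be lowercase RFC 1123 subdomains.
DNS_SUBDOMAIN = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")

def make_deployment(secret_name, mount_path, cred_path):
    """Constructed sample: the post's pubsub Deployment as a dict (not a live manifest)."""
    return {
        "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "pubsub"},
        "spec": {"selector": {"matchLabels": {"app": "pubsub"}},
                 "template": {"metadata": {"labels": {"app": "pubsub"}}, "spec": {
                     "volumes": [{"name": "google-cloud-key", "secret": {"secretName": secret_name}}],
                     "containers": [{"name": "subscriber", "image": "gcr.io/google-samples/pubsub-sample:v1",
                                     "volumeMounts": [{"name": "google-cloud-key", "mountPath": mount_path}],
                                     "env": [{"name": "GOOGLE_APPLICATION_CREDENTIALS", "value": cred_path}]}]}}}}

def check_adc_wiring(deployment, secret_key="key.json"):
    """Return a list of problems; empty means env var, mount, volume and Secret all agree."""
    problems = []
    pod = deployment["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    for c in pod.get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        cred_path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
        if not cred_path:
            problems.append(f"{c['name']}: GOOGLE_APPLICATION_CREDENTIALS is not set")
            continue
        cred_dir = posixpath.dirname(cred_path)
        # The directory part of the env var must be exactly one volumeMount of this container.
        mount = next((m for m in c.get("volumeMounts", []) if m["mountPath"].rstrip("/") == cred_dir), None)
        if mount is None:
            problems.append(f"{c['name']}: nothing is mounted at {cred_dir}")
            continue
        volume = volumes.get(mount["name"], {})
        if "secret" not in volume:
            problems.append(f"{c['name']}: volume {mount['name']!r} is not backed by a Secret")
            continue
        name = volume["secret"].get("secretName", "")
        if len(name) > 253 or not DNS_SUBDOMAIN.match(name):
            problems.append(f"{c['name']}: Secret name {name!r} is not a lowercase RFC 1123 subdomain")
        # The file name must match the key given to `kubectl create secret --from-file=key.json=...`.
        if posixpath.basename(cred_path) != secret_key:
            problems.append(f"{c['name']}: env points at {posixpath.basename(cred_path)!r}, Secret key is {secret_key!r}")
    return problems

if __name__ == "__main__":  # demo: a valid name, then the mixed-case one the API server rejects
    for name in ("my-gcp-key", "myGcp-key"):
        print(name, check_adc_wiring(make_deployment(name, "/var/secrets/google", "/var/secrets/google/key.json")))
```

Running it prints an empty list for my-gcp-key and one finding for myGcp-key; the same function can be pointed at a manifest loaded from YAML or JSON before it is applied.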