When I'm working on a software project that uses Google Cloud Platform (GCP) APIs, I find that Google's authentication mechanism is really easy to use from inside a Kubernetes cluster hosted on Google Kubernetes Engine (GKE, formerly Google Container Engine). Google's client libraries look for the environment variable GOOGLE_APPLICATION_CREDENTIALS, which should contain the absolute path to the service account JSON key file downloaded when creating service account credentials in the Google Cloud Platform console. Let's get started by creating service account credentials in the GCP console; next we will import the key file into a Kubernetes Secret, and finally reference the Secret in our Kubernetes Deployment manifest.

Create service account credentials

To give the applications running on GKE access to Google Cloud Platform services, you need to use service accounts.

To create a service account, go to Service Accounts in the GCP Console and click Create Service Account:

  1. Specify a Service Account Name (for example, my-super-cool-app).
  2. In the Role dropdown, select the narrowest role that covers the GCP API your app actually uses (for a Pub/Sub subscriber like the sample below, roles/pubsub.subscriber is enough). "Project → Owner" has access to ALL GCP APIs in the project, so a leaked key file would be a full-project compromise. USE OF "Project → Owner" IS TYPICALLY NOT RECOMMENDED!
  3. Choose key type as JSON.
  4. Click Create.

Once the service account is created, a JSON key file containing the private key of the service account is downloaded to your computer. You will use this key file to configure the application to authenticate to the GCP API. Treat it like a password: anyone holding the file can act as the service account, and the key does not expire on its own, only when you delete it in the console.
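The same provisioning steps done from the command line instead of the console, as an added example that is not part of the original post. It assumes the gcloud CLI is installed and authenticated, a project named my-project, a service account named my-super-cool-app, and roles/pubsub.subscriber as the narrow role (the sample image used later in this post is a Pub/Sub subscriber). check_key_file is a local sanity check on the downloaded key, and write_sample_key writes a constructed, non-functional stand-in for a real key so the check can be exercised without touching GCP; none of these helpers come from Google's tooling.

```shell
#!/bin/sh
# Added example: provision a service account with one narrow role, mint a
# key, and sanity-check the key file. Project, account name and role are
# assumptions for illustration.
set -e

# Email address GCP assigns to a project-level service account.
# usage: sa_email PROJECT NAME
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$2" "$1"
}

# Create the account and bind exactly one predefined role on the project,
# instead of Project > Owner. --condition=None keeps gcloud non-interactive
# when the project already has conditional bindings.
# usage: create_service_account PROJECT NAME ROLE
create_service_account() {
  gcloud iam service-accounts create "$2" --project="$1" --display-name="$2"
  gcloud projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$(sa_email "$1" "$2")" \
    --role="$3" --condition=None
}

# Mint a JSON key (the console's "Create" step) and lock the file down:
# whoever can read it can act as the service account.
# usage: create_key PROJECT NAME OUTFILE
create_key() {
  gcloud iam service-accounts keys create "$3" \
    --project="$1" --iam-account="$(sa_email "$1" "$2")"
  chmod 600 "$3"
}

# Sanity-check a key file before importing it anywhere: it must be a
# service-account key (not an OAuth client or user credential file), carry a
# private key, and not be readable by group or others.
# usage: check_key_file FILE
check_key_file() {
  [ -f "$1" ] || return 1
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1" || return 1
  grep -q '"private_key"' "$1" || return 1
  grep -q '"client_email"' "$1" || return 1
  # columns 5-10 of ls -l are the group and other permission bits
  case "$(ls -l "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) echo "$1 is readable by group/others; chmod 600 it" >&2; return 1 ;;
  esac
}

# Constructed stand-in for a downloaded key (not a real credential), so the
# check above can be exercised offline.
# usage: write_sample_key FILE
write_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "my-project",
  "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "my-super-cool-app@my-project.iam.gserviceaccount.com"
}
EOF
  chmod 600 "$1"
}

# Run against GCP only when asked:
#   PROVISION=1 sh provision.sh my-project my-super-cool-app ./key.json
if [ "${PROVISION:-0}" = 1 ]; then
  create_service_account "$1" "$2" roles/pubsub.subscriber
  create_key "$1" "$2" "$3"
  check_key_file "$3"
fi
```

The role binding is the part worth getting right: granting roles/pubsub.subscriber on the project means a stolen key can only read subscriptions, whereas an Owner key would let the holder create more service accounts and keys of its own.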

Import credentials as a Secret

Kubernetes offers the Secret resource type to store credentials inside the cluster and make them available directly to the applications deployed on GKE.

To save the JSON key file as a Secret named my-gcp-key, run the following command with the path to the downloaded service account credentials file. Secret names must be lowercase RFC 1123 subdomain names (lowercase letters, digits, '-' and '.'), so a mixed-case name such as myGcp-key would be rejected by the API server:

kubectl create secret generic my-gcp-key --from-file=key.json=PATH-TO-KEY-FILE.json

This command creates a Secret named my-gcp-key with a single entry, key.json, holding the contents of the private key file you downloaded from the GCP Console. Keep in mind that a Secret is only base64-encoded, not encrypted: anyone who can read Secrets in the namespace (and anyone with access to etcd, unless encryption at rest is enabled) can recover the key, so scope RBAC on Secrets accordingly. Once you create the Secret, remove the key file from your computer or store it in a safe location; the copy in the cluster is the only one the application needs. (GKE's Workload Identity lets pods authenticate as a service account without any downloaded key at all, and is worth considering over long-lived key files.)

Configure the application with the Secret

To use the my-gcp-key Secret in your application, you need to modify the Deployment specification to:

  1. Define a volume with the secret.
  2. Mount the secret volume to the application container.
  3. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the key file in the secret volume mount.

An example Kubernetes deployment manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pubsub
spec:
  selector:
    matchLabels:
      app: pubsub
  template:
    metadata:
      labels:
        app: pubsub
    spec:
      volumes:
      - name: google-cloud-key
        secret:
          secretName: my-gcp-key
      containers:
      - name: subscriber
        image: gcr.io/google-samples/pubsub-sample:v1
        volumeMounts:
        - name: google-cloud-key
          mountPath: /var/secrets/google
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json

The secret volume is backed by tmpfs on the node and mounted read-only, so the key is never written to the node's disk. It is still readable by anyone who can exec into the pod, which is one more reason to keep the service account's role narrow.
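The Secret import and mount steps above, checked and built offline, as an added example that is not part of the original post. validate_secret_name applies the naming rule the API server enforces, secret_manifest builds the same object that `kubectl create secret generic NAME --from-file=key.json=FILE --dry-run=client -o yaml` produces, manifest_key_json recovers the file from that manifest to prove the round trip, and verify_in_pod confirms the mount from inside a running Deployment. The Secret name my-gcp-key, the Deployment name pubsub and the sample key written by write_sample_key are assumptions; none of these helpers are part of kubectl.

```shell
#!/bin/sh
# Added example: the Secret import step, validated and built offline.
# Secret name and Deployment name are assumptions.
set -e

# Kubernetes object names must be lowercase RFC 1123 subdomains: lowercase
# letters, digits, '-' and '.', starting and ending with a letter or digit,
# at most 253 characters. This is why a name like "myGcp-key" is rejected.
# usage: validate_secret_name NAME
validate_secret_name() {
  [ "${#1}" -le 253 ] || return 1
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# Build the same Secret object that
#   kubectl create secret generic NAME --from-file=key.json=FILE --dry-run=client -o yaml
# produces: the file goes under data/key.json, base64 on a single line (tr
# strips the line wrapping GNU base64 adds). base64 is encoding, not
# encryption: anyone who can read the object can read the key.
# usage: secret_manifest NAME KEYFILE
secret_manifest() {
  validate_secret_name "$1" || { echo "invalid Secret name: $1" >&2; return 1; }
  [ -r "$2" ] || { echo "cannot read key file: $2" >&2; return 1; }
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  key.json: %s\n' \
    "$1" "$(base64 < "$2" | tr -d '\n')"
}

# Recover key.json from a manifest read on stdin, to confirm the round trip.
manifest_key_json() {
  sed -n 's/^  key\.json: //p' | base64 --decode
}

# Constructed stand-in for a downloaded key (not a real credential).
# usage: write_sample_key FILE
write_sample_key() {
  printf '{"type":"service_account","client_email":"my-super-cool-app@my-project.iam.gserviceaccount.com","private_key":"FAKE"}' > "$1"
}

# Once the Deployment is running, confirm from inside the pod that the file
# GOOGLE_APPLICATION_CREDENTIALS points at exists, is readable and is a
# service-account key. Needs kubectl access to the cluster.
# usage: verify_in_pod DEPLOYMENT
verify_in_pod() {
  kubectl exec "deploy/$1" -- sh -c \
    'test -r "$GOOGLE_APPLICATION_CREDENTIALS" && grep -q service_account "$GOOGLE_APPLICATION_CREDENTIALS"'
}

# Typical use: review the manifest, then pipe it to the API server, then check
# the mount from inside the pod.
#   secret_manifest my-gcp-key ./key.json
#   secret_manifest my-gcp-key ./key.json | kubectl apply -f -
#   verify_in_pod pubsub
```

Generating the manifest first rather than calling kubectl create directly lets you diff exactly what will be stored, and it makes the naming failure visible locally instead of as an API server rejection after the key has already been read.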