Google Cloud Service Accounts with Google Container Engine (GKE) - Tutorial
Applications running on Google Container Engine have access to other Google Cloud Platform services such as Stackdriver Trace and Cloud Pub/Sub. In order to access these services a Service Account must be created and used by client applications.
This tutorial will walk you through deploying the echo
application which creates Pub/Sub messages from HTTP requests and sends trace data to Stackdriver Trace.
Create a Service Account
The echo
application requires the following permissions:
- The ability to publish messages to a pub/sub topic.
- The ability to write trace data to Stackdriver Trace.
Create a service account for the echo
application:
export PROJECT_ID=$(gcloud config get-value core/project)
export SERVICE_ACCOUNT_NAME="echo-service-account"
gcloud iam service-accounts create ${SERVICE_ACCOUNT_NAME} \
--display-name "echo service account"
Add the pubsub.editor
and cloudtrace.agent
IAM permissions to the echo service account:
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/pubsub.editor'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/cloudtrace.agent'
echo
service account:
Generate and download the gcloud iam service-accounts keys create \
--iam-account "${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
service-account.json
Setup Google Pub/Sub Topics and Subscriptions
The echo
application publishes messages to the echo
topic. Create the echo
topic:
gcloud pubsub topics create echo
Once messages have been pushed to the echo
topic, they can be fetch using a subscription. Create the echo
subscription:
gcloud pubsub subscriptions create echo --topic echo
Test the echo
subscription:
gcloud pubsub subscriptions pull echo --auto-ack
Listed 0 items.
Deploy to Google Container Engine
The echo
application needs access to the echo service account created earlier. Create a Kubernetes secret from the service-account.json
file:
kubectl create configmap echo --from-literal "project-id=${PROJECT_ID}"
kubectl create secret generic echo --from-file service-account.json
Deploy the echo
container image using a replicaset:
kubectl create -f deployments/echo.yaml
At this point the gcr.io/hightowerlabs/echo
container image should be running:
kubectl get pods
NAME READY STATUS RESTARTS AGE
echo-6f5964c9fb-xh5zn 1/1 Running 0 1m
Publishing Messages
The echo
service is now running in the cluster on a private IP address. In a seperate terminal create a proxy to the echo
pod:
kubectl port-forward \
$(kubectl get pods -l app=echo -o jsonpath='{.items[0].metadata.name}') \
8080:8080
At this point the echo
service is available at http://127.0.0.1:8080/pubsub
Submit a request to the echo service
curl http://127.0.0.1:8080/pubsub -d 'Hello GKE!'
Fetch a message from the echo subscription:
gcloud pubsub subscriptions pull echo --auto-ack
ββββββββββββββ¬βββββββββββββββββ¬βββββββββββββ
β DATA β MESSAGE_ID β ATTRIBUTES β
ββββββββββββββΌβββββββββββββββββΌβββββββββββββ€
β Hello GKE! β 26699545805948 β β
ββββββββββββββ΄βββββββββββββββββ΄βββββββββββββ
Stckdriver Trace
The echo
application is configured to send 1 out of 10 request to Stackdriver. Once a trace has been submitted it will be viewable via the Stackdriver Trace dashboard.
Cleanup
kubectl delete configmap echo
kubectl delete secret echo
kubectl delete deployment echo
gcloud pubsub subscriptions delete echo
gcloud pubsub topics delete echo
gcloud iam service-accounts delete "${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"