From 5c1d3d64d8d37decc4f7c10da48edf737ea3753a Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Mon, 6 Sep 2021 14:38:56 +0100 Subject: [PATCH 01/13] First draft of docs on requestor pays access --- .../configure/pangeo-requestor-pays-access.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 docs/howto/configure/pangeo-requestor-pays-access.md diff --git a/docs/howto/configure/pangeo-requestor-pays-access.md b/docs/howto/configure/pangeo-requestor-pays-access.md new file mode 100644 index 000000000..8cbe748c9 --- /dev/null +++ b/docs/howto/configure/pangeo-requestor-pays-access.md 
@@ -0,0 +1,53 @@ +# Pangeo Data Access via Requestor Pays + +https://cloud.google.com/storage/docs/requester-pays + +```{note} +We may automate this in the future +``` + +## Steps to take on GCP + +1. Create a Service Account + +```bash +gcloud iam service-accounts create requestor-pays-sa \ + --description="Service Account to allow access to Pangeo data stored in the cloud" \ + --display-name="Requestor Pays Service Account" +``` + +where `requestor-pays-sa` will be the name of the Service Account. + +2. Assign Roles and Policy Bindings + +```bash +gcloud iam service-accounts add-iam-policy-binding \ + --role roles/iam.workloadIdentityUser \ + --member "serviceAccount:PROJECT_ID.svc.id.goog[CLUSTER_NAME/NAMESPACE]" \ + requestor-pays-sa@PROJECT_ID.iam.gserviceaccount.com +``` + +Where: + +- `PROJECT_ID` is the project ID of the Google Cloud Project. + Note: this is the **ID**, not the display name! +- `CLUSTER_NAME` is the name of the cluster to grant access to. +- `NAMESPACE` is the Kubernetes namespace/deployment to grant access to. + +3. Link the Google Service Account to the Kubernetes Service Account + +```bash +kubectl annotate serviceaccount \ + --namespace NAMESPACE \ + SERVICE_ACCOUNT_NAME \ + iam.gke.io/gcp-service-account=requestor-pays-sa@PROJECT_ID.iam.gserviceaccount.com +``` + +Where: + +- `NAMESPACE` is the target Kubernetes namespace +- `SERVICE_ACCOUNT_NAME` is the target Kubernetes service account name. + Usually, this is `user-sa`. + Run `kubectl --namespace NAMESPACE get serviceaccount` if you're not sure. +- `PROJECT_ID` is the project ID of the Google Cloud Project. + Note: this is the **ID**, not the display name! From 9ab819a276fe9cedae5efbdccd7bfcf6998294ac Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Tue, 7 Sep 2021 16:58:52 +0100 Subject: [PATCH 02/13] Flesh out and finish up docs on requester pays access --- .../configure/pangeo-requestor-pays-access.md | 84 +++++++++++++++---- 1 file changed, 67 insertions(+), 17 deletions(-) 
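Review bot: the Workload Identity member in step 2, `--member "serviceAccount:PROJECT_ID.svc.id.goog[CLUSTER_NAME/NAMESPACE]"`, has the wrong shape: the bracketed part of a Workload Identity principal is `[KUBERNETES_NAMESPACE/KUBERNETES_SERVICE_ACCOUNT]`, so as written the binding would let a Kubernetes service account literally named `NAMESPACE` in a namespace called `CLUSTER_NAME` impersonate the Google service account, and the `CLUSTER_NAME` bullet in the "Where:" list inherits the mistake. It should read `[NAMESPACE/SERVICE_ACCOUNT_NAME]` with the `SERVICE_ACCOUNT_NAME` bullet from step 3 moved up (patch 02 in this series makes that change). Separately, nothing in this draft grants the new Google service account any permission on the project; `roles/iam.workloadIdentityUser` only allows impersonation, and requester-pays reads additionally require `serviceusage.services.use` on the project being billed, so a user pod would still be refused at this point.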
diff --git a/docs/howto/configure/pangeo-requestor-pays-access.md b/docs/howto/configure/pangeo-requestor-pays-access.md index 8cbe748c9..eb7c1efc1 100644 --- a/docs/howto/configure/pangeo-requestor-pays-access.md +++ b/docs/howto/configure/pangeo-requestor-pays-access.md 
@@ -1,53 +1,103 @@ -# Pangeo Data Access via Requestor Pays +# Pangeo Data Access via Requester Pays -https://cloud.google.com/storage/docs/requester-pays +For some hubs, such as our Pangeo deployments, the communities they serve require access to data stored in other projects. +Accessing data normally comes with a charge that the folks _hosting_ the data have to take care of. +However, there is a method by which those making the request are responsible for the charges instead: [Requester Pays](https://cloud.google.com/storage/docs/requester-pays). +This document shows the steps required to set this method up. + +## Setting up Requester Pays Access on GCP ```{note} -We may automate this in the future +We may automate these steps in the future. ``` -## Steps to take on GCP +Make sure you are logged into the `gcloud` CLI and have set the default project to be the one you wish to work with. -1. Create a Service Account +1. Create a new Service Account ```bash -gcloud iam service-accounts create requestor-pays-sa \ +gcloud iam service-accounts create requester-pays-sa \ --description="Service Account to allow access to Pangeo data stored in the cloud" \ - --display-name="Requestor Pays Service Account" + --display-name="Requester Pays Service Account" +``` + +where `requester-pays-sa` will be the name of the Service Account. + +```{note} +We create a separate service account for this so as to avoid granting excessive permissions to any single service account. +We may change this policy in the future. +``` + +2. Grant the Service Account roles on the project + +We will need to grant the [Service Usage Consumer](https://cloud.google.com/iam/docs/understanding-roles#service-usage-roles) and [Storage Object Viewer](https://cloud.google.com/iam/docs/understanding-roles#cloud-storage-roles) roles on the project to the new service account. 
+ +```bash +gcloud projects add-iam-policy-binding \ + --role roles/serviceusage.serviceUsageConsumer \ + --member "serviceAccount:requester-pays-sa@PROJECT_ID.iam.gserviceaccount.com" \ + PROJECT_ID + +gcloud projects add-iam-policy-binding \ + --role roles/storage.objectViewer \ + --member "serviceAccount:requester-pays-sa@PROJECT_ID.iam.gserviceaccount.com" \ + PROJECT_ID ``` -where `requestor-pays-sa` will be the name of the Service Account. +where `PROJECT_ID` is the ID of the Google Cloud project, **not** the display name! -2. Assign Roles and Policy Bindings +3. Grant the Service Account the `workloadIdentityUser` role on the cluster + +We will now grant the [Workload Identity User](https://cloud.google.com/iam/docs/understanding-roles#service-accounts-roles) role to the cluster to act on behalf of the users. ```bash gcloud iam service-accounts add-iam-policy-binding \ --role roles/iam.workloadIdentityUser \ - --member "serviceAccount:PROJECT_ID.svc.id.goog[CLUSTER_NAME/NAMESPACE]" \ - requestor-pays-sa@PROJECT_ID.iam.gserviceaccount.com + --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/SERVICE_ACCOUNT]" \ + requester-pays-sa@PROJECT_ID.iam.gserviceaccount.com ``` Where: - `PROJECT_ID` is the project ID of the Google Cloud Project. Note: this is the **ID**, not the display name! -- `CLUSTER_NAME` is the name of the cluster to grant access to. -- `NAMESPACE` is the Kubernetes namespace/deployment to grant access to. +- `NAMESPACE` is the Kubernetes namespace/deployment to grant access to +- `SERVICE_ACCOUNT` is the _Kubernetes_ service account to grant access to. + Usually, this is `user-sa`. + Run `kubectl --namespace NAMESPACE get serviceaccount` if you're not sure. -3. Link the Google Service Account to the Kubernetes Service Account +4. Link the Google Service Account to the Kubernetes Service Account + +We now link the two service accounts together so Kubernetes can use the Google API. 
```bash kubectl annotate serviceaccount \ --namespace NAMESPACE \ - SERVICE_ACCOUNT_NAME \ - iam.gke.io/gcp-service-account=requestor-pays-sa@PROJECT_ID.iam.gserviceaccount.com + SERVICE_ACCOUNT \ + iam.gke.io/gcp-service-account=requester-pays-sa@PROJECT_ID.iam.gserviceaccount.com ``` Where: - `NAMESPACE` is the target Kubernetes namespace -- `SERVICE_ACCOUNT_NAME` is the target Kubernetes service account name. +- `SERVICE_ACCOUNT` is the target Kubernetes service account name. Usually, this is `user-sa`. Run `kubectl --namespace NAMESPACE get serviceaccount` if you're not sure. - `PROJECT_ID` is the project ID of the Google Cloud Project. Note: this is the **ID**, not the display name! + +5. RESTART THE HUB + +This is a very important step. +If you don't do this you won't see the changes applied. + +You can restart the hub by heading to `https:///hub/admin` (you need to be logged in as admin), clicking the "Shutdown Hub" button, and waiting for it to come back up. + +You can now test the requester pys access by starting a server on the hub and running the below code in a script or Notebook. + +```python +from intake import open_catalog + +cat = open_catalog("https://raw.githubusercontent.com/pangeo-data/pangeo-datastore/master/intake-catalogs/ocean/altimetry.yaml") +ds = cat['j3'].to_dask() +``` From 2486e1fd6e8630fbb4f8f1c3dd85bf62fd22f563 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Tue, 7 Sep 2021 16:59:45 +0100 Subject: [PATCH 03/13] Fix typo in filename --- ...o-requestor-pays-access.md => pangeo-requester-pays-access.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/howto/configure/{pangeo-requestor-pays-access.md => pangeo-requester-pays-access.md} (100%) diff --git a/docs/howto/configure/pangeo-requestor-pays-access.md b/docs/howto/configure/pangeo-requester-pays-access.md similarity index 100% rename from docs/howto/configure/pangeo-requestor-pays-access.md rename to docs/howto/configure/pangeo-requester-pays-access.md 
From 8e4756884d2d95379c04ee14b4ec575cccade70a Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Tue, 7 Sep 2021 17:01:48 +0100 Subject: [PATCH 04/13] Add requester pays docs to TOC --- docs/howto/configure/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/howto/configure/index.md b/docs/howto/configure/index.md index 27d7af0aa..f4456088e 100644 --- a/docs/howto/configure/index.md +++ b/docs/howto/configure/index.md @@ -4,4 +4,5 @@ auth-management.md update-env.md culling.md -``` \ No newline at end of file +pangeo-requester-pays-access.md +``` From f005cf64b504c23842ed9f92ba5b919929890693 Mon Sep 17 00:00:00 2001 From: Sarah Gibson <44771837+sgibson91@users.noreply.github.com> Date: Wed, 8 Sep 2021 10:31:10 +0100 Subject: [PATCH 05/13] Update docs/howto/configure/pangeo-requester-pays-access.md Co-authored-by: Chris Holdgraf --- docs/howto/configure/pangeo-requester-pays-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto/configure/pangeo-requester-pays-access.md b/docs/howto/configure/pangeo-requester-pays-access.md index eb7c1efc1..c92a6a7e5 100644 --- a/docs/howto/configure/pangeo-requester-pays-access.md +++ b/docs/howto/configure/pangeo-requester-pays-access.md @@ -93,7 +93,7 @@ If you don't do this you won't see the changes applied. You can restart the hub by heading to `https:///hub/admin` (you need to be logged in as admin), clicking the "Shutdown Hub" button, and waiting for it to come back up. -You can now test the requester pys access by starting a server on the hub and running the below code in a script or Notebook. +You can now test the requester pays access by starting a server on the hub and running the below code in a script or Notebook. ```python from intake import open_catalog From c85423a42b4fa5500cfb3a9f2e33c267907a2073 Mon Sep 17 00:00:00 2001 
From: Sarah Gibson Date: Wed, 8 Sep 2021 10:41:50 +0100 Subject: [PATCH 06/13] Rename file to Data Access --- .../{pangeo-requester-pays-access.md => data-access.md} | 0 docs/howto/configure/index.md | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename docs/howto/configure/{pangeo-requester-pays-access.md => data-access.md} (100%) diff --git a/docs/howto/configure/pangeo-requester-pays-access.md b/docs/howto/configure/data-access.md similarity index 100% rename from docs/howto/configure/pangeo-requester-pays-access.md rename to docs/howto/configure/data-access.md diff --git a/docs/howto/configure/index.md b/docs/howto/configure/index.md index 9433cbbeb..ea18ef179 100644 --- a/docs/howto/configure/index.md +++ b/docs/howto/configure/index.md @@ -4,5 +4,5 @@ auth-management.md update-env.md culling.md -pangeo-requester-pays-access.md +data-access.md ``` From 7e909bcbf8cf9d1b1666bf18e1f0536735e353f2 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Wed, 8 Sep 2021 10:48:27 +0100 Subject: [PATCH 07/13] Use curly braces to denote values that should be replaced --- docs/howto/configure/data-access.md | 38 ++++++++++++++--------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/howto/configure/data-access.md b/docs/howto/configure/data-access.md index c92a6a7e5..4fe0de4ed 100644 --- a/docs/howto/configure/data-access.md +++ b/docs/howto/configure/data-access.md 
@@ -35,16 +35,16 @@ We will need to grant the [Service Usage Consumer](https://cloud.google.com/iam/ ```bash gcloud projects add-iam-policy-binding \ --role roles/serviceusage.serviceUsageConsumer \ - --member "serviceAccount:requester-pays-sa@PROJECT_ID.iam.gserviceaccount.com" \ - PROJECT_ID + --member "serviceAccount:requester-pays-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com" \ + {{ PROJECT_ID }} gcloud projects add-iam-policy-binding \ --role roles/storage.objectViewer \ - --member "serviceAccount:requester-pays-sa@PROJECT_ID.iam.gserviceaccount.com" \ - PROJECT_ID + --member "serviceAccount:requester-pays-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com" \ + {{ PROJECT_ID }} ``` -where `PROJECT_ID` is the ID of the Google Cloud project, **not** the display name! +where `{{ PROJECT_ID }}` is the ID of the Google Cloud project, **not** the display name! 3. Grant the Service Account the `workloadIdentityUser` role on the cluster 
@@ -53,18 +53,18 @@ We will now grant the [Workload Identity User](https://cloud.google.com/iam/docs ```bash gcloud iam service-accounts add-iam-policy-binding \ --role roles/iam.workloadIdentityUser \ - --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/SERVICE_ACCOUNT]" \ - requester-pays-sa@PROJECT_ID.iam.gserviceaccount.com + --member "serviceAccount:{{ PROJECT_ID }}.svc.id.goog[{{ NAMESPACE }}/{{ SERVICE_ACCOUNT }}]" \ + requester-pays-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com ``` Where: -- `PROJECT_ID` is the project ID of the Google Cloud Project. +- `{{ PROJECT_ID }}` is the project ID of the Google Cloud Project. Note: this is the **ID**, not the display name! -- `NAMESPACE` is the Kubernetes namespace/deployment to grant access to -- `SERVICE_ACCOUNT` is the _Kubernetes_ service account to grant access to. +- `{{ NAMESPACE }}` is the Kubernetes namespace/deployment to grant access to +- `{{ SERVICE_ACCOUNT }}` is the _Kubernetes_ service account to grant access to. Usually, this is `user-sa`. - Run `kubectl --namespace NAMESPACE get serviceaccount` if you're not sure. + Run `kubectl --namespace {{ NAMESPACE }} get serviceaccount` if you're not sure. 4. Link the Google Service Account to the Kubernetes Service Account 
@@ -72,18 +72,18 @@ We now link the two service accounts together so Kubernetes can use the Google A ```bash kubectl annotate serviceaccount \ - --namespace NAMESPACE \ - SERVICE_ACCOUNT \ - iam.gke.io/gcp-service-account=requester-pays-sa@PROJECT_ID.iam.gserviceaccount.com + --namespace {{ NAMESPACE }} \ + {{ SERVICE_ACCOUNT }} \ + iam.gke.io/gcp-service-account=requester-pays-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com ``` Where: -- `NAMESPACE` is the target Kubernetes namespace -- `SERVICE_ACCOUNT` is the target Kubernetes service account name. +- `{{ NAMESPACE }}` is the target Kubernetes namespace +- `{{ SERVICE_ACCOUNT }}` is the target Kubernetes service account name. Usually, this is `user-sa`. - Run `kubectl --namespace NAMESPACE get serviceaccount` if you're not sure. -- `PROJECT_ID` is the project ID of the Google Cloud Project. + Run `kubectl --namespace {{ NAMESPACE }} get serviceaccount` if you're not sure. +- `{{ PROJECT_ID }}` is the project ID of the Google Cloud Project. Note: this is the **ID**, not the display name! 5. RESTART THE HUB @@ -91,7 +91,7 @@ Where: This is a very important step. If you don't do this you won't see the changes applied. -You can restart the hub by heading to `https:///hub/admin` (you need to be logged in as admin), clicking the "Shutdown Hub" button, and waiting for it to come back up. +You can restart the hub by heading to `https://{{ hub_url }}/hub/admin` (you need to be logged in as admin), clicking the "Shutdown Hub" button, and waiting for it to come back up. You can now test the requester pays access by starting a server on the hub and running the below code in a script or Notebook. From 0d547f62e3c3b71c62e6e121a600785befe933a7 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Wed, 8 Sep 2021 10:48:48 +0100 Subject: [PATCH 08/13] Add top level Data Access title and reqork intro --- docs/howto/configure/data-access.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
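Review bot: the placeholder `{{ hub_url }}` in the restart paragraph is lowercase while every other placeholder introduced by this patch (`{{ PROJECT_ID }}`, `{{ NAMESPACE }}`, `{{ SERVICE_ACCOUNT }}`) is uppercase; use `{{ HUB_URL }}` and add a bullet for it so readers know it is the hub's domain rather than a value to look up elsewhere. Since the page now uses `{{ ... }}` inside copy-paste `bash` blocks and a shell does not expand that syntax, a one-line sentence near the top stating that every `{{ ... }}` must be replaced by hand before running the commands would save readers from an unhelpful error mentioning `{{`.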
diff --git a/docs/howto/configure/data-access.md b/docs/howto/configure/data-access.md index 4fe0de4ed..313b4b3c8 100644 --- a/docs/howto/configure/data-access.md +++ b/docs/howto/configure/data-access.md @@ -1,9 +1,13 @@ -# Pangeo Data Access via Requester Pays +# Data Access + +Here we will document various ways to grant hubs access to external data. + +## Data Access via Requester Pays For some hubs, such as our Pangeo deployments, the communities they serve require access to data stored in other projects. Accessing data normally comes with a charge that the folks _hosting_ the data have to take care of. However, there is a method by which those making the request are responsible for the charges instead: [Requester Pays](https://cloud.google.com/storage/docs/requester-pays). -This document shows the steps required to set this method up. +This section demonstrates the steps required to setup this method. ## Setting up Requester Pays Access on GCP From 714b41f6ef46dd3bba33fe01e2962f60a68f4d3c Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Wed, 8 Sep 2021 10:51:02 +0100 Subject: [PATCH 09/13] Add a note about when certain steps should be run --- docs/howto/configure/data-access.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/howto/configure/data-access.md b/docs/howto/configure/data-access.md index 313b4b3c8..04fa12322 100644 --- a/docs/howto/configure/data-access.md +++ b/docs/howto/configure/data-access.md @@ -17,6 +17,12 @@ We may automate these steps in the future. Make sure you are logged into the `gcloud` CLI and have set the default project to be the one you wish to work with. +```{note} +Steps 1 and 2 only need to be run **when you create a new cluster**! + +From step 3 onwards only need to be repeated when **adding a new hub to an already existing cluster**! +``` + 1. Create a new Service Account ```bash From ea9e632baa94440939c8416a09c6f8d2d0cc2054 Mon Sep 17 00:00:00 2001 
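Review bot: the note added by patch 09 ("Steps 1 and 2 only need to be run when you create a new cluster") means every hub on a cluster is bound, via steps 3 and 4, to the same `requester-pays-sa` Google service account, so all namespaces share one GCP identity, one set of project permissions and one billing and audit trail; a misbehaving or compromised user server in one hub would bill requester-pays reads indistinguishably from any other hub on that cluster. Patch 13 reverses this with a per-namespace service account, so this note should describe the per-hub model from the start rather than be introduced and then removed. The second sentence of the note is also missing its subject: "From step 3 onwards only need to be repeated" should read "Steps 3 onwards only need to be repeated". On patch 08's hunk, adding `# Data Access` and `## Data Access via Requester Pays` while leaving `## Setting up Requester Pays Access on GCP` at the same level makes the GCP steps a sibling section rather than a child of the requester-pays section; it should be demoted to `###` (patch 10 does this).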
From: Sarah Gibson <44771837+sgibson91@users.noreply.github.com> Date: Wed, 8 Sep 2021 10:52:28 +0100 Subject: [PATCH 10/13] Update docs/howto/configure/data-access.md --- docs/howto/configure/data-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto/configure/data-access.md b/docs/howto/configure/data-access.md index 04fa12322..3ce483a57 100644 --- a/docs/howto/configure/data-access.md +++ b/docs/howto/configure/data-access.md @@ -9,7 +9,7 @@ Accessing data normally comes with a charge that the folks _hosting_ the data ha However, there is a method by which those making the request are responsible for the charges instead: [Requester Pays](https://cloud.google.com/storage/docs/requester-pays). This section demonstrates the steps required to setup this method. -## Setting up Requester Pays Access on GCP +### Setting up Requester Pays Access on GCP ```{note} We may automate these steps in the future. From 945ebbfebc05d52febd0cd05c76be18d643cd223 Mon Sep 17 00:00:00 2001 From: Sarah Gibson <44771837+sgibson91@users.noreply.github.com> Date: Wed, 8 Sep 2021 10:53:14 +0100 Subject: [PATCH 11/13] Update docs/howto/configure/data-access.md --- docs/howto/configure/data-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto/configure/data-access.md b/docs/howto/configure/data-access.md index 3ce483a57..d6f1c7f1b 100644 --- a/docs/howto/configure/data-access.md +++ b/docs/howto/configure/data-access.md @@ -27,7 +27,7 @@ From step 3 onwards only need to be repeated when **adding a new hub to an alrea ```bash gcloud iam service-accounts create requester-pays-sa \ - --description="Service Account to allow access to Pangeo data stored in the cloud" \ + --description="Service Account to allow access to external data stored elsewhere in the cloud" \ --display-name="Requester Pays Service Account" ``` From c6e309b80f2ce28eb0b3e41febbfa483102da7c8 Mon Sep 17 00:00:00 2001 
From: Sarah Gibson Date: Wed, 8 Sep 2021 10:56:47 +0100 Subject: [PATCH 12/13] Add note on how to retreive PROJECT_ID --- docs/howto/configure/data-access.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/howto/configure/data-access.md b/docs/howto/configure/data-access.md index d6f1c7f1b..08a80de5f 100644 --- a/docs/howto/configure/data-access.md +++ b/docs/howto/configure/data-access.md @@ -56,6 +56,14 @@ gcloud projects add-iam-policy-binding \ where `{{ PROJECT_ID }}` is the ID of the Google Cloud project, **not** the display name! +````{note} +If you're not sure what `{{ PROJECT_ID }}` should be, you can run: + +```bash +gcloud config get-value project +``` +```` + 3. Grant the Service Account the `workloadIdentityUser` role on the cluster We will now grant the [Workload Identity User](https://cloud.google.com/iam/docs/understanding-roles#service-accounts-roles) role to the cluster to act on behalf of the users. From 7b8dacd14f12c973bc950e9dbcb77cb68793a953 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Fri, 10 Sep 2021 12:27:41 +0100 Subject: [PATCH 13/13] Update docs to have a requestor pays service account per hub rather than per cluster --- docs/howto/configure/data-access.md | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/docs/howto/configure/data-access.md b/docs/howto/configure/data-access.md index 08a80de5f..691d2fa7b 100644 --- a/docs/howto/configure/data-access.md +++ b/docs/howto/configure/data-access.md 
@@ -18,20 +18,21 @@ We may automate these steps in the future. Make sure you are logged into the `gcloud` CLI and have set the default project to be the one you wish to work with. ```{note} -Steps 1 and 2 only need to be run **when you create a new cluster**! - -From step 3 onwards only need to be repeated when **adding a new hub to an already existing cluster**! +These steps should be run every time a new hub is added to a cluster, to avoid sharing of credentials. ``` 1. Create a new Service Account ```bash -gcloud iam service-accounts create requester-pays-sa \ +gcloud iam service-accounts create {{ NAMESPACE }}-user-sa \ --description="Service Account to allow access to external data stored elsewhere in the cloud" \ --display-name="Requester Pays Service Account" ``` -where `requester-pays-sa` will be the name of the Service Account. +where: + +- `{{ NAMESPACE }}-user-sa` will be the name of the Service Account, and; +- `{{ NAMESPACE }}` is the name of the deployment, e.g. `staging`. ```{note} We create a separate service account for this so as to avoid granting excessive permissions to any single service account. 
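Review bot: now that step 1 creates one Google service account per namespace, `--display-name="Requester Pays Service Account"` is identical for every hub in the project and the IAM console will list several accounts that can only be told apart by their email; include the namespace in the display name, for example `--display-name="Requester Pays Service Account ({{ NAMESPACE }})"`. Two caveats worth a sentence in the "where:" list: `gcloud iam service-accounts create` requires the account ID to be 6 to 30 characters of lowercase letters, digits and hyphens, so `{{ NAMESPACE }}-user-sa` fails for namespaces longer than 22 characters, and the resulting email `{{ NAMESPACE }}-user-sa@...` is easy to confuse with the Kubernetes service account `user-sa` referenced in steps 3 and 4, so the prose should state explicitly which one is the Google account and which the Kubernetes one.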
@@ -45,16 +46,19 @@ We will need to grant the [Service Usage Consumer](https://cloud.google.com/iam/ ```bash gcloud projects add-iam-policy-binding \ --role roles/serviceusage.serviceUsageConsumer \ - --member "serviceAccount:requester-pays-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com" \ + --member "serviceAccount:{{ NAMESPACE }}-user-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com" \ {{ PROJECT_ID }} gcloud projects add-iam-policy-binding \ --role roles/storage.objectViewer \ - --member "serviceAccount:requester-pays-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com" \ + --member "serviceAccount:{{ NAMESPACE }}-user-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com" \ {{ PROJECT_ID }} ``` -where `{{ PROJECT_ID }}` is the ID of the Google Cloud project, **not** the display name! +where: + +- `{{ PROJECT_ID }}` is the ID of the Google Cloud project, **not** the display name! +- `{{ NAMESPACE }}` is the deployment namespace ````{note} If you're not sure what `{{ PROJECT_ID }}` should be, you can run: @@ -72,7 +76,7 @@ We will now grant the [Workload Identity User](https://cloud.google.com/iam/docs gcloud iam service-accounts add-iam-policy-binding \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:{{ PROJECT_ID }}.svc.id.goog[{{ NAMESPACE }}/{{ SERVICE_ACCOUNT }}]" \ - requester-pays-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com + {{ NAMESPACE }}-user-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com ``` Where: @@ -92,7 +96,7 @@ We now link the two service accounts together so Kubernetes can use the Google A kubectl annotate serviceaccount \ --namespace {{ NAMESPACE }} \ {{ SERVICE_ACCOUNT }} \ - iam.gke.io/gcp-service-account=requester-pays-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com + iam.gke.io/gcp-service-account={{ NAMESPACE }}-user-sa@{{ PROJECT_ID }}.iam.gserviceaccount.com ``` Where:
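Review bot: the stated reason for a per-hub account, "to avoid sharing of credentials", is only partly achieved by this hunk: each `{{ NAMESPACE }}-user-sa` still receives `roles/storage.objectViewer` on the entire project, so every hub's identity can read every bucket in the project and the hubs remain mutually readable at the storage layer. Per-hub accounts give separate impersonation scope, billing and audit identity, which is valuable, but unless the `objectViewer` binding is narrowed to the buckets each hub actually needs (or dropped, since the requester-pays data lives in other projects) the note above the hunk about not "granting excessive permissions to any single service account" overstates the isolation. Also note that the step 3 and step 4 hunks swap the Google account email but leave the `Where:` bullets unchanged, so `{{ NAMESPACE }}` is now used in two roles in the same command (Kubernetes namespace and Google account prefix); a sentence saying the two are intentionally the same value would prevent readers from substituting different strings.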