A helper script I use for running kubectl as a service account for GKE clusters. This is only intended for my personal use, but if anyone else happens to find this useful, that would be great.
jq(OSX users can runbrew install jq)gcloudkubectl(gcloudusers can rungcloud components install kubectl)
- Copy the contents of the
kube-service-account.shscript to your~/.zshrc - Use
gcloud auth activate-service-accountto import service account credentials using a JSON key file - Run
kube-service-accountand select the credentials you want to use - Use
kubectltto run any commands yoy normally would under the context of the service account
-
Create a GKE Cluster:
gcloud container clusters create kube-service-account-test \ --project my-project \ --zone us-central1-f \ --cluster-version 1.8.7-gke.1 \ --machine-type n1-standard-1 \ --num-nodes 1 \ --image-type COS \ --disk-size 10 -
Add the cluster credentials to your local kubeconfig:
gcloud container clusters get-credentials kube-service-account-test \ --project my-project \ --zone us-central1-f -
Create a service account:
gcloud iam service-accounts create test-service-account \ --project my-project \ --display-name test-service-account -
Create a JSON key for the service account:
gcloud iam service-accounts keys create key.json \ --project my-project \ --iam-account test-service-account@my-project.iam.gserviceaccount.com -
Activate the service account credentials using the JSON key:
gcloud auth activate-service-account --key-file key.json
-
Run the
kube-service-accountscript to configure thekubectltalias to use your service account's credentials:kube-service-account
-
Use the
kubectltalias to attempt to create a deployment:$ kubectlt run ubuntu --image ubuntu Error from server (Forbidden): deployments.extensions is forbidden: User "test-service-account@my-project.iam.gserviceaccount.com" cannot create deployments.extensions in the namespace "default": Required "container.deployments.create" permission.
I have only used / tested this in zsh.