
feat: configure Google Cloud Service Account on GKE for Cloud Storage Permissions #187

Open
7 tasks done
shon-button opened this issue Jan 28, 2023 · 0 comments

shon-button commented Jan 28, 2023

Using Google Cloud Service Account on GKE

What is a Service Account?

Service accounts are a primitive within the IAM (Identity & Access Management) service provided by GCP. They provide a mechanism for non-humans to be able to interact with Google Cloud APIs in a controlled and managed way. It allows for both authentication and authorization but also rate limiting, auditing, and monitoring.

A lot more information on service accounts is available in the GCP documentation.

What is GKE?

GKE is a managed Kubernetes offering by Google Cloud Platform (GCP). The services that you deploy work together to form the application. Each service needs to be able to communicate with its neighbours, and that communication typically needs to be authenticated and authorised.
When you create the cluster, you provide a service account and a set of scopes (or permissions) that make up the default credentials that the underlying nodes (aka VMs) will use to access other Google Cloud Services.

The default for new clusters is to use the “Compute Engine” default service account along with the default set of scopes defined, including:

  • Read-only access to Google Cloud Storage (GCS)
  • Write access to write Compute Engine logs
  • Write access to publish metric data to your Google Cloud projects
  • Read-only access to Service Management features required for Google Cloud Endpoints
  • Read/write access to Service Control features required for Google Cloud Endpoints

All Kubernetes pods running within the cluster will inherit these credentials by default when contacting other Google Cloud services as the network packets all appear to originate from the VM IP, not the pod IP.
The “Compute Engine” default service account does a good job at using the principle of least privilege but, if you want to communicate with a service beyond the default scopes, you will need to provide your own service account credentials.

User Story:
As a developer working on the ClimateTrax project, I need to ensure that the GKE pods have the necessary permissions to write data to a designated Google Cloud Storage (GCS) bucket. Currently, the default cluster credentials do not provide the required write access to the bucket. To address this, I will create a dedicated service account (SA) with the appropriate write permissions for the specific GCS bucket. This service account will be used when communicating with the GCS APIs to ensure seamless data writing and retrieval.

Acceptance Criteria:

  • Given the need to enable GKE pods to write to a GCS bucket, I will create a new service account in the Google Cloud Console.
  • The service account will be granted the necessary IAM roles and permissions to ensure write access to the specified GCS bucket. These permissions will include the ability to create, modify, and delete objects within the bucket.
  • I will generate a JSON key file for the service account, which will be used to authenticate and authorize communication between the GKE pods and the GCS APIs.
  • In the ClimateTrax GKE deployment configuration, I will update the relevant environment variables to include the path to the JSON key file for the newly created service account.
  • I will ensure that the GKE pods are utilizing the correct service account and that the necessary credentials are available for seamless authentication with the GCS APIs.
  • To verify successful implementation, I will deploy the updated ClimateTrax application to the GKE cluster and confirm that the pods are able to write data to the designated GCS bucket without encountering permission errors.
  • I will document the steps taken, including the creation of the service account, granting of permissions, and configuration updates, for future reference and collaboration among team members.
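The provisioning and pod wiring the acceptance criteria describe, as an added example (not ClimateTrax's own code): the project id, bucket, service-account id, Secret name and mount path are assumed placeholders, and the role is bound on the one bucket rather than project-wide so the pods get write access to that bucket and nothing more.

```shell
# Added example, not ClimateTrax code; PROJECT, BUCKET, SA_NAME, SECRET_NAME and MOUNT_DIR are placeholders.
set -euo pipefail
PROJECT="${PROJECT:-my-gcp-project}"            # placeholder project id
BUCKET="${BUCKET:-climatetrax-uploads}"         # placeholder bucket name
SA_NAME="${SA_NAME:-climatetrax-gcs-writer}"    # short SA id, not the email
SECRET_NAME="gcs-sa-key"                        # Kubernetes Secret holding the key
MOUNT_DIR="/var/secrets/google"                 # where the pod sees the key
# Service accounts are addressed by email; derive it from the id and project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$PROJECT"
}
# One-time IAM setup. roles/storage.objectAdmin on gs://$BUCKET only: the SA can
# create, overwrite and delete objects in that bucket and nothing else.
provision_service_account() {
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT" \
    --display-name="ClimateTrax GCS writer"
  gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="serviceAccount:$(sa_email)" --role="roles/storage.objectAdmin"
  gcloud iam service-accounts keys create key.json --iam-account="$(sa_email)"
  kubectl create secret generic "$SECRET_NAME" --from-file=key.json=key.json
  rm -f key.json   # the only copy now lives in the cluster Secret
}
# Pod wiring: mount the Secret read-only and point the Google client libraries
# at it through GOOGLE_APPLICATION_CREDENTIALS (Application Default Credentials).
render_deployment() {
cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata: {name: climatetrax}
spec:
  selector: {matchLabels: {app: climatetrax}}
  template:
    metadata: {labels: {app: climatetrax}}
    spec:
      containers:
      - name: climatetrax
        image: climatetrax:latest
        env:
        - {name: GOOGLE_APPLICATION_CREDENTIALS, value: $MOUNT_DIR/key.json}
        volumeMounts:
        - {name: gcs-key, mountPath: $MOUNT_DIR, readOnly: true}
      volumes:
      - name: gcs-key
        secret: {secretName: $SECRET_NAME}
EOF
}
# Only touch GCP and the cluster when explicitly asked to.
if [ "${1:-}" = "apply" ]; then provision_service_account; render_deployment | kubectl apply -f -; fi
```

Invoking the script with the argument `apply` runs the gcloud and kubectl steps; without it only the functions are defined. GKE Workload Identity removes the long-lived JSON key from the picture entirely and is the option to prefer where the cluster supports it.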
  • shon-button changed the title from "chore: configure Google service account" to "docs: configure Google service account" on Feb 1, 2023
  • shon-button changed the title from "docs: configure Google service account" to "docs: configure Google service account for file upload dataset" on Apr 11, 2023
  • shon-button changed the title from "docs: configure Google service account for file upload dataset" to "docs: configure Google Cloud Service Accounts on GKE for Cloud Storage Permissions" on Apr 19, 2023
  • shon-button changed the title from "docs: configure Google Cloud Service Accounts on GKE for Cloud Storage Permissions" to "docs: configure Google Cloud Service Account on GKE for Cloud Storage Permissions" on Apr 19, 2023
  • shon-button changed the title from "docs: configure Google Cloud Service Account on GKE for Cloud Storage Permissions" to "feat: configure Google Cloud Service Account on GKE for Cloud Storage Permissions" on Apr 19, 2023