Cloud Credentials
Google Cloud
Service Accounts
Service accounts are identified by a service key, and help us grant specific access to an automated process. Our CI process needs two service accounts to operate:
- A
gcr-readwritekey. This is used to build and push the user images. Based on the docs, this is assigned the roleroles/storage.admin. - A
gkekey. This is used to interact with the Google Kubernetes cluster. Roles roles/container.clusterViewer and roles/container.developer are granted to it.
These are currently copied into the secrets/ dir of every deployment, and explicitly referenced from hubploy.yaml in each deployment. They should be rotated every few months.
You can create service accounts through the web console or the commandline. Remember to not leave around copies of the private key elsewhere on your local computer!