Service accounts are identified by a service key, and help us grant specific access to an automated process. Our CI process needs two service accounts to operate:

- gcr-readwritekey. This is used to build and push the user images. Based on the docs, this is assigned the role
- gkekey. This is used to interact with the Google Kubernetes cluster. Roles roles/container.clusterViewer and roles/container.developer are granted to it.

These are currently copied into the secrets/ dir of every deployment, and explicitly referenced from hubploy.yaml in each deployment. They should be rotated every few months.
You can create service accounts through the web console or the command line. Remember not to leave copies of the private key lying around elsewhere on your local computer!
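Since the keys live in every deployment's secrets/ dir and are only rotated by hand, it helps to have a check that tells you when rotation is overdue. The script below is an added example, not part of these docs or of hubploy: it reads the JSON that `gcloud iam service-accounts keys list --iam-account=<email> --format=json` prints and flags user-managed keys older than a rotation window. The 90-day window, the project id `example-project` and the embedded key list are assumptions and constructed sample data; the two account names are the ones this page describes. Key creation timestamps are not stored in the downloaded key file, so the age has to come from the `keys list` output, not from the copy under secrets/.

```python
"""Flag user-managed service-account keys that are past their rotation window.

Added example (not from the deployment docs). Works on the JSON output of
`gcloud iam service-accounts keys list --iam-account=<email> --format=json`.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90            # assumption: "every few months" read as 90 days
PROJECT_ID = "example-project"  # placeholder, not a real project
SERVICE_ACCOUNTS = ["gcr-readwritekey", "gkekey"]  # the two accounts on this page

# Constructed sample of what `keys list --format=json` returns. Field names
# (name, keyType, validAfterTime, validBeforeTime) follow gcloud's output;
# the ids and dates are made up.
SAMPLE_KEYS_JSON = json.dumps([
    {"name": "projects/example-project/serviceAccounts/"
             "gkekey@example-project.iam.gserviceaccount.com/keys/aaaa1111",
     "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-05T12:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": "projects/example-project/serviceAccounts/"
             "gkekey@example-project.iam.gserviceaccount.com/keys/bbbb2222",
     "keyType": "USER_MANAGED",
     "validAfterTime": "2023-06-01T12:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    # Google-managed keys rotate themselves; the checker must skip them.
    {"name": "projects/example-project/serviceAccounts/"
             "gkekey@example-project.iam.gserviceaccount.com/keys/cccc3333",
     "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-06-20T00:00:00Z",
     "validBeforeTime": "2023-07-04T00:00:00Z"},
])


def parse_rfc3339(ts):
    """Parse the RFC 3339 UTC timestamps gcloud emits (trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_keys(keys_json, now, max_age_days=ROTATION_DAYS):
    """Return [(key_id, age_in_days)] for user-managed keys older than the window."""
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            key_id = key["name"].rsplit("/", 1)[-1]
            stale.append((key_id, age.days))
    return stale


def account_email(name, project_id=PROJECT_ID):
    """Build the service account's email from its short name and project id."""
    return f"{name}@{project_id}.iam.gserviceaccount.com"


def list_keys(email):
    """Fetch the key list for one account from gcloud (needs an authenticated CLI)."""
    cmd = ["gcloud", "iam", "service-accounts", "keys", "list",
           f"--iam-account={email}", "--format=json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name in SERVICE_ACCOUNTS:
        email = account_email(name)
        for key_id, age in stale_keys(list_keys(email), now):
            print(f"{email}: key {key_id} is {age} days old, rotate it")
```

Run it from a machine where `gcloud` is authenticated against the project; an empty output means every user-managed key on both accounts is inside the window. Rotation itself is still the manual sequence the page implies (create a new key, replace the copy in each deployment's secrets/ dir, delete the old key with `gcloud iam service-accounts keys delete`), and the new key file should be removed from your local machine once it is in place.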