UC Berkeley JupyterHubs
Service accounts are identified by a service key, and help us grant specific access to an automated process. Our CI process needs two service accounts to operate:

- A gcr-readwrite key. This is used to build and push the user images. Based on the docs, this is assigned the role roles/storage.admin.
- A gke key. This is used to interact with the Google Kubernetes cluster. The roles roles/container.clusterViewer and roles/container.developer are granted to it.

These are currently copied into the secrets/ dir of every deployment, and explicitly referenced from hubploy.yaml in each deployment. They should be rotated every few months.

You can create service accounts through the web console or the command line. Remember not to leave copies of the private key lying around elsewhere on your local computer!
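The command-line route described above, as an added example (not the Berkeley JupyterHub repo's own tooling): it creates each of the two CI service accounts with gcloud, grants exactly the roles listed, writes the key straight into a deployment's secrets/ dir, and retires an old key during rotation. The GCP project id, the deployment directory name and the old key id are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the UC Berkeley JupyterHubs docs. Provisions the two
# CI service accounts described on this page with gcloud. The project id,
# deployment dir and key id are assumed arguments, not values from the page.
set -eu

# Roles the page assigns to each service account (pure function, no gcloud).
roles_for() {
  case "$1" in
    gcr-readwrite) echo "roles/storage.admin" ;;
    gke)           echo "roles/container.clusterViewer roles/container.developer" ;;
    *) echo "unknown service account: $1" >&2; return 1 ;;
  esac
}

# Email GCP assigns to a service account named $1 in project $2.
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Create the account (if missing), bind only its listed roles, mint a key into
# the deployment's secrets/ dir, which hubploy.yaml then references.
# Usage: provision_ci_sa <gcr-readwrite|gke> <gcp-project> <deployment-dir>
provision_ci_sa() {
  local name="$1" project="$2" deployment="$3"
  local email; email="$(sa_email "$name" "$project")"
  local keyfile="$deployment/secrets/${name}.json"

  gcloud iam service-accounts describe "$email" --project="$project" >/dev/null 2>&1 ||
    gcloud iam service-accounts create "$name" --project="$project" \
      --display-name="CI: $name"

  for role in $(roles_for "$name"); do
    gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$email" --role="$role" >/dev/null
  done

  # The key file is a secret: make it owner-readable only before gcloud writes
  # it, and write it nowhere but the deployment's secrets/ dir.
  mkdir -p "$deployment/secrets"
  ( umask 077 && gcloud iam service-accounts keys create "$keyfile" --iam-account="$email" )
  echo "wrote $keyfile; reference it from $deployment/hubploy.yaml"
}

# Rotation: once the new key is in secrets/ and CI is green, delete the old one.
# Usage: retire_key <gcr-readwrite|gke> <gcp-project> <old-key-id>
retire_key() {
  local email; email="$(sa_email "$1" "$2")"
  gcloud iam service-accounts keys delete "$3" --iam-account="$email" --quiet
}
```

Run `provision_ci_sa gke my-project deployments/datahub` for each account, then `retire_key` with the id from `gcloud iam service-accounts keys list --iam-account=... --managed-by=user` to finish a rotation.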