
I am working on a Kubernetes CronJob in GKE to export SQL databases from GCP Cloud SQL. I have a single GCP Cloud SQL instance whose Google service account is p848827672298-eef1pd@gcp-sa-cloud-sql.iam.gserviceaccount.com. If I add to this service account the permission to access and create bucket objects, running the gcloud sql export sql ... command works: the database is exported to my bucket.

However, what I want to do is use Workload Identity to bind a Kubernetes service account to the p848827... Google service account so that the CronJob can export the Cloud SQL database to my bucket. I try to do this by running this command:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[K8_NAMESPACE/K8_SERVICE_ACCOUNT]" \
  p848827672298-eef1pd@gcp-sa-cloud-sql.iam.gserviceaccount.com

(Of course, I replaced PROJECT_ID, K8_NAMESPACE, and K8_SERVICE_ACCOUNT with the appropriate values for my project.)

This results in

ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) NOT_FOUND: Service account projects/PROJECT_ID/serviceAccounts/p848827672298-eef1pd@gcp-sa-cloud-sql.iam.gserviceaccount.com does not exist.

How do I bind the Cloud SQL service account to my Kubernetes service account?

rlandster
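A worked version of the Workload Identity set-up the question is attempting, added here as an example; it is not the question's or the answer's code. Workload Identity binds a Kubernetes service account to a user-managed Google service account in your own project. The p848827...@gcp-sa-cloud-sql.iam.gserviceaccount.com address is the Cloud SQL service agent, which Google manages outside your project, and that is consistent with the NOT_FOUND that add-iam-policy-binding returns for it above. The script therefore creates a separate account for the CronJob, grants it only a role that carries the export permission, leaves the bucket write grant on the service agent (the identity that actually writes the dump), binds the Kubernetes service account to the new account, and emits a CronJob that runs as that annotated Kubernetes service account, so no long-lived key file is mounted into the pod. Every project, bucket, instance, namespace and account name is a placeholder; the choice of roles/cloudsql.editor and roles/storage.objectCreator, the cloud-sdk image and the daily schedule are assumptions; and the cluster is assumed to already have Workload Identity enabled. With DRY_RUN=1 the script only prints the gcloud/kubectl commands it would run, which is also how the check that rejects a service agent can be exercised without a project.

```shell
#!/bin/sh
# Added example (not the question's or the answer's code): bind a Kubernetes
# service account to a user-managed Google service account for a Cloud SQL
# export CronJob. Project, bucket, instance and account names are placeholders,
# and the cluster is assumed to already have Workload Identity enabled.

# Build the Workload Identity member string for a Kubernetes service account.
wi_member() {
  # $1 = GCP project id, $2 = Kubernetes namespace, $3 = KSA name
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# Succeed only if the Google service account lives in the given project.
# Google-managed service agents such as ...@gcp-sa-cloud-sql.iam.gserviceaccount.com
# belong to a Google-owned project and cannot be Workload Identity targets.
gsa_in_project() {
  # $1 = project id, $2 = service account e-mail
  case "$2" in
    *"@$1.iam.gserviceaccount.com") return 0 ;;
    *) return 1 ;;
  esac
}

# With DRY_RUN set, print each command instead of running it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# Create the user-managed account, grant it only what the CronJob needs to
# start an export, give the Cloud SQL service agent (the identity that writes
# the dump) object-creation rights on the bucket, and bind the KSA to the GSA.
setup_workload_identity() {
  # $1 project, $2 GSA e-mail, $3 namespace, $4 KSA, $5 bucket, $6 SQL service agent
  project="$1"; gsa="$2"; ns="$3"; ksa="$4"; bucket="$5"; sql_agent="$6"
  if ! gsa_in_project "$project" "$gsa"; then
    echo "refusing: $gsa is not a user-managed service account in $project" >&2
    return 1
  fi
  gsa_name="${gsa%%@*}"
  run gcloud iam service-accounts create "$gsa_name" --project "$project"
  # Assumed role: roles/cloudsql.editor carries cloudsql.instances.export;
  # a custom role holding only that permission would be tighter still.
  run gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:$gsa" --role roles/cloudsql.editor
  # The export is written by the Cloud SQL service agent, so the bucket grant
  # goes to it, not to the workload's account.
  run gsutil iam ch "serviceAccount:$sql_agent:roles/storage.objectCreator" "gs://$bucket"
  run gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --project "$project" --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$project" "$ns" "$ksa")"
  run kubectl create serviceaccount "$ksa" -n "$ns"
  run kubectl annotate serviceaccount "$ksa" -n "$ns" \
    "iam.gke.io/gcp-service-account=$gsa"
}

# Emit a CronJob that runs the export as the annotated KSA. Nothing is mounted:
# the pod obtains short-lived tokens for the GSA from the GKE metadata server.
cronjob_manifest() {
  # $1 namespace, $2 KSA, $3 Cloud SQL instance, $4 bucket, $5 database
  cat <<EOF
apiVersion: batch/v1
kind: CronJob
metadata:
  name: sql-export
  namespace: $1
spec:
  schedule: "0 2 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: $2
          restartPolicy: OnFailure
          containers:
            - name: export
              image: gcr.io/google.com/cloudsdktool/cloud-sdk:slim
              command: ["sh", "-c"]
              args:
                - gcloud sql export sql $3 gs://$4/\$(date +%Y%m%d).sql.gz --database=$5
EOF
}

# Usage (placeholders; DRY_RUN=1 prints the commands instead of running them):
#   DRY_RUN=1 setup_workload_identity my-proj sql-export@my-proj.iam.gserviceaccount.com \
#     default sql-export my-bucket p848827672298-eef1pd@gcp-sa-cloud-sql.iam.gserviceaccount.com
#   cronjob_manifest default sql-export my-instance my-bucket mydb | kubectl apply -f -
```

Passing the Cloud SQL service agent itself as the second argument makes the script refuse before any command is issued, which is the check that would have flagged the binding attempted in the question. The bucket grant is the only permission the service agent needs; the workload's own account never touches the bucket.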

1 Answer


Hope your API is enabled; please try disabling and enabling the API once. I faced a similar issue once and that worked: gcloud services enable compute.googleapis.com https://dzone.com/articles/enabling-gke-workload-identity

If you have a service account JSON file, you can also inject it directly into the pod as a volume-mounted secret.

kubectl create secret generic echo --from-file service-account.json

Now suppose you are deploying the application with the secret injection:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
  labels:
    app: echo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
  template:
    metadata:
      labels:
        app: echo
      name: echo
    spec:
      containers:
        - name: echo
          image: "gcr.io/hightowerlabs/echo"
          env:
            - name: "GOOGLE_APPLICATION_CREDENTIALS"
              value: "/var/run/secret/cloud.google.com/service-account.json"
            - name: "PROJECT_ID"
              valueFrom:
                configMapKeyRef:
                  name: echo
                  key: project-id
            - name: "TOPIC"
              value: "echo"
          volumeMounts:
            - name: "service-account"
              mountPath: "/var/run/secret/cloud.google.com"
            - name: "certs"
              mountPath: "/etc/ssl/certs"
      volumes:
        - name: "service-account"
          secret:
            secretName: "echo"
        - name: "certs"
          hostPath:
            path: "/etc/ssl/certs"

Example : https://github.com/kelseyhightower/gke-service-accounts-tutorial#google-cloud-service-accounts-with-google-container-engine-gke---tutorial

Harsh Manvar
  • When I ran the command I _did_ replace the parameters in all-caps with the correct values for my project. When posting my question I used generic strings to more clearly indicate what is supposed to go there. – rlandster Sep 12 '21 at 17:57
  • Also please check once : https://stackoverflow.com/questions/44788915/unable-to-provision-k8s-from-gcloud-account-does-not-exist/60247423#60247423 – Harsh Manvar Sep 12 '21 at 18:02