Version: 2.15.0

Step 3 - Enable your GKE cluster to access Secrets

To allow your GKE cluster to access secrets, you must create a service account.

Managed identity - Create service account

Create the following service account to enable the GKE cluster to access secrets.

  1. Create the service account:

     gcloud iam service-accounts create external-secrets-sa --display-name="External Secrets Service Account"

  2. Grant the Secret Manager accessor role to the newly created service account (replace [project_id] with your project ID):

     gcloud projects add-iam-policy-binding [project_id] \
       --member="serviceAccount:external-secrets-sa@[project_id].iam.gserviceaccount.com" \
       --role="roles/secretmanager.secretAccessor"

  3. Generate a key file for the service account created in the previous step:

     gcloud iam service-accounts keys create keyfile.json \
       --iam-account="external-secrets-sa@[project_id].iam.gserviceaccount.com"

Note: the Kubernetes secret created in the next step, gcp-secret, is used during Step 7 to install cdrplatform-external-secrets.

  4. Create a Kubernetes secret from the contents of the key file created above:

     kubectl create secret generic gcp-secret --from-file=keyfile.json
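The four steps above as one parameterised script, added here as an example and not part of the original page: it validates the project ID, confirms the IAM binding actually landed before a key is minted, and removes the local key file once it is stored in the cluster. It assumes gcloud and kubectl are installed and authenticated; the names external-secrets-sa, keyfile.json and gcp-secret are the ones used on this page.

```shell
#!/bin/sh
# Example wrapper for the steps on this page (not the project's own code).
set -eu

SA_NAME="external-secrets-sa"
KEY_FILE="keyfile.json"
K8S_SECRET="gcp-secret"
ROLE="roles/secretmanager.secretAccessor"

# GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
validate_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Email of the service account in the given project.
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$SA_NAME" "$1"; }

# $1 = flattened policy as "role,member" lines, $2 = service account email.
# Succeeds when the expected secretAccessor binding is present.
has_binding() {
  printf '%s\n' "$1" | grep -Fxq "$ROLE,serviceAccount:$2"
}

setup_gke_secret_access() {
  project="$1"
  validate_project_id "$project" || { echo "invalid project id: $project" >&2; return 1; }
  email="$(sa_email "$project")"

  gcloud iam service-accounts create "$SA_NAME" --project="$project" \
    --display-name="External Secrets Service Account"
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$email" --role="$ROLE" >/dev/null

  # Verify the binding before creating a key for the account.
  policy="$(gcloud projects get-iam-policy "$project" --flatten='bindings[].members' \
    --format='csv[no-heading](bindings.role,bindings.members)')"
  has_binding "$policy" "$email" || { echo "binding for $email missing" >&2; return 1; }

  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$email"
  kubectl create secret generic "$K8S_SECRET" --from-file="$KEY_FILE"
  # The key now lives in the cluster secret; do not leave a copy on disk.
  rm -f "$KEY_FILE"
}

if [ "${1:-}" ]; then setup_gke_secret_access "$1"; fi
```

Run it as `sh setup.sh [project_id]`; the helper functions can be sourced on their own to check an existing policy export.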