To allow your GKE cluster to access secrets, you must create a service account.

### Managed identity - Create service account

Create the following service account to enable the GKE cluster to access secrets.

1. Create the service account.

>```sh
>gcloud iam service-accounts create external-secrets-sa --display-name="External Secrets Service Account"
>```

2. Grant the new service account the Secret Manager Secret Accessor role (read access to secret payloads):

>```sh
>gcloud projects add-iam-policy-binding [project_id] \
>  --member="serviceAccount:external-secrets-sa@[project_id].iam.gserviceaccount.com" \
>  --role="roles/secretmanager.secretAccessor"
>```

3. Generate a key file for the service account created in step 1:

>```sh
>gcloud iam service-accounts keys create keyfile.json \
>  --iam-account="external-secrets-sa@[project_id].iam.gserviceaccount.com"
>```

>**Note:** the Kubernetes secret created below (`gcp-secret`) is used in Step 7 to install `cdrplatform-external-secrets`.

4. Create a Kubernetes secret from the contents of the key file created above:

>```sh
>kubectl create secret generic gcp-secret --from-file=keyfile.json
>```
