    Google Cloud Platform

    This page describes the authentication options for Google Cloud Platform (GCP).

    The following authentication options are available:

    GCP Credentials

    GCP credentials are defined in the .spec.gcp field of the Credentials resource.

    It can be used in combination with the following resources:

    Service Account Keys

    To configure GCP credentials, you must create a Credentials resource that has the .spec.gcp object set.

    apiVersion: kannika.io/v1alpha
    kind: Credentials
    metadata:
      name: gcp-creds
    spec:
      gcp:
        description: "user@project.iam.gserviceaccount.com" # Optional description
        serviceAccountJsonFrom:
          secretKeyRef:
            name: gcp-sa # Reference to below Secret
            key: contents # Key in the Secret

    And here is the corresponding secret:

    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: gcp-sa
    data:
      contents: |
        <base64-encoded service account file (JSON)>

    You can then use these Credentials in a Backup or a Restore.
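
The Secret above only works if `contents` holds the service account file encoded in base64 exactly once. The following is an added example, not code from the Kannika project: it checks a key file, builds the `gcp-sa` Secret, and decodes it again to confirm the round trip. The function names and the sample key are constructed for illustration.

```python
import base64
import json

# Fields present in a Google service account key file; checked before encoding.
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email")


def build_secret(sa_json: str, name: str = "gcp-sa", key: str = "contents") -> dict:
    """Return a Secret manifest whose data[key] is the base64 of sa_json."""
    parsed = json.loads(sa_json)  # raises ValueError on malformed JSON
    if not isinstance(parsed, dict):
        raise ValueError("service account file must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if not parsed.get(f)]
    if missing:
        raise ValueError(f"service account file is missing: {', '.join(missing)}")
    if parsed["type"] != "service_account":
        raise ValueError(f"unexpected credential type: {parsed['type']!r}")
    encoded = base64.b64encode(sa_json.encode("utf-8")).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name},
        "data": {key: encoded},
    }


def decode_contents(secret: dict, key: str = "contents") -> dict:
    """Decode data[key] once, as a consumer of the Secret would, and parse it."""
    raw = base64.b64decode(secret["data"][key], validate=True)
    return json.loads(raw)


# Constructed sample key file with placeholder values, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000",
    "private_key": "PLACEHOLDER-NOT-A-KEY",
    "client_email": "user@example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    secret = build_secret(SAMPLE_KEY)
    # kubectl accepts JSON manifests as well as YAML.
    print(json.dumps(secret, indent=2))
    print(decode_contents(secret)["client_email"])
```
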

    IAM Service Account Authentication

    It is possible to attach a Kubernetes ServiceAccount (SA) to a Backup Pod or to a Restore Pod. A ServiceAccount is used to provide an identity for processes that run in a Pod. The identity is used to determine what resources the process has access to.

    This is useful when the Kubernetes cluster runs on a cloud provider that supports Workload Identity, where the ServiceAccount is mapped to an IAM role that has the necessary permissions to access the external system.

    Please check the Backup Pod Configuration and the Restore Pod Configuration sections on how to attach a ServiceAccount.