
Google Cloud Platform

This page describes the authentication options for Google Cloud Platform (GCP).

The following authentication options are available:

GCP credentials are defined in the .spec.gcp field of the Credentials resource.

It can be used in combination with the following resources:

To configure GCP credentials, create a Credentials resource with the .spec.gcp object set.

apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: gcp-creds
spec:
  gcp:
    description: "user@project.iam.gserviceaccount.com" # Optional description
    serviceAccountJsonFrom:
      secretKeyRef:
        name: gcp-sa # Reference to below Secret
        key: contents # Key in the Secret

And here is the corresponding secret:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: gcp-sa
data:
  contents: |
    <base64-encoded service account file (JSON)>

You can then use these Credentials in a Backup or a Restore.
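As an added check (not part of the Kannika documentation or product), the following Python snippet resolves the secretKeyRef above against the Secret it names and validates that the decoded value is a GCP service-account key file. The manifests are constructed samples mirroring the YAML above, and the list of required fields is an assumption based on the standard service-account JSON format.

```python
import base64
import json

# Constructed sample: a Credentials resource and the Secret it references,
# written as Python dicts that mirror the YAML manifests above.
SA_JSON = json.dumps({
    "type": "service_account",
    "project_id": "my-project",
    "client_email": "user@my-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})
CREDENTIALS = {
    "apiVersion": "kannika.io/v1alpha", "kind": "Credentials",
    "metadata": {"name": "gcp-creds"},
    "spec": {"gcp": {"serviceAccountJsonFrom": {
        "secretKeyRef": {"name": "gcp-sa", "key": "contents"}}}},
}
SECRET = {  # Secret .data values are base64-encoded, as in the manifest above
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "gcp-sa"},
    "data": {"contents": base64.b64encode(SA_JSON.encode()).decode()},
}
# Assumed minimum field set of a service-account key file (not from the page).
REQUIRED = ("type", "project_id", "client_email", "private_key")


def check_gcp_credentials(credentials, secrets):
    """Resolve .spec.gcp.serviceAccountJsonFrom.secretKeyRef against `secrets`
    (name -> Secret manifest) and validate the referenced key file.
    Returns a list of problems; an empty list means the reference is sound."""
    ref = (credentials.get("spec", {}).get("gcp", {})
           .get("serviceAccountJsonFrom", {}).get("secretKeyRef"))
    if not ref or "name" not in ref or "key" not in ref:
        return ["spec.gcp.serviceAccountJsonFrom.secretKeyRef is missing or incomplete"]
    secret = secrets.get(ref["name"])
    if secret is None:
        return [f"Secret {ref['name']!r} not found"]
    raw = secret.get("data", {}).get(ref["key"])
    if raw is None:
        return [f"key {ref['key']!r} not present in Secret {ref['name']!r}"]
    try:
        # Tolerate line-wrapped base64 such as `base64 sa.json` produces.
        key_file = json.loads(base64.b64decode("".join(raw.split()), validate=True))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        return [f"Secret value is not base64-encoded JSON: {exc}"]
    if not isinstance(key_file, dict):
        return ["decoded Secret value is not a JSON object"]
    problems = [f"service account file lacks {f!r}" for f in REQUIRED if f not in key_file]
    if key_file.get("type") != "service_account":
        problems.append(f"expected type 'service_account', got {key_file.get('type')!r}")
    return problems
```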

A Kubernetes ServiceAccount (SA) can be attached to provide a specific identity to the processes running within the pods.

This configuration is primarily used to enable Workload Identity, where the Kubernetes ServiceAccount is mapped to a cloud provider IAM role. This mechanism allows pods to securely access external systems, such as cloud storage, without the need for managing static secrets or credentials.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  annotations:
    iam.gke.io/gcp-service-account: my-service-account@my-project.iam.gserviceaccount.com

Then, on the Armory resource (here a Backup), set serviceAccountName to that ServiceAccount.

apiVersion: io.kannika/v1alpha
kind: Backup
metadata:
  name: backup
spec:
  source: "kafka"
  sink: "storage"
  serviceAccountName: "my-service-account"