Skip to content
Kannika

Google Cloud Platform

This page describes the authentication options for Google Cloud Platform (GCP).

The following authentication options are available:

GCP Credentials

Section titled “GCP Credentials”

GCP credentials are defined in the .spec.gcp field of the Credentials resource.

It can be used in combination with the following resources:

Service Account Keys

Section titled “Service Account Keys”

To configure GCP credentials, you must create Credentials resource that has the .spec.gcp object set.

apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: gcp-creds
spec:
  gcp:
    description: "user@project.iam.gserviceaccount.com" # Optional description
    serviceAccountJsonFrom:
      secretKeyRef:
        name: gcp-sa  # Reference to below Secret
        key: contents # Key in the Secret

And here is the corresponding secret:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: gcp-sa
data:
  contents: |
    <base64-encoded service account file (JSON)>

You can then use these Credentials in a Backup or a Restore.

IAM Service Account Authentication

Section titled “IAM Service Account Authentication”

It is possible to attach a Kubernetes ServiceAccount (SA) to a Backup Pod or to a Restore Pod. A ServiceAccount is used to provide an identity for processes that run in a Pod. The identity is used to determine what resources the process has access to.

This is useful when the Kubernetes cluster runs on a cloud provider that supports Workload Identity, where the ServiceAccount is mapped to an IAM role that has the necessary permissions to access the external system.

Please check the Backup Pod Configuration and the Restore Pod Configuration sections on how to attach a ServiceAccount.