#!/bin/bash
#
# script that creates GKE service account "gcloud-user"
#
# if gcloud functions are slow, you may need to disable ipv6 temporarily
# permanent changes would need to go into /etc/sysctl.conf
# sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
# sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
# sudo sysctl -p /etc/sysctl.conf
#
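#######################################
# Creates the service account if it does not exist yet and downloads a
# user-managed key for it into ./<name>.json when no key has been issued.
# Arguments: $1 - project id, $2 - account name, $3 - display name
# Outputs:   progress messages on stdout; writes <name>.json (a long-lived
#            private key) into the current directory when a key is created
# Returns:   0 normally; non-zero when the key download fails
#######################################
function create_svc_account() {
  local project_id="$1"
  local name="$2"
  local descrip="$3"
  local accountExists keyCount svcEmail
  # the list output has a header line when there is a match, so 0 lines means
  # "no account" (a failed gcloud call also yields 0 lines, so this is best-effort)
  accountExists=$(gcloud iam service-accounts list --project="$project_id" --filter="name ~ ${name}@" | wc -l)
  if [[ "${accountExists:-0}" == 0 ]]; then
    echo "Going to create service account '$name' in project_id $project_id"
    gcloud iam service-accounts create "$name" --display-name "$descrip" --project="$project_id"
    echo "going to sleep for 30 seconds to wait for eventual consistency of service account creation..."
    sleep 30
  else
    echo "The service account $name is already created in project_id $project_id"
  fi
  # download key if just created or local json does not exist
  if [[ "${accountExists:-0}" == 0 || ! -f "$name.json" ]]; then
    svcEmail=$(get_email "$project_id" "$name")
    echo "serviceAccountEmail: $svcEmail"
    keyCount=$(gcloud iam service-accounts keys list --iam-account "$svcEmail" | wc -l)
    # create key if necessary
    # normal count of lines is 2 (because output has header and gcp has its own managed key)
    if (( ${keyCount:-0} < 3 )); then
      echo "going to create/download key since key count is less than 3"
      if gcloud iam service-accounts keys create "$name.json" --iam-account "$svcEmail"; then
        # the json file is a long-lived private key: keep it readable by this user only
        chmod 600 -- "$name.json"
      else
        echo "key creation failed for $svcEmail" >&2
        return 1
      fi
    else
      echo "SKIP key download, there is already an existing key and it can only be downloaded upon creation"
      echo "delete the key manually from console.cloud.google.com if you need it rerecreated"
    fi
  fi
}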
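#######################################
# Prints the email address of a service account looked up by name.
# Arguments: $1 - project id, $2 - account name
# Outputs:   the email(s) matching the filter on stdout (empty when none)
# Returns:   the exit status of echo (the gcloud status is not propagated)
#######################################
function get_email() {
  local project_id="$1"
  local account_name="$2"
  local svcEmail
  # NOTE(review): "~" is a regex match, so this also matches accounts whose name
  # merely ends with "<account_name>@" — confirm a single result is expected
  svcEmail=$(gcloud iam service-accounts list --project="$project_id" --filter="name ~ ${account_name}@" --format="value(email)")
  echo "$svcEmail"
}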
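#######################################
# Binds each role in a space-separated list to the service account at
# project scope.
# Globals:   svcEmail (written; read by the main section after this call)
# Arguments: $1 - project id, $2 - account name, $3 - space-separated roles
# Outputs:   the resolved email on stdout; traced gcloud commands on stderr
# Returns:   1 when the account email cannot be resolved; a failing binding
#            aborts the whole script because of the set -e around the call
#######################################
function assign_role() {
  local project_id="$1"
  local account_name="$2"
  local roles="$3"
  local role
  local -a role_list
  # deliberately not local: the main section echoes $svcEmail after this call
  svcEmail=$(get_email "$project_id" "$account_name")
  echo "serviceAccountEmail: $svcEmail"
  if [[ -z "$svcEmail" ]]; then
    echo "could not resolve the email for service account $account_name in $project_id" >&2
    return 1
  fi
  # split on whitespace into an array instead of temporarily rewriting the global IFS
  read -ra role_list <<<"$roles"
  for role in "${role_list[@]}"; do
    set -ex
    gcloud projects add-iam-policy-binding "$project_id" --member="serviceAccount:$svcEmail" --role="$role" > /dev/null
    set +ex
  done
}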
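############## MAIN #########################################
# Usage: <script> <project_id>
project_id="$1"
if [[ -z "$project_id" ]]; then
  echo "Usage: projectid"
  exit 1
fi
echo "project id: $project_id"
# stop here if the active project cannot be switched; otherwise every later call
# would run against whatever project gcloud was previously configured with
gcloud config set project "$project_id" || exit 1
account_name="gcloud-user"
echo "creating account for $account_name"
create_svc_account "$project_id" "$account_name" "gcloud user"
# roles/container.clusterViewer (cluster get and list)
# roles/container.viewer (read access within clusters)
# roles/compute.viewer (read only vms, disks)
# roles/compute.networkViewer (read only)
# roles/iam.workloadIdentityUser (for workload identity https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
# NOTE(review): all of these are bound at project scope by assign_role — confirm
# that project-wide workloadIdentityUser is intended rather than a per-account binding
assign_role "$project_id" "$account_name" "roles/container.clusterViewer roles/container.viewer roles/compute.viewer roles/compute.networkViewer roles/iam.workloadIdentityUser"
# show all roles for this account
sleep 10
# resolve the email before printing it (it was previously echoed before being assigned here)
svcEmail=$(get_email "$project_id" "$account_name")
echo "Going to show all roles for $svcEmail"
echo ""
echo "show '$svcEmail' roles"
gcloud projects get-iam-policy "$project_id" --flatten="bindings[].members" --filter="bindings.members=serviceAccount:$svcEmail" --format="value(bindings.role)"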