As a cloud administrator, you can use the Google Cloud Platform (GCP) plug-in to create service accounts from templates in Automation Assembler. You can attach the service account to a GCP resource so that the resource can only be accessed through that service account.

Important: VMware Aria Automation currently supports attaching service accounts to storage bucket resources.

Service account properties

The following properties are required to provision service account resources.

Property     Description
name         The resource name of the service account.
account      The GCP cloud account, and the regions enabled for it, to which your team deploys cloud templates. See Create a Google Cloud Platform cloud account in VMware Aria Automation for more information.
account_id   The account ID that is used to generate the service account email address. It must be between 6 and 30 characters. You cannot change the service account name after provisioning.

Service account key properties

You must create a service account key to access the GCP resource that is associated with the service account.

The following properties are required to provision service account keys.

Property             Description
name                 The resource name of the service account.
account              The GCP cloud account, and the regions enabled for it, to which your team deploys cloud templates. See Create a Google Cloud Platform cloud account in VMware Aria Automation for more information.
service_account_id   The resource ID of the service account for which the key is created.

After you successfully create the service account key, you can copy it and store it in a JSON file. To copy the service account key:

  1. In Automation Assembler, select Resources > Deployments, and locate your deployment.
  2. On the Topology tab, select the service account key.
  3. Open the Attributes section, and find the private_key_data property.
  4. Copy the service account key immediately after a successful deployment.

    Make sure that you store the service account key in a secure location.
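The steps above leave the handling of the copied key to the reader. The following added example (not part of the VMware documentation or the plug-in) shows one way to take a private_key_data value, confirm that it actually is a service account key, and write it to a JSON file that only its owner can read. It assumes that private_key_data carries the key file JSON in base64, the same encoding the Google IAM API uses for privateKeyData; the SAMPLE_KEY dictionary is constructed for the demonstration and contains a placeholder instead of real key material.

```python
import base64
import json
import os
import stat
import tempfile

# Fields present in every GCP service account key file. A payload that lacks
# them is refused rather than written to disk.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample in the shape of a key file. The private_key value is a
# placeholder, not real key material.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "sa-bucket-owner@example-project.iam.gserviceaccount.com",
}
# Assumed form of the private_key_data attribute: the key file JSON, base64
# encoded (built here from SAMPLE_KEY).
SAMPLE_PRIVATE_KEY_DATA = base64.b64encode(json.dumps(SAMPLE_KEY).encode()).decode()


def decode_private_key_data(private_key_data: str) -> dict:
    """Decode a base64 private_key_data value into the key-file dict.

    Raises ValueError unless the payload is a well-formed service account key.
    """
    try:
        key = json.loads(base64.b64decode(private_key_data, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError(f"private_key_data is not base64-encoded JSON: {exc}") from exc
    if not isinstance(key, dict):
        raise ValueError("decoded payload is not a JSON object")
    missing = [field for field in REQUIRED_FIELDS if field not in key]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"unexpected key type {key['type']!r}")
    if not str(key["private_key"]).startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM private key")
    return key


def is_valid_private_key_data(private_key_data: str) -> bool:
    """True when decode_private_key_data() accepts the value."""
    try:
        decode_private_key_data(private_key_data)
    except ValueError:
        return False
    return True


def store_key_file(key: dict, path: str) -> str:
    """Write the key JSON to a new file that only its owner can read or write.

    O_EXCL refuses to overwrite an existing file, so a stored key is never
    silently replaced, and the 0600 mode is applied at creation time rather
    than after the key material has already been written.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(key, fh, indent=2)
    return path


def key_file_is_private(path: str) -> bool:
    """True when the file grants no permissions to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def roundtrip_demo() -> tuple:
    """Decode the sample, store it in a temp dir, return (client_email, is_private)."""
    key = decode_private_key_data(SAMPLE_PRIVATE_KEY_DATA)
    with tempfile.TemporaryDirectory() as tmp:
        path = store_key_file(key, os.path.join(tmp, "sa-bucket-owner.json"))
        with open(path) as fh:
            reread = json.load(fh)
        return reread["client_email"], key_file_is_private(path)


if __name__ == "__main__":
    print(roundtrip_demo())
```

The validation step matters because the attribute is copied by hand: a truncated or wrongly pasted value fails at decode time instead of producing an unusable key file that is only discovered when a client tries to authenticate.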

Provisioning a service account with a storage bucket

The following template shows how you might provision a service account with a storage bucket. In this example, you create a storage bucket, a service account, and a service account key.

To ensure that the storage bucket can only be accessed through the associated service account, you use the acl property in the cloud template. This property is used to set access controls on the storage bucket resource. See the Google Cloud REST documentation for more information about bucket access controls.

formatVersion: 1
inputs: {}
resources:
  key_owner:
    type: Idem.GCP.IAM.SERVICE_ACCOUNT_KEY
    dependsOn:
      - owner
    properties:
      name: owner
      account: gcp
      service_account_id: ${resource.owner.resource_id}
  owner:
    type: Idem.GCP.IAM.SERVICE_ACCOUNT
    properties:
      name: sa-1
      account: gcp
      account_id: sa-bucket-owner
  bucket:
    type: Idem.GCP.STORAGE.BUCKET
    dependsOn:
      - owner
    properties:
      name: bucket-1
      account: gcp
      acl:
        - entity: user-${resource.owner.email}
          role: OWNER
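The template above relies on the acl property being present and pointing at the service account created in the same template. The following added example (not part of the VMware documentation or the plug-in) is a review check that walks a template in parsed form and reports buckets with no acl, entries for allUsers or allAuthenticatedUsers, and entities that do not resolve to an Idem.GCP.IAM.SERVICE_ACCOUNT resource in the template. It assumes the template is loaded as a YAML document into nested dictionaries; TEMPLATE_OK is the page's template transcribed into that form, and TEMPLATE_WEAK is a constructed variant with the problems the check is meant to catch.

```python
import re

SERVICE_ACCOUNT_TYPE = "Idem.GCP.IAM.SERVICE_ACCOUNT"
BUCKET_TYPE = "Idem.GCP.STORAGE.BUCKET"
# ACL entities that open a bucket to everyone or to any Google account.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}
# Entity of the form user-${resource.<name>.email}, as written in the template.
SA_ENTITY_RE = re.compile(r"^user-\$\{resource\.(?P<res>[A-Za-z0-9_-]+)\.email\}$")

# The page's template in the form a YAML loader returns it (transcribed by
# hand so the check runs without a YAML dependency).
TEMPLATE_OK = {
    "formatVersion": 1,
    "inputs": {},
    "resources": {
        "key_owner": {"type": "Idem.GCP.IAM.SERVICE_ACCOUNT_KEY", "dependsOn": ["owner"],
                      "properties": {"name": "owner", "account": "gcp",
                                     "service_account_id": "${resource.owner.resource_id}"}},
        "owner": {"type": SERVICE_ACCOUNT_TYPE,
                  "properties": {"name": "sa-1", "account": "gcp", "account_id": "sa-bucket-owner"}},
        "bucket": {"type": BUCKET_TYPE, "dependsOn": ["owner"],
                   "properties": {"name": "bucket-1", "account": "gcp",
                                  "acl": [{"entity": "user-${resource.owner.email}", "role": "OWNER"}]}},
    },
}

# Constructed weak variant: one bucket without an acl, one readable by allUsers.
TEMPLATE_WEAK = {
    "formatVersion": 1,
    "inputs": {},
    "resources": {
        "owner": TEMPLATE_OK["resources"]["owner"],
        "bucket-open": {"type": BUCKET_TYPE, "dependsOn": ["owner"],
                        "properties": {"name": "bucket-2", "account": "gcp"}},
        "bucket-public": {"type": BUCKET_TYPE, "dependsOn": ["owner"],
                          "properties": {"name": "bucket-3", "account": "gcp",
                                         "acl": [{"entity": "user-${resource.owner.email}", "role": "OWNER"},
                                                 {"entity": "allUsers", "role": "READER"}]}},
    },
}


def check_bucket_acls(template: dict) -> list:
    """Return one finding per bucket ACL problem; an empty list means every bucket passes."""
    resources = template.get("resources", {})
    service_accounts = {n for n, r in resources.items() if r.get("type") == SERVICE_ACCOUNT_TYPE}
    findings = []
    for name, res in resources.items():
        if res.get("type") != BUCKET_TYPE:
            continue
        acl = res.get("properties", {}).get("acl") or []
        if not acl:
            findings.append(f"{name}: no acl property, so access is not limited to a service account")
            continue
        for entry in acl:
            entity = str(entry.get("entity", ""))
            role = entry.get("role")
            if entity in PUBLIC_ENTITIES:
                findings.append(f"{name}: acl grants {role} to {entity}")
                continue
            match = SA_ENTITY_RE.match(entity)
            if match is None:
                findings.append(f"{name}: acl entity {entity!r} is not a service account defined in this template")
            elif match.group("res") not in service_accounts:
                findings.append(f"{name}: acl references {match.group('res')!r}, which is not a {SERVICE_ACCOUNT_TYPE} resource")
            elif match.group("res") not in res.get("dependsOn", []):
                # The email is only known after the service account exists.
                findings.append(f"{name}: acl uses {match.group('res')!r} but dependsOn does not list it")
    return findings


if __name__ == "__main__":
    for label, tpl in (("page template", TEMPLATE_OK), ("weak template", TEMPLATE_WEAK)):
        print(label, check_bucket_acls(tpl) or ["OK"])
```

The check only sees the template. On the GCP side a bucket ACL sits alongside the project and bucket IAM policy, and a bucket with uniform bucket-level access enabled ignores ACLs altogether, so the effective access should also be reviewed in the project after deployment.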