As a cloud administrator, you can use the Google Cloud Platform (GCP) plug-in to create service accounts from templates in Automation Assembler. You can attach the service account to a GCP resource so that the resource can only be accessed through that service account.
Service account properties
The following properties are required to provision service account resources.
Property | Description |
---|---|
name | The resource name of the service account. |
account | The GCP cloud account for account regions to which your team deploys cloud templates. See Create a Google Cloud Platform cloud account in VMware Aria Automation for more information. |
account_id | The account ID that is used to generate the service account email address. It must be between 6 and 30 characters. You cannot change the service account name after provisioning. |
Service account key properties
You must create a service account key to access the GCP resource that is associated with the service account.
The following properties are required to provision service account keys.
Property | Description |
---|---|
name | The resource name of the service account. |
account | The GCP cloud account for account regions to which your team deploys cloud templates. See Create a Google Cloud Platform cloud account in VMware Aria Automation for more information. |
service_account_id | The account resource ID used to create a service key. |
After you successfully create the service account key, you can copy it and store it in a JSON file. To copy the service account key:
- In Automation Assembler, select , and locate your deployment.
- On the Topology tab, select the service account key.
- Open the Attributes section, and find the private_key_data property.
- Copy the service account key immediately after a successful deployment.
Make sure that you store the service account key in a secure location.
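The following script is an added example, not code from Automation Assembler or the Idem plug-in. It takes the value copied from the private_key_data attribute, which GCP returns as the base64 encoding of the JSON key file, decodes and validates it, and writes it to a file that only the current user can read. The sample key is constructed with a placeholder in place of real key material; the field names are those of a standard GCP service account key file.

```python
"""
Decode a GCP service account key copied from a deployment's private_key_data
attribute and store it as a JSON key file with owner-only permissions.
Added example; not Automation Assembler or Idem plug-in code.
"""
import base64
import json
import os
import stat
import tempfile

# Fields every GCP service account key file carries.
REQUIRED_FIELDS = {
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
}

# Constructed sample key: same layout as a real key file, but the PEM body is a
# placeholder. Assumption: private_key_data is base64-encoded JSON, as in the
# GCP keys.create response.
_SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "sa-bucket-owner@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}
SAMPLE_PRIVATE_KEY_DATA = base64.b64encode(json.dumps(_SAMPLE_KEY).encode()).decode()


def decode_private_key_data(private_key_data: str) -> dict:
    """Base64-decode the attribute value and check it looks like a key file."""
    try:
        raw = base64.b64decode(private_key_data, validate=True)
        key = json.loads(raw)
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError(f"private_key_data is not base64-encoded JSON: {exc}") from exc
    if not isinstance(key, dict) or key.get("type") != "service_account":
        raise ValueError("decoded document is not a service account key")
    missing = REQUIRED_FIELDS - key.keys()
    if missing:
        raise ValueError(f"key file is missing fields: {sorted(missing)}")
    return key


def write_key_file(private_key_data: str, path: str) -> str:
    """Write the decoded key to path (mode 0600, never overwriting) and return its client_email."""
    key = decode_private_key_data(private_key_data)
    # Create the file with 0600 from the start instead of chmod after writing,
    # so the key is never readable by other users, even briefly. O_EXCL refuses
    # to clobber an existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as fh:
        json.dump(key, fh, indent=2)
    return key["client_email"]


if __name__ == "__main__":
    out = os.path.join(tempfile.mkdtemp(), "sa-bucket-owner.json")
    print("wrote key for", write_key_file(SAMPLE_PRIVATE_KEY_DATA, out), "to", out)
```

Point the GOOGLE_APPLICATION_CREDENTIALS environment variable at the written file to use it with Google client libraries; a key that fails validation is rejected before anything is written, so a truncated copy-and-paste does not leave a half-written key on disk.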
Provisioning a service account with a storage bucket
The following template shows how you might provision a service account with a storage bucket. In this example, you create a storage bucket, a service account, and a service account key.
To ensure that the storage bucket can only be accessed through the associated service account, you use the acl property in the cloud template. This property sets the access controls on the storage bucket resource. See the Google Cloud REST documentation for more information about bucket access controls.
```yaml
formatVersion: 1
inputs: {}
resources:
  key_owner:
    type: Idem.GCP.IAM.SERVICE_ACCOUNT_KEY
    dependsOn:
      - owner
    properties:
      name: owner
      account: gcp
      service_account_id: ${resource.owner.resource_id}
  owner:
    type: Idem.GCP.IAM.SERVICE_ACCOUNT
    properties:
      name: sa-1
      account: gcp
      account_id: sa-bucket-owner
  bucket:
    type: Idem.GCP.STORAGE.BUCKET
    dependsOn:
      - owner
    properties:
      name: bucket-1
      account: gcp
      acl:
        - entity: user-${resource.owner.email}
          role: OWNER
```
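The template above grants the bucket's only ACL entry to the service account. The check below is an added example, not Idem plug-in or Automation Assembler code: it takes a bucket ACL in the same entity/role shape as the template's acl property and reports every entry that is not the intended service account, including public grants (allUsers, allAuthenticatedUsers) and project- or group-scoped entities. The ACL lists are constructed; the service account email stands in for the resolved value of ${resource.owner.email}.

```python
"""
Verify that a bucket ACL grants access only to the intended service account.
Added example; not Idem plug-in or Automation Assembler code. Entries use the
entity/role layout of the template's acl property (and of the GCP BucketAccessControl
resource).
"""
from typing import Iterable, List

# Entities that open a bucket to anyone, or to any Google account.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: the resolved form of the template's single ACL entry.
SA_EMAIL = "sa-bucket-owner@example-project.iam.gserviceaccount.com"
EXPECTED_ACL = [{"entity": f"user-{SA_EMAIL}", "role": "OWNER"}]

# Constructed sample of ACL drift: a public reader and a project-wide owner
# grant added outside the template.
DRIFTED_ACL = EXPECTED_ACL + [
    {"entity": "allUsers", "role": "READER"},
    {"entity": "project-editors-123456789012", "role": "OWNER"},
]


def acl_violations(acl: Iterable[dict], allowed_emails: set) -> List[str]:
    """Return one description per ACL entry that is not an allowed user- entity."""
    problems = []
    for entry in acl:
        entity = entry.get("entity", "")
        role = entry.get("role", "")
        if entity in PUBLIC_ENTITIES:
            problems.append(f"public grant: {entity} as {role}")
        elif entity.startswith("user-"):
            email = entity[len("user-"):]
            if email not in allowed_emails:
                problems.append(f"unexpected principal: {email} as {role}")
        else:
            # group-, domain- and project- scopes widen access past one identity.
            problems.append(f"non-user scope: {entity} as {role}")
    return problems


def acl_matches_template(acl: Iterable[dict], sa_email: str) -> bool:
    """True when every ACL entry belongs to the template's service account."""
    return not acl_violations(acl, {sa_email})


if __name__ == "__main__":
    print("template ACL ok:", acl_matches_template(EXPECTED_ACL, SA_EMAIL))
    for problem in acl_violations(DRIFTED_ACL, {SA_EMAIL}):
        print("drift:", problem)
```

Bucket ACLs are only part of the picture: Cloud Storage also evaluates IAM policies on the bucket and its project, and enabling uniform bucket-level access disables ACLs altogether. A clean ACL therefore shows that the template's intent survived, not that no other principal can reach the bucket; review the IAM bindings as well.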