Local development without using google service account key

0
votes

Is it possible to do local development without using google service account key in minikube. Currently I have a service account key which I use to authenticate google services inside the pod in minikube.

I want to avoid using service account key and instead use IAM role.

Iam User - [email protected] 
I am given required role/permission to this iam user.

After using gcloud auth login, I can access the google services. Is it possible to do similar way in k8s/minikube pods.

2
google-cloud-platformminikube
In effect, gcloud auth login generates an OAuth token in a similar way to a service account but with different security and auditing. The important detail is what do you want to do after you have a token. Google prefers (and enforces via quotas) API calls with user credentials (gcloud auth login). Edit your question with additional details.John Hanley

2 Answers

2
votes

I think that you can cheat. Use it only for development environment, never in production

  • Firstly, locate your own user credentials created with the gcloud auth application-default login. The created file is
    • on linux ~/.config/gcloud/application_default_credentials.json
    • on windows %appdata%\gcloud\application_default_credentials.json
  • Then mount this file (or copy it) into minikube
  • You can define your GOOGLE_APPLICATION_CREDENTIALS env var to reference this file.

That's all, your credential will be used! Be careful, there is some limitation, I wrote an article on this

1
votes

I think you are mixing things up. You can never use a key instead of a role. In most cases, you need both of them. You need a key to authenticate to the Google Cloud Platform. And you need a certain IAM role to access services within GCP. Authentication means confirming your own identity, whereas authorization means being allowed access to the system.

In your specific case, I think you are referring to the process of letting your application/code use your own identity to authentication to the Google Cloud Platform. There are 2 possibilities here:

  1. Download a service account key file, which is prone to security leaks, because those key files are not rotated by themselves.

  2. As @guillaume blaquiere explains below, you could also generate a key file using your own identity. The specifics about this are well explained here and here. For local development, this is preferred over the other option.

If you want to know how your SDK works with key files, I would recommend you take a look inside the SDK for the programming language you are using. There is always be a reference to GOOGLE_APPLICATION_CREDENTIALS. This is the location of the key file you are using.