Reputation: 4084
I'm using juicefs-csi in GKE. I use Postgres as the meta store and GCS as storage. The corresponding setting is as follows:
node:
  # ...
storageClasses:
  - name: juicefs-sc
    enabled: true
    reclaimPolicy: Retain
    backend:
      name: juicefs
      metaurl: postgres://user:password@my-ec2-where-postgre-installed.ap-southeast-1.compute.amazonaws.com:5432/the-database?sslmode=disable
      storage: gs
      bucket: gs://my-bucket
    # ...
According to this documentation, I don't have to specify an access key/secret (like in S3).
But unfortunately, whenever I try to write anything to the mounted volume (with the juicefs-sc storage class), I always get this error:
AccessDeniedException: 403 Caller does not have storage.objects.create access to the Google Cloud Storage object.
I believe it is related to IAM roles.
My question is: how can I find out which IAM user/service account juicefs uses to access GCS, so that I can assign a sufficient role to it?
Thanks in advance.
EDIT
Step by step:
[image: juicefs-sc storage class]
Upvotes: 2
Views: 578
Reputation: 14102
OK, I misunderstood you at the beginning.
When you are creating a GKE cluster you can specify which GCP Service Account will be used by this cluster, like below:
By default it's the Compute Engine default service account ([email protected]), which lacks a few Cloud Product permissions (for Cloud Storage, it has Read Only). It's even described in this message.
If you want to check which Service Account was set by default on a VM, you can do this via Compute Engine > VM Instances > choose one of the VMs from this cluster > in the details find API and identity management.
So you have 3 options to solve this issue:
1. During Cluster creation
In Node Pools > Security, you have Access scopes, where you can add some additional permissions: Allow full access to all Cloud APIs (to allow access for all listed Cloud APIs) or Set access for each API.
In your case you could just use Set access for each API and change Storage to Full.
2. Set permissions with a Service Account
You would need to create a new Service Account and provide proper permissions for Compute Engine and Storage. More details about how to create an SA can be found in Creating and managing service accounts.
3. Use Workload Identity
Workload Identity on your Google Kubernetes Engine (GKE) clusters: Workload Identity allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services.
For more details you should check Using Workload Identity.
Useful links
Upvotes: 1
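The answer above works through the GKE console. As an added example (not from the question, the answer, or the JuiceFS project), the same diagnosis and the Workload Identity option (option 3) as shell commands. `node_identity` asks the GCE metadata server which service account and scopes a pod on the node actually receives, which answers the original question directly; `gcs_write_allowed` checks a scope list for anything that permits `storage.objects.create`, and the embedded scope list is a constructed copy of the GKE default node-pool scopes, whose `devstorage.read_only` entry is what produces the 403 in the question. The project ID, bucket, cluster, zone, the `juicefs-gcs` service-account name and the `kube-system/juicefs-csi-node-sa` Kubernetes service account are placeholders and assumptions; the last one in particular must be the service account of whichever pod runs `juicefs mount` in your deployment.

```shell
#!/usr/bin/env sh
# Added example, not part of the original Q&A or the JuiceFS project.
# PROJECT/BUCKET/CLUSTER/ZONE, the GSA name and the KSA namespace/name are
# placeholders (assumptions) to be replaced with your own values.

# Who am I on this node? Run from inside any pod (or on the node). Without
# Workload Identity a pod gets the node's service account and its scopes.
METADATA=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default
node_identity() {
  curl -fsS -H 'Metadata-Flavor: Google' "$METADATA/email"; echo
  curl -fsS -H 'Metadata-Flavor: Google' "$METADATA/scopes"
}

# Given a space- or newline-separated OAuth scope list, return 0 if the node
# token can create GCS objects. read_only (the GKE default) is not enough, and
# IAM roles on the service account cannot widen a token capped by its scopes.
gcs_write_allowed() {
  for scope in $1; do
    case "$scope" in
      */auth/cloud-platform|*/auth/devstorage.read_write|*/auth/devstorage.full_control) return 0 ;;
    esac
  done
  return 1
}

# Constructed sample: the default GKE node-pool scopes, for comparison with
# what $METADATA/scopes returns on your nodes.
DEFAULT_GKE_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/trace.append'

# Option 3 from the answer: give the JuiceFS mount pods their own IAM identity
# instead of widening the node scopes for every pod on the node.
setup_workload_identity() {
  PROJECT=$1; BUCKET=$2; CLUSTER=$3; ZONE=$4
  GSA="juicefs-gcs@${PROJECT}.iam.gserviceaccount.com"   # assumed GSA name
  KSA_NS=kube-system; KSA=juicefs-csi-node-sa            # assumed KSA; must be the pod that runs juicefs mount
  NODE_POOL=default-pool                                  # assumed pool name

  gcloud container clusters update "$CLUSTER" --zone "$ZONE" \
    --workload-pool="${PROJECT}.svc.id.goog"
  # Existing node pools keep the GCE metadata server until switched over.
  gcloud container node-pools update "$NODE_POOL" --cluster "$CLUSTER" --zone "$ZONE" \
    --workload-metadata=GKE_METADATA

  gcloud iam service-accounts create juicefs-gcs --project "$PROJECT"
  # Least privilege: object admin on this one bucket, not project-wide Storage Admin.
  gsutil iam ch "serviceAccount:${GSA}:roles/storage.objectAdmin" "gs://${BUCKET}"

  # Let exactly this KSA impersonate the GSA, then annotate the KSA.
  gcloud iam service-accounts add-iam-policy-binding "$GSA" \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:${PROJECT}.svc.id.goog[${KSA_NS}/${KSA}]"
  kubectl annotate serviceaccount -n "$KSA_NS" "$KSA" \
    "iam.gke.io/gcp-service-account=${GSA}" --overwrite
}

case "${1:-}" in
  --who)   node_identity ;;
  --apply) setup_workload_identity "$2" "$3" "$4" "$5" ;;
  *)
    if gcs_write_allowed "$DEFAULT_GKE_SCOPES"; then
      echo "default scopes allow storage.objects.create"
    else
      echo "default scopes are read-only for GCS: expect 403 on storage.objects.create"
    fi ;;
esac
```

Run it with no arguments to see the verdict for the default scope set, with `--who` from a pod in the cluster to see the identity juicefs actually uses, and with `--apply PROJECT BUCKET CLUSTER ZONE` to perform the Workload Identity setup. After the KSA is annotated, `--who` from a pod using that KSA should report the `juicefs-gcs` address instead of the Compute Engine default account. Separately from GCS, note that the posted `metaurl` carries the Postgres password in plain text and sets `sslmode=disable`; that URL lands in the chart values and the resulting Secret, so anyone who can read them gets the metadata database.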