GCP

Prerequisites #

To manage any Cloud Account using the instructions below, you need:

• The humctl CLI installed.

• These environment variables set:

  export HUMANITEC_ORG=<your-humanitec-org-id>
  export HUMANITEC_TOKEN=<humanitec-access-token>
  

GCP Service account keys #

Credentials: static

Create the Cloud Account #

1. Create a GCP service account which will be used by the Humanitec Platform Orchestrator.

   export SERVICE_ACCOUNT_NAME="humanitec-sa"
   gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME \
     --description="Used by Humanitec Platform Orchestrator" \
     --display-name=$SERVICE_ACCOUNT_NAME
   
   export SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list --filter="displayName:$SERVICE_ACCOUNT_NAME" --format=json | jq -rM '.[0].email')
   
   gcloud iam service-accounts keys create key.json \
       --iam-account=$SERVICE_ACCOUNT_EMAIL
   

   Export the values needed for the Cloud Account:

   export SERVICE_ACCOUNT_KEY=$(cat ./key.json)
   rm ./key.json
   

2. Create a Cloud Account in the Platform Orchestrator.

   Define the name and id of the new Cloud Account:

   export CLOUD_ACCOUNT_NAME="My GCP Cred Account"
   export CLOUD_ACCOUNT_ID=my-gcp-cred
   

   If you haven’t already done so (see Prerequisites), define these environment variables:

   export HUMANITEC_ORG=<your-humanitec-org-id>
   export HUMANITEC_TOKEN=<humanitec-access-token>
   

   Create the Cloud Account:

   • CLI
   • Terraform

   humctl api post /orgs/${HUMANITEC_ORG}/resources/accounts \
   -d '{
       "name": "'"${CLOUD_ACCOUNT_NAME}"'",
       "id": "'"${CLOUD_ACCOUNT_ID}"'",
       "type": "gcp",
       "credentials": '"${SERVICE_ACCOUNT_KEY}"'
   }
   '
   

   Using the Humanitec Terraform Provider:

   resource "humanitec_resource_account" "gcp" {
     id          = var.cloud_account_id
     name        = var.cloud_account_name
     type        = "gcp"
     credentials = jsonencode(var.service_account_key)
   }
   

   Inside the API, Cloud Accounts are called Resource Accounts, both represent the same entity.

3. Assign the required roles to Service Account.

   The Cloud Account is now ready for use by any Drivers supporting the gcp Account type. Remember to assign the required permissions to the Service Account on the target GCP services depending on the kind of operations it needs to perform.

Example: connect to an GKE cluster #

This example Resource Definition uses the GKE cluster Driver to connect to an GKE cluster. It includes a Cloud Account of type gcp via the driver_account setting. The Cloud Account credentials will be automatically picked up by the Driver with no further configuration required.

gke-static-credentials-cloudaccount.yaml (view on GitHub) :

# Connect to a GKE cluster using static credentials defined via a Cloud Account
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: gke-static-credentials-cloudaccount
entity:
  name: gke-static-credentials-cloudaccount
  type: k8s-cluster
  # The driver_account references a Cloud Account of type "gcp"
  # which needs to be configured for your Organization.
  driver_account: gcp-static-creds
  driver_type: humanitec/k8s-cluster-gke
  driver_inputs: 
    values: 
      loadbalancer: 35.10.10.10
      name: demo-123
      zone: europe-west2-a
      project_id: my-gcp-project