Implement GCE application default credentials #416
Conversation
* The `zone` parameter is optional, and configures the driver to *only* allow | ||
access to the given zone. Creating and listing disks from other zones will be | ||
denied. If a zone is not specified, the zone from the client Instance ID will | ||
be used when creating new disks. | ||
* The `defaultDiskType` parameter is optional, and specified what type of disk | ||
* The `defaultDiskType` parameter is optional, and specifies what type of disk |
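Review bot: the `zone` paragraph says access to other zones is "denied" and that the instance's own zone is used when none is configured, but it should state plainly that this is a driver-side configuration restriction, not an access control enforced through the service account, so operators do not read it as a permission boundary. Suggested addition after the second sentence: "This restriction is applied by the driver itself and does not change what the service account is permitted to do."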
Hi @codenrhoden,
This should omit the comma as follows:
The `defaultDiskType` parameter is optional and specifies what type of disk
The secondary part of the sentence is not a sentence on its own and thus a conjunctive comma is inappropriate.
Engine default service account, create a new service account with the Service | ||
Account Actor role, and create/download a new private key in JSON format. see | ||
[creating a service account](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount) | ||
* The libStorage server must be running on a GCE instance created with a Service |
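Review bot: the old paragraph's last sentence starts with a lowercase "see", and the new line is cut off mid-sentence in this view, so the complete paragraph should be checked in the file. Since this patch lets the driver obtain credentials from the instance metadata server, the paragraph should present the downloaded JSON private key as the fallback for instances that lack a suitably scoped service account, and say that the key file is a long-lived secret to be stored with restricted file permissions, whereas metadata-supplied credentials leave no key file on disk to protect.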
Hi @codenrhoden,
@cantbewong suggested the following change:
The libStorage server must be running on a GCE instance created with a Service Account with appropriate permissions, or a Service Account credentials file in JSON format must be supplied. If not using the Compute Engine default Service Account with the Cloud Platform/"all cloud APIs" scope, create a new Service Account via the IAM portal (Service accounts tab). This Service Account requires the Compute Engine/Instance Admin, Compute Engine/Storage Admin, and Project/Service Account Actor roles. Then create/download a new private key in JSON format. see creating a service account for details. Also note that if permissions on a service account are edited, an instance must be restarted to have them take effect.
I'm noting a change to Steve's suggestion:
The REX-Ray service must be restarted in order for permissions changes on a service account to take effect.
yes, agree with @akutz
Codecov Report

Coverage Diff:

| | release/0.5.0 | #416 | +/- |
|---|---|---|---|
| Coverage | 30.44% | 30.49% | +0.05% |
| Files | 29 | 29 | |
| Lines | 1741 | 1741 | |
| Hits | 530 | 531 | +1 |
| Misses | 1153 | 1152 | -1 |
| Partials | 58 | 58 | |

Continue to review full report at Codecov.
8be4156 to 0bc6491
Suggestions implemented. I linked directly to the Service Accounts page within the IAM portal instead of telling you to navigate there. I also mentioned restarting libStorage instead of REX-Ray -- I try not to reference REX-Ray from libStorage docs.
0bc6491 to 3330db5
Enhance the GCEPD driver by adding support for application default credentials. With this patch, a user no longer has to upload or provide a JSON encoded file with service account credentials, as the GCE client library will automatically fetch any service account credentials associated with the GCE instances via the metadata server. Improve docs to clarify what permissions are required of a service account, regardless of whether you are providing it via JSON or metadata lookup.
3330db5 to 5f8d7e2
LGTM