Create a Cross-Account Service Account
This page describes how to create and configure a cross-account service account for Zilliz Cloud to bootstrap your project data plane. This service account grants Zilliz Cloud the necessary permissions to manage VPC resources on your behalf.
Zilliz BYOC is currently available in General Availability. For access and implementation details, please contact Zilliz Cloud sales.
Procedures
You can use the Google Cloud Platform (GCP) console to create the cross-account service account. Alternatively, you can use the Terraform script Zilliz Cloud provides to bootstrap the infrastructure for your Zilliz Cloud project on GCP. For details, refer to Terraform Provider.
Step 1: Create a service account
In this step, you will create a service account that Zilliz Cloud uses to manage VPC resources on your behalf, and paste the service account email address back into the Zilliz Cloud console.
The steps for creating a service account are as follows:
- On the GCP console, find and click IAM & Admin.
- Choose Service Accounts on the left navigation pane.
- Click Create service account.
- Set a proper name for the service account to create. In this demo, you can set it to your-org-cross-account-sa. The service account ID is the first 18 characters of the service account name. You can manually set it to a proper value.
- Click Create and continue.
- Keep the default settings for Permissions and Principals.
- Click Done.
Step 2: Grant permissions
In this step, you will assign permissions to the service account created above by linking several roles to the service account.
Create an instance group manager custom role
You will create an instance group manager custom role and assign the custom role to the service account created above so that the service account has the minimum required permissions to manage GKE nodes.
The steps for creating the instance group manager custom role are as follows:
- On the GCP console, find and click IAM & Admin.
- Choose Roles from the left navigation pane.
- Click Create role.
- Set a title and description for the custom role to create.
- Change Role launch stage from Alpha to General Availability.
- Click Add permissions. The permissions to add in this step are as follows:
  - compute.instanceGroupManagers.get
  - compute.instanceGroupManagers.update
- Click Create.
Create an IAM custom role
You will create an IAM custom role and assign the custom role to the service account created above so that the service account has the minimum required permissions to manage IAM policies.
The steps for creating a custom role are as follows:
- On the GCP console, find and click IAM & Admin.
- Choose Roles from the left navigation pane.
- Click Create role.
- Set a title and description for the custom role to create.
- Change Role launch stage from Alpha to General Availability.
- Click Add permissions. The permissions to add in this step are as follows:
  - iam.serviceAccounts.getIamPolicy
  - iam.serviceAccounts.setIamPolicy
- Click Create.
Assign roles to the service account
You will assign the custom roles created above, together with several GCP-managed roles, to the cross-account service account.
The steps for assigning roles to the cross-account service account are as follows:
- On the GCP console, find and click IAM & Admin.
- On the IAM page, click Grant access.
- In the Grant access pane that opens, select the cross-account service account created in the previous step.
- Add the custom roles created in the previous steps and several GCP-managed roles to the service account.
The following table lists the roles to be assigned to the service account.
| Role | Type | Condition |
| --- | --- | --- |
| Instance group manager custom role (created above) | Custom | resource.name.extract("projects/{name}").startsWith("PROJECT_ID") && resource.name.extract("zones/{name}").startsWith("REGION") && resource.name.extract("instanceGroupManagers/{name}").startsWith("gke-CLUSTER_NAME") |
| IAM custom role (created above) | Custom | api.getAttribute("iam.googleapis.com/modifiedGrantsByRole", []).hasOnly(["roles/iam.workloadIdentityUser"]) |
| Kubernetes Engine Admin | GCP-managed | N/A |
| Storage Object Viewer | GCP-managed | resource.name.startsWith("projects/_/buckets/YOUR_BUCKET_NAME") |
Notes: You need to replace the placeholders in the above condition expressions with actual values:
- PROJECT_ID: your GCP project ID.
- REGION: the cloud region of your BYOC project.
- CLUSTER_NAME: the name of the GKE cluster that Zilliz Cloud will create on your behalf.
- YOUR_BUCKET_NAME: the name of the bucket created in the previous step.
- Click Save.
Grant access to other service accounts
You will grant the cross-account service account created in the previous step access to several other service accounts.
Follow the steps below to grant the cross-account service account access to these service accounts.
- On the GCP console, find and click Service Accounts.
- Find and click one of the service accounts listed below to view its details.

| Service account | Description |
| --- | --- |
| your-org-gke-node-sa | This service account is created in this step. |
| PROJECT_NUMBER-compute@developer.gserviceaccount.com | This service account is automatically created when you enable the Compute Engine API. |

Notes: You need to replace your-org-gke-node-sa with the actual name of the GKE service account created in Create GKE Service Account. You need to replace PROJECT_NUMBER with your own GCP project number.

- Switch to the Principals with access tab and click Grant access.
- Enter the cross-account service account created in the previous step in Add principals > New principals.
- Select Service Account User in Assign roles > Role.
Impersonate Zilliz Cloud's service account
You will allow the service account that Zilliz Cloud provides on the Zilliz Cloud console to impersonate the cross-account service account.
The steps for impersonating the service account that Zilliz Cloud provides are as follows:
- On the Zilliz Cloud console, copy the service account Zilliz Cloud provides.
- Go to the GCP console, find and click IAM & Admin.
- Choose Service Accounts in the left navigation pane.
- Filter your cross-account service account and click its name to view its details.
- Switch to the Principals with access tab and click Grant access.
- Paste the service account copied from the Zilliz Cloud console in Add principals > New principals.
- Select Service Account Token Creator in Assign roles > Role.
- Click Save.
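The console procedure on this page (Step 1, the two custom roles and the conditional role bindings of Step 2, the Service Account User grants on the other two service accounts, and the Service Account Token Creator grant for Zilliz Cloud's service account) as gcloud commands, added here as an example and not Zilliz Cloud's own script. The custom role IDs (zillizInstanceGroupManager, zillizIamPolicyManager), the condition titles and the display name are assumptions; the permissions, managed roles and condition expressions are the ones listed above. It only prints the commands by default (DRY_RUN=1) so they can be reviewed; set DRY_RUN=0 and the placeholder variables to apply them to a real project.

```shell
#!/bin/sh
# Added example, not Zilliz Cloud's script. Role IDs, condition titles and the
# display name are assumptions; permissions, roles and CEL expressions are from
# the page. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs gcloud.
PROJECT_ID="${PROJECT_ID:-PROJECT_ID}"; REGION="${REGION:-REGION}"
CLUSTER_NAME="${CLUSTER_NAME:-CLUSTER_NAME}"; BUCKET="${BUCKET:-YOUR_BUCKET_NAME}"
NODE_SA="${NODE_SA:-your-org-gke-node-sa@${PROJECT_ID}.iam.gserviceaccount.com}"
COMPUTE_SA="${COMPUTE_SA:-PROJECT_NUMBER-compute@developer.gserviceaccount.com}"
ZILLIZ_SA="${ZILLIZ_SA:-ZILLIZ_SA_FROM_CONSOLE}"   # copied from the Zilliz Cloud console
SA_NAME="your-org-cross-account-sa"; SA="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf 'gcloud %s\n' "$*"; else gcloud "$@"; fi; }
# Condition expressions from the role table, with the placeholders substituted.
igm_expr() { printf '%s' "resource.name.extract(\"projects/{name}\").startsWith(\"$PROJECT_ID\") && resource.name.extract(\"zones/{name}\").startsWith(\"$REGION\") && resource.name.extract(\"instanceGroupManagers/{name}\").startsWith(\"gke-$CLUSTER_NAME\")"; }
iam_expr() { printf '%s' 'api.getAttribute("iam.googleapis.com/modifiedGrantsByRole", []).hasOnly(["roles/iam.workloadIdentityUser"])'; }
bucket_expr() { printf '%s' "resource.name.startsWith(\"projects/_/buckets/$BUCKET\")"; }
# gcloud's --condition flag splits on commas and the IAM expression contains one,
# so conditions are written to a YAML file and passed with --condition-from-file.
cel_yaml() { printf 'title: %s\nexpression: |\n  %s\n' "$1" "$2"; }
bind_project() { # $1 role, $2 condition title, $3 expression ("" = unconditional)
  if [ -z "$3" ]; then  # --condition=None keeps gcloud from prompting for a condition
    run projects add-iam-policy-binding "$PROJECT_ID" --member="serviceAccount:$SA" --role="$1" --condition=None
  else
    f=$(mktemp); cel_yaml "$2" "$3" >"$f"
    run projects add-iam-policy-binding "$PROJECT_ID" --member="serviceAccount:$SA" --role="$1" --condition-from-file="$f"
    if [ "$DRY_RUN" = 1 ]; then cat "$f"; fi; rm -f "$f"
  fi
}
bind_sa() { run iam service-accounts add-iam-policy-binding "$1" --member="serviceAccount:$2" --role="$3"; } # $1 target SA, $2 principal, $3 role
bootstrap() {
  # Step 1: the cross-account service account
  run iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" --display-name="Zilliz Cloud cross-account SA"
  # Step 2: custom roles carrying only the listed permissions, launch stage GA
  run iam roles create zillizInstanceGroupManager --project="$PROJECT_ID" --stage=GA --permissions=compute.instanceGroupManagers.get,compute.instanceGroupManagers.update
  run iam roles create zillizIamPolicyManager --project="$PROJECT_ID" --stage=GA --permissions=iam.serviceAccounts.getIamPolicy,iam.serviceAccounts.setIamPolicy
  # Role table: custom roles scoped by condition, GKE admin unconditional, object read limited to the BYOC bucket
  bind_project "projects/$PROJECT_ID/roles/zillizInstanceGroupManager" gke-migs-only "$(igm_expr)"
  bind_project "projects/$PROJECT_ID/roles/zillizIamPolicyManager" workload-identity-grants-only "$(iam_expr)"
  bind_project roles/container.admin "" ""
  bind_project roles/storage.objectViewer byoc-bucket-only "$(bucket_expr)"
  # Service Account User on the GKE node SA and the default Compute Engine SA
  bind_sa "$NODE_SA" "$SA" roles/iam.serviceAccountUser
  bind_sa "$COMPUTE_SA" "$SA" roles/iam.serviceAccountUser
  # Service Account Token Creator: Zilliz Cloud's SA may impersonate the cross-account SA
  bind_sa "$SA" "$ZILLIZ_SA" roles/iam.serviceAccountTokenCreator
}
bootstrap
```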