From 60c244657c955ac0e5354e4f266d651ab0b125aa Mon Sep 17 00:00:00 2001 From: Melvin Zottola Date: Tue, 30 Jun 2026 14:44:01 +0200 Subject: [PATCH] feat(qov-1844) Add step to configure correctly service account cluster --- .../integrations/kubernetes/gke/managed.mdx | 28 +++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/docs/configuration/integrations/kubernetes/gke/managed.mdx b/docs/configuration/integrations/kubernetes/gke/managed.mdx index 944959a..3bdacc7 100644 --- a/docs/configuration/integrations/kubernetes/gke/managed.mdx +++ b/docs/configuration/integrations/kubernetes/gke/managed.mdx @@ -88,7 +88,6 @@ gcloud kms keys add-iam-policy-binding \ --member="serviceAccount:service-@compute-system.iam.gserviceaccount.com" \ --role="roles/cloudkms.cryptoKeyEncrypterDecrypter" ``` - `` - the GCP project ID of the project where your KMS key is stored (e.g. my-test-project) @@ -103,7 +102,32 @@ gcloud kms keys add-iam-policy-binding \ `` - the name of the KMS key (e.g. my-key) -#### Step 3 - Set your KMS key on cluster creation +#### Step 3 - Grant your cluster service account on your KMS key + + + This step is needed only for GKE clusters in a different project than the KMS key created + + +* Create dedicated role in your KMS Key project: + ```bash + gcloud iam roles create qovery-role-kms-get-iam-policy \ + --project= \ + --title="Qovery KMS Get IAM Policy" \ + --description="Allows reading IAM policy on KMS resources only" \ + --permissions=cloudkms.cryptoKeys.getIamPolicy \ + --stage=GA + ``` +* Grant your service account on your kms key with the new role: + ```bash + gcloud kms keys add-iam-policy-binding \ + --keyring= \ + --location= \ + --project= \ + --member="serviceAccount:" \ + --role="projects//roles/qovery-role-kms-get-iam-policy" + ``` + +#### Step 4 - Set your KMS key on cluster creation Enable the GKE KMS key option when creating your cluster:
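Review bot: The new Step 3 (second hunk) introduces placeholders it never documents, whereas Step 2 lists each of its placeholders (`` - the GCP project ID of the project where your KMS key is stored`, `` - the name of the KMS key`). Two of them matter for getting the grant right: `--member="serviceAccount:"` should state which service account is meant (the cluster's own service account in the cluster project, which is not the `service-@compute-system.iam.gserviceaccount.com` service agent bound in Step 2), and both `--project=` in `gcloud iam roles create` and the `projects//roles/qovery-role-kms-get-iam-policy` path in `--role` must name the KMS key project, because that is where the custom role is created. Suggest extending the placeholder list after the second code block accordingly. Restricting the role to `cloudkms.cryptoKeys.getIamPolicy` rather than a broader predefined role is the right least-privilege choice and worth stating in the description. Minor wording: "Create dedicated role" should read "Create a dedicated role", "kms key" should be "KMS key" as elsewhere on the page, and "in a different project than the KMS key created" reads better as "in a different project from the one where the KMS key was created".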