The user for the Google Service Account that has to be created has to have three roles:
A Google Service Account for the platform has to be created; see Creating and managing service accounts. The result is a JSON file containing the fields
The private key is BASE64 and contains its newlines as non-escaped “\n” strings. To avoid the trouble this causes, the machine controller expects the whole service account encoded in BASE64.
The service account will be passed in the field serviceAccount of the cloudProviderSpec. If unset, the environment variable will be taken.
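The encoding step described above, as an added example (not code from the machine controller project): it checks that the key file is still intact JSON with a PEM private key before encoding the whole file as one line of BASE64. The sample key file is constructed, the function names are hypothetical, and the field names private_key, client_email, project_id and type are assumed from the standard Google key file layout.

```python
import base64
import json

# Constructed sample shaped like a Google service account key file.
# Placeholder values only, no real key material.
SAMPLE_KEY_FILE = (
    '{\n'
    '  "type": "service_account",\n'
    '  "project_id": "example-project",\n'
    '  "private_key": "-----BEGIN PRIVATE KEY-----\\nQ09OU1RSVUNURUQ=\\n'
    '-----END PRIVATE KEY-----\\n",\n'
    '  "client_email": "mc@example-project.iam.gserviceaccount.com"\n'
    '}\n'
)


def encode_service_account(raw: bytes) -> str:
    """Validate the key file, then return the whole file as one base64 line."""
    try:
        account = json.loads(raw)
    except ValueError as exc:
        # Typical cause: a template or copy/paste step turned the escaped
        # "\n" inside private_key into real line breaks, which is invalid JSON.
        raise ValueError("key file is not valid JSON") from exc
    key = account.get("private_key", "") if isinstance(account, dict) else ""
    if "-----BEGIN" not in key or "\n" not in key:
        raise ValueError("private_key is missing or its newlines were lost")
    # Encode the untouched file bytes: the result has no quotes, backslashes
    # or line breaks left for YAML or a shell to reinterpret.
    return base64.b64encode(raw).decode("ascii")


def decode_service_account(encoded: str) -> dict:
    """Reverse the encoding the way a consumer of the field would (assumed)."""
    return json.loads(base64.b64decode(encoded, validate=True))


if __name__ == "__main__":
    value = encode_service_account(SAMPLE_KEY_FILE.encode("utf-8"))
    restored = decode_service_account(value)
    print("encoded length:", len(value))
    print("PEM line breaks preserved:", restored["private_key"].count("\n"))
```

BASE64 is an encoding, not encryption: the encoded value is still the private key and needs the same handling as the JSON file.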