Replace workload identity with workload identity federation - Githubissues

GoogleCloudPlatform / microservices-demo

Sample cloud-first application with 10 microservices showcasing Kubernetes, Istio, and gRPC.

https://cymbal-shops.retail.cymbal.dev

Apache License 2.0

16.29k stars 6.82k forks source link

Replace workload identity with workload identity federation #2451

Open NimJay opened 3 months ago

NimJay commented 3 months ago

Describe request or inquiry

We can now bind Google Cloud IAM roles directly to Kubernetes ServiceAccount — instead of using Google Service Accounts as a link between the roles and Kubernetes ServiceAccount.
We do this through a feature called Workload identity federation.

What purpose/environment will this feature serve?

This impacts everything that uses Workload Identity — the AlloyDB Kustomize component, the Google Cloud Observability Kustomize component, the Spanner Kustomize component, etc.

mathieu-benoit commented 3 months ago

Simplifying a lot the setup of the KSA/GSA, etc. indeed!

JFYI: I just updated this blog post with this new approach with Online Boutique and Spanner: https://medium.com/p/f7248e077339, just sharing! ;)