ThreeDotsLabs / watermill

Building event-driven applications the easy way in Go.
https://watermill.io
MIT License

Any plans for supporting GKE Workload Identity for Google Pub/Sub #292

Open faraonc opened 2 years ago

faraonc commented 2 years ago

Overview

I was hoping I could leverage GKE Workload Identity instead of generating the service account keys via a JSON file.

I gave it a shot today, but it seems like GOOGLE_APPLICATION_CREDENTIALS is the only way to get it to work. I was hoping I could get away with something like assigning a serviceAccountName to my pod.

How I expect to set up GKE Workload Identity with Google Pub/Sub

Create a topic

gcloud pubsub topics create example.topic

Create a service account for publisher called gcp-publisher-test in the default namespace

kubectl create serviceaccount --namespace default gcp-publisher-test

gcloud iam service-accounts create gcp-publisher-test

gcloud iam service-accounts add-iam-policy-binding \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:<PROJECT_ID>.svc.id.goog[default/gcp-publisher-test]" \
    gcp-publisher-test@<PROJECT_ID>.iam.gserviceaccount.com

kubectl annotate serviceaccount \
    --namespace default gcp-publisher-test iam.gke.io/gcp-service-account=gcp-publisher-test@<PROJECT_ID>.iam.gserviceaccount.com

gcloud pubsub topics add-iam-policy-binding example.topic \
  --member="serviceAccount:<PROJECT_ID>.svc.id.goog[default/gcp-publisher-test]" --role="roles/pubsub.publisher" 

gcloud pubsub topics add-iam-policy-binding example.topic \
  --member="serviceAccount:<PROJECT_ID>.svc.id.goog[default/gcp-publisher-test]" --role="roles/pubsub.viewer" 

Create a Deployment or pod in the default namespace that uses the service account gcp-publisher-test

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: publisher
  name: gcp-publisher
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: publisher
  template:
    metadata:
      labels:
        app: publisher
    spec:
      serviceAccountName: gcp-publisher-test
      containers:
        - image: <some image that uses github.com/ThreeDotsLabs/watermill-googlecloud>
          name: publisher
      imagePullSecrets:
        - name: <some secrets>

arthurspa commented 12 months ago

Workload Identity works for me with watermill v1.3.5 and watermill-googlecloud v1.1.0. I struggled a bit but managed to make it work.

The service account was created in GCP with proper permissions (I don't know more details since it was the DevOps teams that did that for me).

I have added a kind: ServiceAccount and the annotation iam.gke.io/gcp-service-account to my service-account.yaml Helm chart template. Also, in the deployment spec I specify the service account name with serviceAccountName.

Can't share code details unfortunately.
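Neither comment spells out why the annotated serviceAccountName works without a key file: the Pub/Sub client behind watermill-googlecloud uses Application Default Credentials, which fall through to the metadata server when GOOGLE_APPLICATION_CREDENTIALS is unset. The following is an added example, not code from the watermill project or from either commenter; it models that lookup order and asks the GKE metadata server which Google service account the pod actually resolves to, so the KSA annotation and serviceAccountName wiring can be confirmed from inside the pod. EXPECTED_GSA is an assumed environment variable; the metadata URL and the Metadata-Flavor header are the documented ones.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// Evaluate names the credential source Application Default Credentials (ADC) will use in this pod:
// ADC consults the key file named by GOOGLE_APPLICATION_CREDENTIALS before the metadata server, and on a
// Workload Identity node pool that server is the GKE one, issuing tokens for the GSA bound to the pod's KSA.
func Evaluate(keyFileEnv, metadataEmail, expectedGSA string) (source, detail string) {
	switch {
	case keyFileEnv != "":
		return "key-file", "GOOGLE_APPLICATION_CREDENTIALS=" + keyFileEnv + " shadows Workload Identity: unset it and stop mounting the key"
	case metadataEmail == "":
		return "none", "metadata server unreachable: is Workload Identity enabled on this node pool?"
	case metadataEmail != expectedGSA:
		return "workload-identity", "pod runs as " + metadataEmail + ", not " + expectedGSA + ": check the KSA annotation and serviceAccountName"
	}
	return "workload-identity", "pod obtains tokens for " + expectedGSA + " from the GKE metadata server"
}

// MetadataEmail asks the metadata server which service account the pod resolves to; baseURL is a parameter so a test can use a local server.
func MetadataEmail(baseURL string) string {
	req, err := http.NewRequest("GET", baseURL+"/computeMetadata/v1/instance/service-accounts/default/email", nil)
	if err != nil {
		return ""
	}
	req.Header.Set("Metadata-Flavor", "Google") // the metadata server rejects requests without this header
	resp, err := (&http.Client{Timeout: 2 * time.Second}).Do(req)
	if err != nil {
		return ""
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		body = nil // treat any non-200 answer (e.g. 404) as "no identity"
	}
	return strings.TrimSpace(string(body))
}

func main() {
	// EXPECTED_GSA is a hypothetical env var, e.g. gcp-publisher-test@<PROJECT_ID>.iam.gserviceaccount.com
	src, why := Evaluate(os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"), MetadataEmail("http://metadata.google.internal"), os.Getenv("EXPECTED_GSA"))
	fmt.Printf("source=%s: %s\n", src, why)
}
```

Run it once from a shell inside the publisher pod; a "key-file" verdict means the image or manifest still injects a JSON key that will win over Workload Identity.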