Open aakash-lohono opened 2 years ago
You can also use application default credentials that may be available on the GKE cluster: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#primary-authentication
I'm not really sure what you have available within the pod though, how does it identify as the service account?
Apologies for my explanation; there's a lot of reading material to point to exactly the appropriate snippet.
Documentation for Workload Identity and screenshots above:
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to
Example usage wherein we don't need to explicitly mount any service account key within the pod and still can access GCP apis
https://debricked.com/blog/what-is-gke-workload-identity/
What have I tried?

role/storageAdmin)
b. made the said GCP service account an IAM member of roles/iam.workloadIdentityUser
c. created a Kubernetes SA annotated with iam.gke.io/gcp-service-account: ${sa_name}@${project_id}.iam.gserviceaccount.com
d. created a google/cloud-sdk pod with the said Kubernetes SA
e. any interaction with gcloud or gsutil now works successfully without invoking gcloud activate-service-account ... on any mounted SA key JSON file. I can list buckets and upload or download files now.

I'm not sure what part I can explain better; let me know if you need help with any of the materials @slevenick
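Steps a to e above written as Terraform, added here as an example and not code from the issue or the provider's documentation. It assumes variables project_id, gsa_name, k8s_namespace and ksa_name, a cluster whose workload pool is already project_id.svc.id.goog, and a configured kubernetes provider; the storage role is given in its canonical form roles/storage.admin.

```hcl
# Added example (not the issue author's): Terraform for steps a-e above.
# Assumes vars project_id, gsa_name, k8s_namespace, ksa_name; a cluster whose
# workload pool is "${project_id}.svc.id.goog"; a configured kubernetes provider.
# (a) GCP service account, limited to Cloud Storage (roles/storage.admin).
resource "google_service_account" "wi" {
  project    = var.project_id
  account_id = var.gsa_name
}
resource "google_project_iam_member" "storage" {
  project = var.project_id
  role    = "roles/storage.admin"
  member  = "serviceAccount:${google_service_account.wi.email}"
}
# (b) Only this one Kubernetes SA (namespace/name) may impersonate the GCP SA.
resource "google_service_account_iam_member" "wi_user" {
  service_account_id = google_service_account.wi.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.k8s_namespace}/${var.ksa_name}]"
}
# (c) Kubernetes SA annotated with the GCP SA it maps to.
resource "kubernetes_service_account" "wi" {
  metadata {
    name      = var.ksa_name
    namespace = var.k8s_namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.wi.email
    }
  }
}
# (d) Pod under that SA; no service account key file is mounted anywhere.
resource "kubernetes_pod" "sdk" {
  metadata {
    name      = "cloud-sdk"
    namespace = var.k8s_namespace
  }
  spec {
    service_account_name = kubernetes_service_account.wi.metadata[0].name
    container {
      name    = "sdk"
      image   = "google/cloud-sdk"
      command = ["sleep", "infinity"]
    }
  }
}
# (e) Terraform run inside the pod: no credentials/access_token is set; the
# provider uses Application Default Credentials from the GKE metadata server.
provider "google" {
  project = var.project_id
}
```

Because the workloadIdentityUser member string names one namespace/SA pair, only pods using that Kubernetes SA obtain tokens for the GCP SA, and there is no key file to rotate or leak.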
Description

GKE cluster
google provider within this pod and want to utilise the same service account.
google provider to utilise the said workload identity enabled service account.

New or Affected Resource(s)

References