hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

workload-identity in provider config on GKE #10710

Open aakash-lohono opened 2 years ago

aakash-lohono commented 2 years ago

Description

  1. Apologies if this is supposed to be a question.
  2. I've a Workload Identity enabled GKE cluster.
  3. I'm running a pod with a service account appropriately annotated to utilise said Workload Identity. I've verified it's working by running the gcloud image separately with the same service account.
  4. I want to run Terraform with the google provider within this pod and want to utilise the same service account.
  5. I don't see any way to configure the google provider to utilise the said Workload Identity enabled service account.
  6. According to the docs, you need to provide a service account key file.

slevenick commented 2 years ago

You can also use application default credentials that may be available on the GKE cluster: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#primary-authentication

I'm not really sure what you have available within the pod though, how does it identify as the service account?

aakash-lohono commented 2 years ago

Apologies for my explanation; there's a lot of reading material to point exactly to the appropriate snippet.

[Three screenshots of the Workload Identity documentation, taken 2021-12-17]

Documentation for Workload Identity and screenshots above:

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to

Example usage wherein we don't need to explicitly mount any service account key within the pod and still can access GCP apis

https://debricked.com/blog/what-is-gke-workload-identity/

What have I tried?

  1. Start a Workload Identity enabled cluster.
  2. I've deployed SSL certificates without any SA key file with cert-manager by following the guide.
  3. Configure Config Connector, which utilizes the Workload Identity mechanism (guide).
  4. Manually verified the gcloud SDK's interaction with Workload Identity:
     a. Create a GCP service account with arbitrary roles/permissions that suit my need (I tried roles/storageAdmin).
     b. Made the said GCP service account an IAM member of roles/iam.workloadIdentityUser.
     c. Create a Kubernetes SA annotated with iam.gke.io/gcp-service-account: ${sa_name}@${project_id}.iam.gserviceaccount.com.
     d. Create a google/cloud-sdk pod with the said Kubernetes SA.
     e. Any interaction with gcloud or gsutil now works successfully without invoking gcloud activate-service-account ... on any mounted SA key JSON file. I can list buckets and upload or download files now.

I'm not sure what part I can explain better; let me know if you need help with any of the materials @slevenick
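Putting slevenick's pointer to Application Default Credentials together with the steps in the comment above, here is an added example (not code from this issue or from the provider's own docs) of a provider block that carries no `credentials` at all, alongside the Workload Identity wiring it relies on; the project, namespace and account names are placeholders, and the `kubernetes_service_account` resource assumes the separate `kubernetes` provider is configured.

```hcl
# Placeholder names, chosen for this example only.
locals {
  project   = "my-project"
  namespace = "terraform"
  ksa_name  = "terraform-runner"
}

# 1. No credentials / access_token argument: the provider falls back to
#    Application Default Credentials. Inside a Workload Identity pod, ADC
#    resolves to the GKE metadata server, which serves tokens for the Google
#    service account mapped to the pod's Kubernetes service account.
#    Nothing is mounted, so there is no key file to leak or rotate.
provider "google" {
  project = local.project
  region  = "us-central1"
}

# 2. The Google service account the pod acts as.
resource "google_service_account" "terraform" {
  account_id   = "terraform-runner"
  display_name = "Terraform runner (Workload Identity)"
}

# 3. Allow the Kubernetes SA to impersonate it (step 4b above). Grant only
#    the roles the Terraform run actually needs to this account; this
#    binding itself confers no project permissions.
resource "google_service_account_iam_member" "wi_user" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${local.project}.svc.id.goog[${local.namespace}/${local.ksa_name}]"
}

# 4. The annotated Kubernetes SA (step 4c above), managed via the
#    kubernetes provider; the annotation value is the GSA e-mail.
resource "kubernetes_service_account" "terraform" {
  metadata {
    name      = local.ksa_name
    namespace = local.namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.terraform.email
    }
  }
}
```

Resources 2 to 4 have to be applied once by an identity that already holds IAM permissions, since the pod's identity does not exist until they are in place; after that, a pod running under the annotated Kubernetes SA needs only the provider block. To confirm which identity ADC will pick up before running Terraform, query the metadata server from inside the pod: `curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email`.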