Open nazarewk opened 2 weeks ago
I found it could theoretically work if not for parsing the project out of the Service Account Email:
https://github.com/pfnet-research/gcp-workload-identity-federation-webhook/blob/047970ff29def038b98b74710305ec4b4b62802b/webhooks/mutatepod.go#L57-L64
EDIT: and a few more places
I am not sure since when (probably quite recently) it is possible to grant direct resource access to federation principals without using GCP Service Account as a middleman.
It would be great to support this use case here.
When I try to skip the service account email annotation I'm getting this error: https://github.com/pfnet-research/gcp-workload-identity-federation-webhook/blob/047970ff29def038b98b74710305ec4b4b62802b/webhooks/identityconfig.go#L88, which at the same time is wrong (it should point to the service account annotation, not the expiration annotation).
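To make the two modes concrete, here is an added illustration (not the webhook's own code) of what an `external_account` credential config looks like with and without service-account impersonation; the point is that the project only has to be parsed out of the email when impersonation is requested, so an absent email can be treated as "direct resource access" instead of an error. The email, audience and token path below are constructed sample values.

```python
import re
from typing import Optional

# Constructed sample values for this example; none of them come from the issue.
SA_EMAIL = "app-sa@my-project.iam.gserviceaccount.com"
AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
            "workloadIdentityPools/k8s-pool/providers/k8s-provider")
TOKEN_FILE = "/var/run/secrets/tokens/gcp-ksa/token"

# <account-id>@<project-id>.iam.gserviceaccount.com
SA_EMAIL_RE = re.compile(r"^([^@]+)@([^.]+)\.iam\.gserviceaccount\.com$")


def project_from_sa_email(sa_email: Optional[str]) -> Optional[str]:
    """Return the project id embedded in a service account email.

    None (no email) is a valid input here: without impersonation there is
    no project to derive, so the caller must not fail on it."""
    if not sa_email:
        return None
    m = SA_EMAIL_RE.match(sa_email)
    if not m:
        raise ValueError(f"not a service account email: {sa_email!r}")
    return m.group(2)


def build_credential_config(audience: str, token_file: str,
                            sa_email: Optional[str] = None) -> dict:
    """Build a GCP external_account credential config.

    With sa_email the STS token is exchanged for a service account access
    token (the 'middleman'); without it the federated principal itself is
    the identity that IAM bindings must grant access to."""
    cfg = {
        "type": "external_account",
        "audience": audience,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {"file": token_file},
    }
    if sa_email:
        project_from_sa_email(sa_email)  # validates the email before use
        cfg["service_account_impersonation_url"] = (
            "https://iamcredentials.googleapis.com/v1/projects/-/"
            f"serviceAccounts/{sa_email}:generateAccessToken")
    return cfg
```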