GCP Workload Identity

[y4h2]

Main use case: to access GCP services, avoid exposing service account key.

Bind IAM service account with Kubernetes service account

[y4h2]

terraform module terraform-google-workload-identity : Bind IAM Service Account with Kubernetes Service Account

[y4h2]

GKE use Workload Identity

• enable workload identity in GKE
• Create node pool with workload identity config
• Create Pod with tags to use workload identity

  nodeSelector:
  iam.gke.io/gke-metadata-server-enabled: "true"

[y4h2]

To test workload identity in GKE

deploy

apiVersion: v1
kind: Pod
metadata:
  name: workload-identity-test
  namespace: NAMESPACE
spec:
  containers:
  - image: google/cloud-sdk:slim
    name: workload-identity-test
    command: ["sleep","infinity"]
  serviceAccountName: KSA_NAME
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"

create pod: kubectl apply -f wi-test.yaml

open interactive session

kubectl exec -it workload-identity-test \
  --namespace NAMESPACE \
  -- /bin/bash

get iam email

curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email