GCP Workload Identity

Watchanon Numnam
1 min read · Dec 30, 2021
1. Enable the IAM Service Account Credentials API

2. Create a new cluster with Workload Identity enabled

gcloud container clusters create CLUSTER_NAME \
--workload-pool=PROJECT_ID.svc.id.goog

3. Create Kubernetes Service Account (KSA) for your application

kubectl create serviceaccount KSA_NAME \
--namespace K8S_NAMESPACE

4. Configure the application to use the Kubernetes Service Account

spec:
  serviceAccountName: KSA_NAME

5. Create a Google Service Account (GSA)

gcloud iam service-accounts create GSA_NAME

6. Grant the required IAM roles to your GSA

gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:GSA_NAME@PROJECT_ID.iam.gserviceaccount.com" \
--role "ROLE_NAME"

7. Allow the Kubernetes Service Account (KSA) to impersonate the Google Service Account by creating an IAM policy binding

gcloud iam service-accounts add-iam-policy-binding GSA_NAME@PROJECT_ID.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]"

8. Add the `iam.gke.io/gcp-service-account` annotation to the Kubernetes Service Account, using the email address of the Google Service Account as its value

kubectl annotate serviceaccount KSA_NAME \
--namespace K8S_NAMESPACE \
iam.gke.io/gcp-service-account=GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

9. Verify the setup with a test Pod (wi-test.yaml) that runs under the KSA

apiVersion: v1
kind: Pod
metadata:
  name: workload-identity-test
  namespace: K8S_NAMESPACE
spec:
  containers:
  - image: google/cloud-sdk:slim
    name: workload-identity-test
    command: ["sleep","infinity"]
  serviceAccountName: KSA_NAME

Create the Pod

kubectl apply -f wi-test.yaml

Test: from a shell inside the Pod, query the metadata server; the service-accounts listing should include the GSA email

kubectl exec -it workload-identity-test \
--namespace K8S_NAMESPACE -- /bin/bash
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/
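Steps 7 and 8 must agree: the IAM member granted roles/iam.workloadIdentityUser on the GSA has to be exactly the KSA that carries the annotation. The following audit, added here and not part of the original post, cross-checks the two over constructed samples shaped like `kubectl get serviceaccounts -A -o json` and `gcloud iam service-accounts get-iam-policy GSA --format=json` (the names my-proj, prod, app-ksa, batch-gsa and so on are made up). It reports annotated KSAs with no matching binding (tokens will fail) and bindings that no annotated KSA uses (an impersonation grant to tighten or remove).

```python
import json

# Constructed sample: `kubectl get serviceaccounts -A -o json`, trimmed to the fields used.
KSA_JSON = json.dumps({"items": [
    {"metadata": {"name": "app-ksa", "namespace": "prod", "annotations": {
        "iam.gke.io/gcp-service-account": "app-gsa@my-proj.iam.gserviceaccount.com"}}},
    {"metadata": {"name": "batch-ksa", "namespace": "prod", "annotations": {
        "iam.gke.io/gcp-service-account": "batch-gsa@my-proj.iam.gserviceaccount.com"}}},
    {"metadata": {"name": "default", "namespace": "prod"}},   # no annotation: not using WI
]})

# Constructed sample: `gcloud iam service-accounts get-iam-policy GSA --format=json`, keyed by GSA.
GSA_POLICIES_JSON = json.dumps({
    "app-gsa@my-proj.iam.gserviceaccount.com": {"bindings": [
        {"role": "roles/iam.workloadIdentityUser",
         "members": ["serviceAccount:my-proj.svc.id.goog[prod/app-ksa]",
                     "serviceAccount:my-proj.svc.id.goog[dev/old-ksa]"]}]},   # dev/old-ksa is stale
    "batch-gsa@my-proj.iam.gserviceaccount.com": {"bindings": []},            # step 7 was skipped
})

ANNOTATION = "iam.gke.io/gcp-service-account"
WI_ROLE = "roles/iam.workloadIdentityUser"


def wi_member(project_id, namespace, ksa):
    """IAM member string GKE presents for a KSA under Workload Identity (step 7)."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]"


def audit(ksa_json, gsa_policies_json, project_id):
    """Cross-check step 7 (IAM binding on the GSA) against step 8 (annotation on the KSA).

    Returns (broken, stale) as lists of (member, gsa_email):
      broken: KSA annotated with a GSA that does not grant it workloadIdentityUser
      stale:  workloadIdentityUser member on a GSA that no annotated KSA corresponds to
    """
    policies = json.loads(gsa_policies_json)
    expected = {}  # gsa email -> members that should hold WI_ROLE, derived from annotations
    for sa in json.loads(ksa_json)["items"]:
        meta = sa["metadata"]
        gsa = meta.get("annotations", {}).get(ANNOTATION)
        if gsa:
            expected.setdefault(gsa, set()).add(wi_member(project_id, meta["namespace"], meta["name"]))
    broken, stale = [], []
    for gsa in sorted(set(expected) | set(policies)):
        granted = {m for b in policies.get(gsa, {}).get("bindings", [])
                   if b["role"] == WI_ROLE for m in b["members"]}
        wanted = expected.get(gsa, set())
        broken += [(m, gsa) for m in sorted(wanted - granted)]
        stale += [(m, gsa) for m in sorted(granted - wanted)]
    return broken, stale
```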
