GCP Workload Identity
Dec 30, 2021
1. Enable the IAM Service Account Credentials API
2. Create a new cluster with Workload Identity enabled

```bash
gcloud container clusters create CLUSTER_NAME \
  --workload-pool=PROJECT_ID.svc.id.goog
```
3. Create a Kubernetes Service Account (KSA) for your application

```bash
kubectl create serviceaccount KSA_NAME \
  --namespace K8S_NAMESPACE
```
4. Configure the application's Pod spec to use the Kubernetes Service Account

```yaml
spec:
  serviceAccountName: KSA_NAME
```
5. Create a Google Service Account (GSA)

```bash
gcloud iam service-accounts create GSA_NAME
```
6. Grant roles to your GSA

```bash
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member "serviceAccount:GSA_NAME@PROJECT_ID.iam.gserviceaccount.com" \
  --role "ROLE_NAME"
```
7. Allow the Kubernetes Service Account (KSA) to impersonate the Google Service Account by creating an IAM policy binding on the GSA

```bash
gcloud iam service-accounts add-iam-policy-binding GSA_NAME@PROJECT_ID.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]"
```
8. Add the `iam.gke.io/gcp-service-account=GSA_NAME@PROJECT_ID.iam.gserviceaccount.com` annotation to the Kubernetes Service Account, using the full email address of the IAM Service Account

```bash
kubectl annotate serviceaccount KSA_NAME \
  --namespace K8S_NAMESPACE \
  iam.gke.io/gcp-service-account=GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
```
9. Verify

Save the following test Pod manifest as `wi-test.yaml`:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: workload-identity-test
  namespace: K8S_NAMESPACE
spec:
  containers:
  - image: google/cloud-sdk:slim
    name: workload-identity-test
    command: ["sleep","infinity"]
  serviceAccountName: KSA_NAME
```

Create the Pod:

```bash
kubectl apply -f wi-test.yaml
```
Test: open a shell in the Pod, then query the metadata server from inside it. With Workload Identity working, the listing includes the GSA email rather than only the node's service account.

```bash
kubectl exec -it workload-identity-test \
  --namespace K8S_NAMESPACE -- /bin/bash
```

Inside the Pod:

```bash
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/
```