Workload Identity lets you assign a specific Google Cloud Service Account (GSA) to a specific application, so that each application gets its own service-account identity and permissions through the machine credential the metadata server exposes, rather than sharing the node's service account with every other Pod on the node.

Create the Kubernetes Service Account (KSA):

```bash
kubectl create serviceaccount helloworld \
  --dry-run=client -o yaml > k8s/helloworld-sa.yaml
kubectl apply -f k8s/helloworld-sa.yaml
```

Create the Google Cloud Service Account (GSA) and grant it only the role the application needs:

```bash
gcloud iam service-accounts create helloworld
PROJECT_ID=$(gcloud config get-value project)
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member serviceAccount:helloworld@${PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/pubsub.publisher
```
Bind the Kubernetes Service Account (KSA) to the Google Cloud Service Account (GSA) by granting the KSA's Workload Identity member the `roles/iam.workloadIdentityUser` role on the GSA:

```bash
PROJECT_ID=$(gcloud config get-value project)
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${PROJECT_ID}.svc.id.goog[default/helloworld]" \
  helloworld@${PROJECT_ID}.iam.gserviceaccount.com
```

Annotate the KSA with the GSA it should act as, then re-apply it:

```bash
PROJECT_ID=$(gcloud config get-value project)
kubectl annotate -f k8s/helloworld-sa.yaml \
  iam.gke.io/gcp-service-account=helloworld@${PROJECT_ID}.iam.gserviceaccount.com
kubectl apply -f k8s/helloworld-sa.yaml
```
Then reference the KSA from the Pod spec of the Deployment:

{% code title="k8s/nginx-sa-deployment.yaml" %}
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-sa
  labels:
    app: nginx-sa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-sa
  template:
    metadata:
      labels:
        app: nginx-sa
    spec:
      # Specify the KSA to use
      serviceAccountName: helloworld
      containers:
      - image: nginx
        name: nginx
```
{% endcode %}
To try it out, first exec into the Pod:

```bash
POD_NAME=$(kubectl get pods -lapp=nginx-sa -o jsonpath='{.items[0].metadata.name}')
kubectl exec -ti ${POD_NAME} -- /bin/bash
```

Inside the Pod, query the metadata server; it should report the GSA email you annotated on the KSA, not the node's service account:

```bash
curl -H "Metadata-Flavor: Google" \
  http://metadata/computeMetadata/v1/instance/service-accounts/default/email
```
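The binding steps above and the metadata-server check are easy to get subtly wrong (a KSA annotated with a GSA from another project, a `workloadIdentityUser` binding for the wrong namespace, or a Pod that silently still runs as the node's service account). The following POSIX shell helpers are an added example, not part of the original tutorial or of any Google tooling: they derive the identifiers the steps use, check a `get-iam-policy` YAML document for the expected binding, and compare what the metadata server reported with the GSA you intended. The project id, etag and node service-account email are constructed placeholders; the policy document is a constructed sample in the shape `gcloud iam service-accounts get-iam-policy` prints by default.

```shell
#!/bin/sh
# Added example (not from the original tutorial). All values below are
# constructed placeholders; none of the functions call gcloud or kubectl.

# Email of the Google Cloud Service Account (GSA) for a name and project id.
gsa_email() {
  # $1 = GSA name, $2 = project id
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# IAM member string Workload Identity uses for a Kubernetes Service Account
# (KSA). This is the principal roles/iam.workloadIdentityUser is granted to.
wi_member() {
  # $1 = project id, $2 = namespace, $3 = KSA name
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# Return 0 if an iam.gke.io/gcp-service-account annotation value points at a
# GSA in the expected project, 1 otherwise (a GSA from a different project is
# the usual copy-paste mistake in the annotate step).
annotation_in_project() {
  # $1 = annotation value, $2 = expected project id
  case "$1" in
    *"@$2.iam.gserviceaccount.com") return 0 ;;
    *) return 1 ;;
  esac
}

# Read an IAM policy document (the YAML gcloud prints for get-iam-policy) on
# stdin and return 0 if the given member appears in a binding with the given
# role, 1 otherwise. Members are listed before the role in that layout, so a
# binding is complete when its "role:" line is reached.
binding_present() {
  # $1 = role, $2 = member
  awk -v role="$1" -v member="$2" '
    /^- members:/ { members = "" }                        # new binding
    /^  - /       { members = members "|" substr($0, 5) "|" }  # one member
    /^  role: /   { if ($2 == role && index(members, "|" member "|")) found = 1 }
    END { if (found) exit 0; exit 1 }
  '
}

# Compare the email the metadata server returned with the expected GSA.
# Returns 0 if the Pod runs as the intended GSA, 1 if it runs as anything
# else (typically the node's default service account, which means Workload
# Identity is not in effect for that Pod).
check_pod_identity() {
  # $1 = email from .../service-accounts/default/email, $2 = expected GSA
  [ "$1" = "$2" ]
}

# --- Constructed sample data -------------------------------------------------
SAMPLE_PROJECT="example-project"
EXPECTED_GSA=$(gsa_email helloworld "$SAMPLE_PROJECT")
EXPECTED_MEMBER=$(wi_member "$SAMPLE_PROJECT" default helloworld)
# What a Pod that is NOT using Workload Identity typically reports:
NODE_DEFAULT_SA="123456789012-compute@developer.gserviceaccount.com"
# Constructed get-iam-policy output for the helloworld GSA:
SAMPLE_POLICY=$(cat <<'EOF'
bindings:
- members:
  - serviceAccount:example-project.svc.id.goog[default/helloworld]
  role: roles/iam.workloadIdentityUser
etag: BwExampleEtagPlaceholder
version: 1
EOF
)

# --- Walk through the checks -------------------------------------------------
echo "Expected GSA:      $EXPECTED_GSA"
echo "WI member to bind: $EXPECTED_MEMBER"

if printf '%s\n' "$SAMPLE_POLICY" | binding_present roles/iam.workloadIdentityUser "$EXPECTED_MEMBER"; then
  echo "workloadIdentityUser binding for $EXPECTED_MEMBER is present"
else
  echo "MISSING workloadIdentityUser binding for $EXPECTED_MEMBER"
fi

if check_pod_identity "$NODE_DEFAULT_SA" "$EXPECTED_GSA"; then
  echo "Pod identity OK"
else
  echo "Pod reports $NODE_DEFAULT_SA, not $EXPECTED_GSA: Workload Identity is not in effect"
fi
```

In practice you would feed `binding_present` the real output of `gcloud iam service-accounts get-iam-policy <GSA email>` and `check_pod_identity` the email returned by the `curl` above; a mismatch in the second check is the one to treat as a finding, because a Pod running as the node's service account usually has far broader permissions than the single role granted to the GSA.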