Workload Identity

Workload Identity lets you assign a specific Google Cloud Service Account to a specific application, so that each application obtains its own service-account identity and permissions through machine credentials rather than a distributed key file.

Create Service Accounts

Create a Kubernetes Service Account (KSA)

kubectl create serviceaccount helloworld \
  --dry-run=client -o yaml > k8s/helloworld-sa.yaml

kubectl apply -f k8s/helloworld-sa.yaml

Create a Google Cloud Service Account (GSA)

gcloud iam service-accounts create helloworld

PROJECT_ID=$(gcloud config get-value project)
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member serviceAccount:helloworld@${PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/pubsub.publisher

Bind Service Accounts

Bind the Kubernetes Service Account (KSA) to the Google Cloud Service Account (GSA). The binding is made on both sides: once in Google Cloud IAM and once on the Kubernetes Service Account.

Binding from Google Cloud

Binding from Kubernetes
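The two halves of the binding, as an added example that is not part of the original page: a small POSIX shell script that derives the Workload Identity principal for the KSA, grants it roles/iam.workloadIdentityUser on the GSA (the Google Cloud side), and annotates the KSA with the GSA email (the Kubernetes side). The account names match the page; the "default" namespace, the PROJECT_ID placeholder and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Binds a KSA to a GSA for
# Workload Identity from both sides. DRY_RUN=1 (the default) only prints
# the commands; set DRY_RUN=0 to execute them against a real project.
set -eu

# The IAM principal that represents a KSA inside the cluster's identity pool:
#   serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]
wi_member() {
  project="$1"; namespace="$2"; ksa="$3"
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$project" "$namespace" "$ksa"
}

# Email address of a GSA created with `gcloud iam service-accounts create`.
gsa_email() {
  project="$1"; gsa="$2"
  printf '%s@%s.iam.gserviceaccount.com' "$gsa" "$project"
}

# Execute or echo a command depending on DRY_RUN.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Google Cloud side: the role is granted on the GSA resource itself, not on
# the project, so only this one KSA may impersonate this one GSA.
bind_from_gcloud() {
  project="$1"; namespace="$2"; ksa="$3"; gsa="$4"
  run gcloud iam service-accounts add-iam-policy-binding \
    "$(gsa_email "$project" "$gsa")" \
    --project "$project" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$project" "$namespace" "$ksa")"
}

# Kubernetes side: the annotation tells the GKE metadata server which GSA
# to mint tokens for when a Pod using this KSA asks for credentials.
bind_from_k8s() {
  project="$1"; namespace="$2"; ksa="$3"; gsa="$4"
  run kubectl annotate serviceaccount "$ksa" \
    --namespace "$namespace" \
    "iam.gke.io/gcp-service-account=$(gsa_email "$project" "$gsa")" \
    --overwrite
}

bind_workload_identity() {
  bind_from_gcloud "$@"
  bind_from_k8s "$@"
}

# Usage: PROJECT_ID is a placeholder; export the real one before running.
bind_workload_identity "${PROJECT_ID:-my-project}" default helloworld helloworld
```

Both halves are required: without the IAM binding the token request is denied, and without the annotation the Pod never asks for the GSA's identity in the first place. Because the role is granted on the GSA rather than the project, an attacker who compromises some other KSA in the cluster gains nothing from this binding.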

Use the Kubernetes Service Account

To try it out, first exec into the Pod:

Inside the Pod, see metadata server:
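A check to run inside the Pod after `kubectl exec`, as an added example that is not part of the original page: it asks the metadata server which Google identity the Pod actually holds and compares it with the GSA that was bound. The Metadata-Flavor header, the metadata.google.internal host and the computeMetadata/v1 paths are the real interface; the expected email argument and the MD_FETCH_OVERRIDE hook (used only to test the logic offline) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Verifies, from inside a Pod,
# that Workload Identity handed the Pod the GSA we expect.
set -eu

MD_BASE="http://metadata.google.internal/computeMetadata/v1"

# Fetch one metadata path. The Metadata-Flavor header is mandatory; the
# server rejects requests without it, which is what stops a plain browser-
# driven SSRF from reading credentials. MD_FETCH_OVERRIDE is an assumed
# hook that substitutes a local function, so the checks can run offline.
md_fetch() {
  if [ -n "${MD_FETCH_OVERRIDE:-}" ]; then
    "$MD_FETCH_OVERRIDE" "$1"
  else
    curl -sSf -H 'Metadata-Flavor: Google' "$MD_BASE/$1"
  fi
}

# Extract expires_in from the token endpoint's JSON without needing jq,
# so the check also works in minimal container images.
token_expires_in() {
  printf '%s' "$1" | sed -n 's/.*"expires_in"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Compare the identity the Pod received with the GSA that was bound.
# Returns 0 on match, 1 on mismatch (missing annotation or IAM binding
# are the usual causes of a mismatch).
verify_identity() {
  expected="$1"
  actual="$(md_fetch service-accounts/default/email)"
  if [ "$actual" = "$expected" ]; then
    echo "OK: Pod runs as $actual"
    return 0
  fi
  echo "MISMATCH: expected $expected, metadata server reports '$actual'" >&2
  return 1
}

# Confirm a short-lived access token is actually obtainable for that
# identity and report its lifetime; returns 1 if no token came back.
verify_token() {
  token_json="$(md_fetch service-accounts/default/token)"
  ttl="$(token_expires_in "$token_json")"
  [ -n "$ttl" ] || { echo "no access token returned" >&2; return 1; }
  echo "token issued, expires in ${ttl}s"
}

# Usage (inside the Pod): sh verify.sh helloworld@PROJECT_ID.iam.gserviceaccount.com
if [ "$#" -gt 0 ]; then
  verify_identity "$1"
  verify_token
fi
```

The tokens returned here are short-lived and scoped to the bound GSA, which is the property that makes Workload Identity preferable to mounting a key file: there is nothing long-lived on disk to steal, and a mismatch surfaces immediately in this check rather than as a confusing permission error later.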
