This module will showcase the integration of Workload Identity Federation and GKE to access Google Cloud services without a Service Account key.

The resources/services/activations/deletions that this module will create/trigger are:

- Create an Autopilot GKE cluster
- Create an isolated VPC with dedicated subnets
- Update the project IAM policy to add the Kubernetes Service Account

Configuration: 5 mins. Deployment: 15 mins.
- Clone the repo

```shell
git clone https://github.com/jasonbisson/terraform-google-workload-identity-gke.git
```

- Rename `terraform.tfvars.template` and update the required variables in it

```shell
mv terraform.tfvars.template terraform.tfvars
# Update required variables
```

- Execute Terraform commands with an existing identity (human or service account) to build the Vertex Workbench Infrastructure

```shell
terraform init
terraform plan
terraform apply
```

- Collect Kubernetes credentials from the GKE cluster

```shell
gcloud container clusters get-credentials ap-private-cluster --region us-central1 --project your_project_id
```

- Create a Kubernetes Service Account

```shell
kubectl create serviceaccount workload-identity-sa
```

- Create a simple Kubernetes Pod running the gcloud SDK, bound to that Service Account and scheduled only on nodes that run the GKE metadata server

```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: workload-identity
  namespace: default
spec:
  containers:
  - image: google/cloud-sdk:slim
    name: workload-identity
    command: ["sleep","infinity"]
  serviceAccountName: workload-identity-sa
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"
EOF
```

- Update the project IAM to give the Kubernetes Service Account Google Cloud access

```shell
mv ksa_gcp_access.tf.disable ksa_gcp_access.tf
terraform apply
```

- Access the pod and run a storage list command; the token comes from the GKE metadata server, so no key file is mounted or copied into the pod

```shell
kubectl exec -it workload-identity -- /bin/bash
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://storage.googleapis.com/storage/v1/b/Any_bucket_in_project/o"
```
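The step that renames `ksa_gcp_access.tf.disable` and re-applies is where the Kubernetes Service Account actually gains Google Cloud permissions. The Terraform below is an added example of what such a binding looks like; it is not the module's own `ksa_gcp_access.tf` and may differ from it. It assumes `var.project_id` is declared (it is a required input of this module), that the provider is configured, and that the principal-identifier format for a GKE Workload Identity Federation subject is the one documented by Google at the time of writing. It grants only `roles/storage.objectViewer`, which is sufficient for the object-list call in the last step, and binds the KSA principal directly, so no Google service account and no key exist anywhere in the path.

```hcl
# Added example (not the module's own ksa_gcp_access.tf): grant the Kubernetes
# Service Account "workload-identity-sa" in namespace "default" read-only access
# to Cloud Storage objects in the project through Workload Identity Federation.

data "google_project" "this" {
  project_id = var.project_id
}

locals {
  ksa_namespace = "default"              # namespace from the Pod manifest above
  ksa_name      = "workload-identity-sa" # KSA created with kubectl above

  # The GKE cluster's workload identity pool is always <project_id>.svc.id.goog.
  workload_identity_pool = "${var.project_id}.svc.id.goog"

  # IAM principal identifier for the KSA. The format is an assumption based on
  # Google's GKE Workload Identity Federation documentation; verify it against
  # the current docs before relying on it.
  ksa_principal = join("", [
    "principal://iam.googleapis.com/projects/${data.google_project.this.number}",
    "/locations/global/workloadIdentityPools/${local.workload_identity_pool}",
    "/subject/ns/${local.ksa_namespace}/sa/${local.ksa_name}",
  ])
}

# Least privilege: object read only, and only on this project. If the workload
# needs a single bucket, use google_storage_bucket_iam_member on that bucket
# instead of a project-level binding.
resource "google_project_iam_member" "ksa_storage_object_viewer" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = local.ksa_principal
}
```

Because the binding is on the project's IAM policy and names the KSA by namespace and name, deleting the KSA or the pod removes the workload's ability to obtain a token; there is no long-lived credential to rotate or revoke. The older pattern (a Google service account bound with `roles/iam.workloadIdentityUser` and the KSA annotated with `iam.gke.io/gcp-service-account`) also works with the same pod manifest, but adds a second identity whose permissions must be reviewed.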
Name | Description | Type | Default | Required |
---|---|---|---|---|
cloud_shell_ip | Cloud Shell IP: `dig +short myip.opendns.com @resolver1.opendns.com` | any | n/a | yes |
project_id | The project ID to host the cluster in | any | n/a | yes |
Name | Description |
---|---|
cluster_name | Cluster name |
kubernetes_endpoint | The cluster endpoint |
location | n/a |
master_kubernetes_version | Kubernetes version of the master |
network_name | The name of the VPC being created |
region | The region in which the cluster resides |
service_account | The service account to run nodes as by default, if not overridden in `node_pools`. |
subnet_names | The names of the subnet being created |
zones | List of zones in which the cluster resides |
These sections describe requirements for using this module.

The following dependencies must be available:

- [Terraform][terraform] v0.13
- [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.0

A service account with the following roles must be used to provision the resources of this module:

- Compute Admin: `roles/compute.admin`
- Kubernetes Admin: `roles/container.admin`

The following APIs must be enabled in the project that hosts the resources of this module:

- Google Cloud Compute: `compute.googleapis.com`
- Kubernetes Engine: `container.googleapis.com`

Please see our security disclosure process.