use workload identity for external secret instead of service key. #233
Conversation
ref: https://external-secrets.io/v0.4.4/provider-google-secrets-manager/#using-service-accounts-directly Signed-off-by: Kenny Leung <kleung@chainguard.dev>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -42,10 +47,17 @@ | |||
| depends_on = [google_service_account.external_secrets_sa] | |||
| } | |||
|
|
|||
| resource "google_project_iam_member" "external_secrets_binding_token" { | |||
| project = var.project_id | |||
| role = "roles/iam.serviceAccountTokenCreator" | |||
Check warning
Code scanning / tfsec
Users should not be granted service account access at the project level
There was a problem hiding this comment.
Post submit feedback @k4leung4 : can this be updated to grant the role on the specific service accounts(s) that need impersonating? This is a very powerful grant since the external-secrets SA can use access of any other service accounts in the project.
| helm_release.external_secrets | ||
| ] | ||
| } | ||
|
|
||
| resource "kubectl_manifest" "secretstore_gcp_backend" { | ||
| yaml_body = <<YAML | ||
| apiVersion: external-secrets.io/v1alpha1 |
There was a problem hiding this comment.
maybe we can bump to apiVersion: external-secrets.io/v1beta1 and use the new version
There was a problem hiding this comment.
we are still on 0.4.4, i dont think it supports v1beta1
though we should upgrade external secrets to 0.5x
filed https://github.com/sigstore/public-good-instance/issues/480
There was a problem hiding this comment.
i think we don't use anything that breaks, but i will double check
Summary
ref:
https://external-secrets.io/v0.4.4/provider-google-secrets-manager/#using-service-accounts-directly
towards: https://github.com/sigstore/public-good-instance/issues/443
Signed-off-by: Kenny Leung kleung@chainguard.dev
Release Note
Documentation