
Does Apigee Hybrid runtime support Workload Identity federation as KSA direct connect mode in AKS?

Hello everyone,

We have been trying to enable Workload Identity federation with the KSA direct connect type for Apigee Hybrid runtime 1.14.0 in AKS for the past month but have not been successful, so I'm not sure whether it is actually supported or not.

The main official Apigee document [1] briefly explains the concept of enabling Workload Identity federation on an external provider (AKS and EKS) and refers to [2] for the full implementation steps. However, article [2] states that Workload Identity federation supports two modes: KSA direct connect (recommended) and GSA impersonation.

[1]https://cloud.google.com/apigee/docs/hybrid/v1.14/enable-workload-identity-federation.html#k8s-secre...
[2]https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes#aks

In my lab, we successfully implemented GSA impersonation but were unsuccessful with KSA direct connect, even after reconfiguring everything in every possible way.

Can anyone help me or tell me where I went wrong?

Thank you


Hello @tawatchaiw, we saw your question and wanted to let you know we’re keeping it on our radar. We’ll also invite others in the community to pitch in and share their thoughts.

If you’re up for it, join our weekly office hours! You can sign up here to get the meeting link 🙂 Thanks for being here!

Hi AlexET, let us know if you have a solution for enabling workload identity on EKS.

Hi @tawatchaiw - I would create a support ticket and reach out to your local Apigee team for assistance - message me directly if you need help getting ahold of someone. This is just such a detailed problem that it only makes sense to validate together with engineers who have done it and have a reference setup. Thanks!

Is it possible to use WIF for deployment of proxies and assets via management API calls? With a key-based service account we use gcloud auth activate-service-account --key-file=sa.json and get a token using gcloud auth print-access-token; is there something similar for a WIF-based credential file?
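The following is an added example, not code from the original thread, from Apigee or from Google. It shows what actually differs between the two modes named in the question (KSA direct connect versus GSA impersonation) and what a WIF credential configuration file drives, which is also what the last reply asks about: the file written by gcloud iam workload-identity-pools create-cred-config is an external_account JSON document, and the only difference between the two modes is whether it carries a service_account_impersonation_url. In direct mode the federated token returned by the STS exchange is the access token, so the principal (the principal://... identity for the KSA subject) must itself hold IAM roles on the target resources; in impersonation mode the federated token is traded for a GSA token via generateAccessToken and the principal only needs roles/iam.workloadIdentityUser on that GSA. The project number, pool, provider, GSA e-mail and token values below are constructed placeholders, and the HTTP client is a constructed offline fake of sts.googleapis.com and iamcredentials.googleapis.com, so nothing here talks to Google.

```python
"""Workload Identity Federation token flow for a Kubernetes workload in the two
modes the IAM doc [2] describes. Added example; not Apigee or Google code."""
import json
from typing import Any, Callable, Dict, Tuple

# RFC 8693 token-exchange values that Google's STS endpoint expects.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample: project number, pool, provider and GSA are placeholders.
AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
            "workloadIdentityPools/apigee-pool/providers/aks-provider")

KSA_DIRECT_CONFIG = {                      # "KSA direct connect" mode
    "type": "external_account",
    "audience": AUDIENCE,
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/var/run/service-account/token",
                          "format": {"type": "text"}},
}

# "GSA impersonation" mode: the same file plus exactly one extra key.
GSA_IMPERSONATION_CONFIG = dict(KSA_DIRECT_CONFIG, service_account_impersonation_url=(
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
    "apigee-runtime@example-project.iam.gserviceaccount.com:generateAccessToken"))

HttpPost = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def federation_mode(config: Dict[str, Any]) -> str:
    """'ksa-direct' or 'gsa-impersonation', decided solely by the config file."""
    if config.get("type") != "external_account":
        raise ValueError("not an external_account credential configuration")
    return "gsa-impersonation" if config.get("service_account_impersonation_url") else "ksa-direct"


def _read_text(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def read_subject_token(config: Dict[str, Any],
                       read_file: Callable[[str], str] = _read_text) -> str:
    """Load the projected KSA JWT; only file-based text sources are handled here."""
    src = config["credential_source"]
    if "file" not in src or src.get("format", {}).get("type", "text") != "text":
        raise ValueError("only file-based text credential sources are handled")
    return read_file(src["file"]).strip()


def build_sts_request(config: Dict[str, Any], subject_token: str) -> Tuple[str, Dict[str, Any]]:
    """Body for POST token_url, with the field names the STS API uses."""
    body = {
        "audience": config["audience"],
        "grantType": GRANT_TYPE,
        "requestedTokenType": ACCESS_TOKEN_TYPE,
        "scope": CLOUD_PLATFORM_SCOPE,
        "subjectTokenType": config["subject_token_type"],
        "subjectToken": subject_token,
    }
    return config["token_url"], body


def exchange(config: Dict[str, Any], subject_token: str, http_post: HttpPost) -> Dict[str, Any]:
    """Run the flow and return the token the workload puts in Authorization."""
    url, body = build_sts_request(config, subject_token)
    sts = http_post(url, {"Content-Type": "application/json"}, body)
    federated = sts["access_token"]
    if federation_mode(config) == "ksa-direct":
        # Direct mode: the federated token itself is the access token, so the
        # principal://... identity must hold IAM roles on the target resources.
        return {"mode": "ksa-direct", "access_token": federated, "expires_in": sts["expires_in"]}
    # Impersonation mode: trade the federated token for a GSA token; the
    # principal needs roles/iam.workloadIdentityUser on that GSA instead.
    resp = http_post(config["service_account_impersonation_url"],
                     {"Authorization": "Bearer " + federated, "Content-Type": "application/json"},
                     {"scope": [CLOUD_PLATFORM_SCOPE]})
    return {"mode": "gsa-impersonation", "access_token": resp["accessToken"],
            "expire_time": resp["expireTime"]}


class FakeGoogleEndpoints:
    """Constructed offline stand-in for sts.googleapis.com and iamcredentials."""
    def __init__(self) -> None:
        self.calls = []

    def __call__(self, url, headers, body):
        self.calls.append((url, headers, body))
        if url == "https://sts.googleapis.com/v1/token":
            if body.get("audience") != AUDIENCE or body.get("grantType") != GRANT_TYPE:
                raise RuntimeError("STS rejected the exchange request")
            return {"access_token": "federated-for-" + body["subjectToken"],
                    "issued_token_type": ACCESS_TOKEN_TYPE, "token_type": "Bearer",
                    "expires_in": 3599}
        if url.endswith(":generateAccessToken"):
            if not headers.get("Authorization", "").startswith("Bearer federated-for-"):
                raise RuntimeError("IAM Credentials rejected the bearer token")
            return {"accessToken": "gsa-token", "expireTime": "2025-01-01T00:59:59Z"}
        raise RuntimeError("unexpected endpoint " + url)


if __name__ == "__main__":
    for cfg in (KSA_DIRECT_CONFIG, GSA_IMPERSONATION_CONFIG):
        print(json.dumps(exchange(cfg, "constructed.ksa.jwt", FakeGoogleEndpoints())))
```

Two practical consequences follow from this. First, when direct mode fails while impersonation works with the same pool and provider, the first thing to check is where the IAM role bindings sit: in direct mode they must be on the principal://... identity of the KSA subject, not on a GSA. Second, for the management-API question, the same credential configuration file is what gcloud consumes: gcloud auth login --cred-file=CONFIG.json registers it, after which gcloud auth print-access-token returns a token exactly as it does for a key-file account, with no sa.json involved.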