
How an app deployed on GKE can deploy other apps on the same GCP project

Hi,

I have a Java application that is deployed on a GKE cluster. Let's call it the "orchestrator".

The application should be able to deploy other applications on the same GCP project where the "orchestrator" app is running (it can be the same GKE cluster or a different GKE cluster), using helm CLI commands.

We were able to do that using Google Service Account authentication, where the JSON key is provided to the "orchestrator" and we could use it to generate tokens.

My question is: since both the "orchestrator" and the other apps are running on the same GCP project (sometimes on the same GKE cluster), is there a way to use some default credentials auto-discovered by GCP, instead of generating and providing a Service Account JSON key to the "orchestrator" app?

That way, the customer won't need to expose this key to our system, and the authentication will happen behind the scenes, without our app's intervention.

Is there something a GCP admin can do to make this use case work seamlessly?


Have you looked at Workload Identity? https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

What kind of permissions do you grant the Google Service Account in order for the Orchestrator app to do what it needs to do?

Thanks for your reply @abdelfettah

I looked around, and one way to achieve that is to use the default credentials approach mentioned here: Finding credentials automatically. Instead of exposing the SA key to our app, the GCP admin can attach the same SA to the GKE cluster resource, and the default credentials mechanism will use that SA's credentials to access the APIs and resources (depending on the SA's roles and permissions).

Yes, you can use the node SA to authenticate. The issue with that approach is that all your pods running on the same node will use the same SA, which means that SA will need to have the permissions that all your various apps need. If this is not an issue, go ahead. Otherwise I highly recommend you look at Workload Identity.
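The Workload Identity alternative recommended in the last reply, as an added example that is not part of the thread and not Google's own tooling: it renders the Kubernetes ServiceAccount annotation and the IAM binding that tie one pod identity (the "orchestrator" KSA) to one Google service account, so only that pod gets the GSA's permissions while other pods on the same node do not. The project ID, namespace, KSA and GSA names are hypothetical placeholders; the gcloud command is printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders the Workload Identity wiring
# that lets the "orchestrator" pod obtain Google credentials without a JSON key.
# Every project, namespace and account name here is a hypothetical placeholder.
set -eu

# IAM principal that represents one Kubernetes ServiceAccount (KSA) under
# Workload Identity: serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]
wi_member() {
  project="$1"; namespace="$2"; ksa="$3"
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$project" "$namespace" "$ksa"
}

# E-mail of the Google service account (GSA) the pod will act as.
gsa_email() {
  project="$1"; gsa="$2"
  printf '%s@%s.iam.gserviceaccount.com' "$gsa" "$project"
}

# KSA manifest carrying the annotation GKE uses to map the KSA to the GSA.
# Nothing is mounted into the pod; tokens are served by the GKE metadata server.
render_ksa() {
  project="$1"; namespace="$2"; ksa="$3"; gsa="$4"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $ksa
  namespace: $namespace
  annotations:
    iam.gke.io/gcp-service-account: $(gsa_email "$project" "$gsa")
EOF
}

# Admin-side binding: only this one KSA may act as the GSA, so other pods on
# the same node do not inherit its permissions (unlike the node SA approach).
# Printed rather than executed so the output can be reviewed offline.
render_iam_commands() {
  project="$1"; namespace="$2"; ksa="$3"; gsa="$4"
  cat <<EOF
gcloud iam service-accounts add-iam-policy-binding $(gsa_email "$project" "$gsa") \\
  --project="$project" \\
  --role="roles/iam.workloadIdentityUser" \\
  --member="$(wi_member "$project" "$namespace" "$ksa")"
EOF
}

# Review check: the manifest must carry the annotation naming the intended GSA.
# Returns 0 when present, 1 otherwise.
check_manifest() {
  manifest="$1"; expected_email="$2"
  printf '%s\n' "$manifest" | grep -qF "iam.gke.io/gcp-service-account: $expected_email"
}

main() {
  project="example-project"; namespace="orchestrator"
  ksa="orchestrator-sa"; gsa="orchestrator-deployer"
  render_ksa "$project" "$namespace" "$ksa" "$gsa"
  echo "---"
  render_iam_commands "$project" "$namespace" "$ksa" "$gsa"
  check_manifest "$(render_ksa "$project" "$namespace" "$ksa" "$gsa")" \
    "$(gsa_email "$project" "$gsa")" && echo "# annotation check: OK"
}

main
```

The orchestrator's pod spec then sets `serviceAccountName` to the rendered KSA, and the Google client libraries pick up the credentials through the default credentials mechanism with no key file involved. The GSA itself should carry only the roles the orchestrator's helm deployments actually need, which is the question raised in the first reply.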
