Is it possible to use the `iam.gke.io/gcp-service-account:` to accept multiple GCP SA addresses? I've tried comma delimited but that just prevents the pods starting.
For context, I use a different SA per deployment and while that's fine for setting access to resources in the same project I also want to be able to read a secret from a different project. While I know I could simply give the SA secrets access on the other project, given there are many different SAs across many projects I was hoping to simplify the setup and avoid needing to bind anew every time I create a new deployment.
TIA
Craig
Sounds like you're using the old method with SA annotations. It sounds like kubectl annotate doesn't append, only replaces. Not sure how to help you there, but have you considered directly referencing the Kubernetes SA in an IAM allow policy in the project that has the secret?
So in the secret project,
gcloud projects add-iam-policy-binding SECRET_PROJECT_ID \
--role=roles/secretmanager.secretAccessor \
--member=principal://iam.googleapis.com/projects/GKE_PROJECT_NUMBER/locations/global/workloadIdentityPools/GKE_PROJECT_ID.svc.id.goog/subject/ns/NAMESPACE/sa/KSA_NAME \
--condition=None
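As an added illustration (not from the original thread or from Google's own tooling), the following Python builds the same principal identifier for several Kubernetes ServiceAccounts and assembles one IAM binding that covers all of them, which is how one avoids a fresh binding per deployment; the project numbers, project IDs, namespaces and ServiceAccount names are constructed sample values.

```python
import json
import re

# RFC 1123 label: what Kubernetes accepts for namespace and ServiceAccount names.
_DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def gke_principal(project_number: str, project_id: str, namespace: str, ksa: str) -> str:
    """Build the IAM principal identifier for one Kubernetes ServiceAccount.

    Uses the workload identity pool GKE creates per project
    (PROJECT_ID.svc.id.goog); the subject is ns/<namespace>/sa/<ksa>.
    Validates inputs so a malformed name cannot produce a principal that
    silently matches nothing (or something unintended).
    """
    if not project_number.isdigit():
        raise ValueError(f"project number must be numeric: {project_number!r}")
    for name in (namespace, ksa):
        if not _DNS_LABEL.match(name):
            raise ValueError(f"not a valid Kubernetes name: {name!r}")
    return (
        f"principal://iam.googleapis.com/projects/{project_number}"
        f"/locations/global/workloadIdentityPools/{project_id}.svc.id.goog"
        f"/subject/ns/{namespace}/sa/{ksa}"
    )


def secret_accessor_binding(principals: list[str]) -> dict:
    """One IAM binding granting secret read access to several KSAs at once.

    The dict has the shape of an entry in the `bindings` list of a policy
    accepted by `gcloud projects set-iam-policy` in the secret project.
    """
    return {
        "role": "roles/secretmanager.secretAccessor",
        "members": sorted(set(principals)),
    }


if __name__ == "__main__":
    # Constructed sample values, not real project identifiers.
    deployments = [
        ("123456789012", "gke-project-a", "payments", "payments-api"),
        ("123456789012", "gke-project-a", "payments", "payments-worker"),
        ("987654321098", "gke-project-b", "billing", "billing-api"),
    ]
    binding = secret_accessor_binding([gke_principal(*d) for d in deployments])
    print(json.dumps(binding, indent=2))
```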