
Workload identity to connect a GKE cluster to a different GCP project

Hello,

Is it possible to use Workload Identity to access, from a GKE pod, a GCP service in another project, i.e. a project different from the one in which the GKE cluster is created?

Thanks

Accepted solution

Yes, you can. You will have to create the Google Service Account (GSA) in the same project as the GKE cluster. Configure Workload Identity as usual [1] and configure the IAM permissions that allow the Pod to access the resource in the target project (i.e. the GSA should have the permissions to access the API you want in the project where that API is).

 

[1] https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity


Replies


Very clear, thanks @abdelfettah!

Hello,

Is there a chance you could give a step-by-step? How would I "configure the IAM permissions that allow the Pod to access the resource in the target project (i.e. the GSA should have the permissions to access the API you want in the project where that API is)"?

Cheers

OK, I've got it myself. I guess I didn't understand you properly. Steps I followed:

- all the steps described here https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity in my GCP project with the GKE cluster

- in the other GCP project, where my API is which I want to control, go to: "IAM -> Add -> 'enter the email of GKE GCP SA' and select the role you need"

 

In my specific case I needed to control Cloud DNS with External DNS. Please note you need extraArgs as described here https://bityl.co/BNIv and here https://bityl.co/BNIw.

Cheers
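The procedure given in the accepted solution and in the step-by-step reply above, as an added example that is not part of the original thread or of Google's documentation. It uses Secret Manager in the target project as the API being accessed, since that is the case raised further down in the thread. All project IDs, the namespace, the service account names and the secret name are assumed placeholders; with DRY_RUN=1 (the default) every gcloud and kubectl call is printed rather than executed, so the script runs without cloud access. The points practitioners most often get wrong are spelled out in the helper functions: the Workload Identity principal is always scoped to the cluster project's pool (CLUSTER_PROJECT.svc.id.goog), the role grant in the target project is on the GSA's e-mail, and the API call from the pod must name the target project explicitly, because the pod's default (ADC) project is the cluster project.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): cross-project Workload Identity with the
# GSA in the cluster project and the role granted in the target project.
# Every name below is an assumed placeholder; override via the environment.
set -eu

CLUSTER_PROJECT="${CLUSTER_PROJECT:-cluster-project-a}"   # project that owns the GKE cluster
TARGET_PROJECT="${TARGET_PROJECT:-target-project-b}"      # project that owns the secret
GSA_NAME="${GSA_NAME:-secret-reader}"
NAMESPACE="${NAMESPACE:-app}"
KSA_NAME="${KSA_NAME:-app-sa}"
SECRET_NAME="${SECRET_NAME:-db-password}"
DRY_RUN="${DRY_RUN:-1}"                                    # 1 = print commands only

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# E-mail of a GSA named $1 living in project $2. This e-mail is what gets a
# role in the *target* project; the GSA itself stays in the cluster project.
gsa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Workload Identity principal for KSA $3 in namespace $2 of a cluster in
# project $1. The pool is always CLUSTER_PROJECT.svc.id.goog, never the
# target project's, regardless of where the resource being accessed lives.
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"; }

main() {
  gsa="$(gsa_email "$GSA_NAME" "$CLUSTER_PROJECT")"
  member="$(wi_member "$CLUSTER_PROJECT" "$NAMESPACE" "$KSA_NAME")"

  # 1. Cluster project: create the GSA and allow the KSA to impersonate it.
  run gcloud iam service-accounts create "$GSA_NAME" --project "$CLUSTER_PROJECT"
  run gcloud iam service-accounts add-iam-policy-binding "$gsa" \
      --project "$CLUSTER_PROJECT" \
      --role roles/iam.workloadIdentityUser \
      --member "$member"

  # 2. Cluster: create the KSA and annotate it with the GSA it maps to.
  run kubectl create serviceaccount "$KSA_NAME" -n "$NAMESPACE"
  run kubectl annotate serviceaccount "$KSA_NAME" -n "$NAMESPACE" \
      "iam.gke.io/gcp-service-account=$gsa"

  # 3. Target project: grant the GSA the least-privileged role it needs.
  #    Binding on the single secret, not on the whole project.
  #    (The Secret Manager API must be enabled in TARGET_PROJECT.)
  run gcloud secrets add-iam-policy-binding "$SECRET_NAME" \
      --project "$TARGET_PROJECT" \
      --role roles/secretmanager.secretAccessor \
      --member "serviceAccount:$gsa"

  # 4. Checks to run from inside a pod that uses $KSA_NAME: the GKE metadata
  #    server must report the GSA e-mail, and the API call must name the
  #    target project (the pod's default project is the cluster project).
  echo "# in-pod check (expect $gsa):"
  echo "#   curl -sH 'Metadata-Flavor: Google' http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email"
  echo "# in-pod check (expect the secret payload, not 403):"
  echo "#   gcloud secrets versions access latest --secret $SECRET_NAME --project $TARGET_PROJECT"
}

main "$@"
```

Because the GSA is created in the cluster project, nothing here attaches a service account across projects; the only binding that crosses the project boundary is the role grant in step 3. If the in-pod metadata check returns the node's default compute service account instead of the GSA, the pod is not actually running with Workload Identity (wrong KSA on the pod spec, missing annotation, or a node pool without the GKE metadata server), and no amount of IAM in the target project will help.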

I followed the exact same steps but am still not authorized to access the API (Secret Manager) in the other project. The two projects are in the same organization.

Do you have any additional details around how you made it work? A script or any other configuration details that made it work would be very helpful. Thanks!

Does the following work across GCP orgs as well?

in the other GCP project, where my API is which I want to control, go to: "IAM -> Add -> 'enter the email of GKE GCP SA' and select the role you need"

I'm following these exact steps and still getting permission denied when trying to access Secret Manager in another project. Anyone able to help out with an example?

Make sure you follow the steps listed at https://cloud.google.com/iam/docs/attach-service-accounts#attaching-different-project, paying specific detail to enabling service accounts to be attached across projects.

I'm unable to execute step e: Click Grant access, and then enter the email address of the service agent. The service agent I've identified for my GKE node is "service-PROJECT_NUMBER@gcp-sa-gkenode.iam.gserviceaccount.com" where PROJECT_NUMBER is my project ID. I get an error when trying to add this principal as noted in the link you provided. Is that service agent correct for my GKE use case?

My workload in GKE (project A) is simply trying to use its workload identity to access a resource in project B (Secret Manager). This is very simple when using service account keys outside of GKE.

Thanks for the reply.
