Hello,
I followed the exact instructions in https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to to set up workload identity for my application which is running in GKE.
Now I'd like the workload identity to be able to access APIs in another GCP project. The guidance I've seen tells me to add the email of the service account (in say, project A) to the IAM principals in the other project (say, project B). I also added the correct role when I added the service account from project A into project B. I'm getting PermissionDenied errors when trying to access project B APIs using the GKE workload identity in project A.
It would be super helpful if anyone has guidance on what I might be doing wrong. A concrete example would go a long way. Thanks!
Hi austingbauer,
I have implemented the configuration that you want many times, and initially I had exactly your problems. Please be sure that you are inserting the GCP SA and project IDs in the correct form. Does your cluster have the Workload Identity feature enabled?
It seems like @austingebauer is encountering an error while trying to grant access, based on another GCC thread - Workload Identity to connect a GKE cluster to a different GCP project. He is attempting to grant access to a service agent instead of a service account that he created, and I believe this is the root issue.
@austingebauer , it appears the core issue is a mix-up between service agents and service accounts. Service agents (service-PROJECT_NUMBER@gcp-sa-gkenode.iam.gserviceaccount.com) are managed by Google and used internally by GKE. They are not meant for direct use in cross-project access.
What you need to do is create a Service Account in Project A for your GKE workloads. Then, set up Workload Identity in GKE to utilize this SA. Finally, grant this SA access to resources in Project B by adding it to Project B's IAM with the appropriate roles.
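The sequence above, as an added example that is not code from this thread or from Google: one helper flags the service-agent vs. service-account mix-up before you bind anything, and the other prints the gcloud/kubectl commands for the three steps. Project IDs, account names and the namespace are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). All project IDs, names and namespaces are
# placeholders chosen for illustration.

# Classify the principal you are about to bind. User-created service accounts live
# at PROJECT_ID.iam.gserviceaccount.com; Google-managed service agents such as
# service-PROJECT_NUMBER@gcp-sa-gkenode.iam.gserviceaccount.com do not, and are the
# wrong principal for cross-project Workload Identity.
# Prints: user-managed-sa | service-agent | sa-other-project | unknown
classify_principal() {
  local email="$1" project="$2"
  case "$email" in
    service-*@gcp-sa-*.iam.gserviceaccount.com|service-*@*-robot.iam.gserviceaccount.com)
      echo "service-agent" ;;
    *"@${project}.iam.gserviceaccount.com") echo "user-managed-sa" ;;
    *@*.iam.gserviceaccount.com) echo "sa-other-project" ;;   # project ID mismatch
    *) echo "unknown" ;;
  esac
}

# Print the command sequence: SA in project A, Workload Identity binding in A,
# KSA annotation in the cluster, then the IAM grant in project B.
# Args: PROJECT_A PROJECT_B GSA_NAME NAMESPACE KSA_NAME ROLE
wi_setup_commands() {
  local a="$1" b="$2" gsa="$3" ns="$4" ksa="$5" role="$6"
  local gsa_email="${gsa}@${a}.iam.gserviceaccount.com"
  cat <<EOF
# 1. User-managed service account in project A (the GKE project)
gcloud iam service-accounts create ${gsa} --project=${a}
# 2. Let the Kubernetes SA impersonate it (Workload Identity binding, project A)
gcloud iam service-accounts add-iam-policy-binding ${gsa_email} --project=${a} \\
  --role=roles/iam.workloadIdentityUser \\
  --member="serviceAccount:${a}.svc.id.goog[${ns}/${ksa}]"
# 3. Annotate the Kubernetes SA with the GCP SA it maps to
kubectl annotate serviceaccount ${ksa} --namespace ${ns} \\
  iam.gke.io/gcp-service-account=${gsa_email}
# 4. Grant that same SA the role in project B (the cross-project grant)
gcloud projects add-iam-policy-binding ${b} \\
  --member="serviceAccount:${gsa_email}" --role=${role}
# 5. From inside a pod, confirm which identity the metadata server hands out
curl -sH "Metadata-Flavor: Google" \\
  http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email
EOF
}

wi_setup_commands my-gke-project my-data-project app-sa default app-ksa roles/bigquery.dataViewer
```

If step 5 returns a service-agent or a default compute account rather than the SA you created, the annotation or the workloadIdentityUser binding is what is wrong, not the grant in project B.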