# google-cloud
p
Hi folks! I was hoping to get some advice on workload identity and basically pulumi-fying it for this command
```shell
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:go-gke-gsm-pulumi.svc.id.goog[default/secret-accessor-sa]" \
  secret-accessor-sa@go-gke-gsm-pulumi.iam.gserviceaccount.com
```
I thought I achieved what I desired with this
```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/projects"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/serviceaccount"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// projectId was defined elsewhere in the original snippet; here it is
		// read from the stack config (gcp:project) so the program compiles.
		projectId := config.Require(ctx, "gcp:project")

		// Create a GCP service account
		account, err := serviceaccount.NewAccount(ctx, "secretAccessSvcAccount", &serviceaccount.AccountArgs{
			Project:     pulumi.String(projectId),
			AccountId:   pulumi.String("secret-accessor-sa"),
			DisplayName: pulumi.String("secret accessor service account"),
			Description: pulumi.String("This service account has the secret accessor role"),
		})
		if err != nil {
			return err
		}

		// Assign "Secret Accessor" role to the service account
		_, err = projects.NewIAMMember(ctx, "secretAccessorRole", &projects.IAMMemberArgs{
			Role:    pulumi.String("roles/secretmanager.secretAccessor"),
			Member:  pulumi.Sprintf("serviceAccount:%s", account.Email),
			Project: pulumi.String(projectId),
		})
		if err != nil {
			return err
		}

		// Assign "Workload Identity" role to the service account
		// (note: this binds at the project level, with the GCP SA itself as member)
		_, err = projects.NewIAMMember(ctx, "workloadIdentityRole", &projects.IAMMemberArgs{
			Role:    pulumi.String("roles/iam.workloadIdentityUser"),
			Member:  pulumi.Sprintf("serviceAccount:%s", account.Email),
			Project: pulumi.String(projectId),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
But I was still getting errors pointing to the reality that the service account wasn't really able to act as workload ID. It worked just fine when I ran the `gcloud` command, and it works just fine using a Terraform module to bind the Kubernetes service account to the GCP service account. Any idea?
I didn't really know what channel this fit in best. I suppose it could be a toss up between #kubernetes, #golang, and #google-cloud
b
@purple-airport-15218 looking at the terraform example, I don’t see a Kubernetes service account defined? What’s not working exactly?
p
hey @billowy-army-68599! Here's an example of what works and what I can achieve in terraform using the public workload ID module
```hcl
module "gsm_gke_workload_identity" {
  for_each = toset(var.namespace_list)
  source   = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version  = "~> 25.0"
  name     = "gsm-gke-workload-identity-${each.value}"

  namespace  = each.value
  project_id = var.project_name

  gcp_sa_name         = "secret-accessor-sa"
  use_existing_gcp_sa = true
  k8s_sa_name         = "secret-accessor-sa"

  depends_on = [
    module.kubernetes
  ]
}
```
I used Pulumi AI to generate this as part of my GKE cluster creation to enable workload ID, but I think that's only half the battle:
```go
// fragment of the container.ClusterArgs passed to container.NewCluster
WorkloadIdentityConfig: &container.ClusterWorkloadIdentityConfigArgs{
	WorkloadPool: pulumi.Sprintf("%s.svc.id.goog", projectId),
},
```
Effectively I'm trying to get a GCP service account to be used by the Kubernetes service account and connect with Google Secret Manager. It's all up and working AFTER I run
```shell
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:go-gke-gsm-pulumi.svc.id.goog[default/secret-accessor-sa]" \
  secret-accessor-sa@go-gke-gsm-pulumi.iam.gserviceaccount.com
```
but I am hoping to see if I can add this to the creation of my infrastructure so I don't have to run this after creation.
Full transparency: I am a super new Pulumi beginner, and frankly I don't even know Golang, so I am probably biting off much more than I can chew 😓
b
Do you have a Kubernetes service account? How are you creating that? Have you labelled/annotated it correctly?
p
Ooh... I see. Yeah, this might be an order-of-operations problem 🤦‍♂️ I'm creating all the infra, and then I'm creating the ServiceAccount in the GKE cluster with the deployment of my application, and therefore I have to run that command or make sure the ServiceAccount exists prior to installing my chart...
This helped provide clarity. Thanks a ton @billowy-army-68599!
b
You should be able to do all of that with Pulumi
d
The "Assign workload identity" block looks to work on the project level; I think it needs to be on the service account itself instead: https://www.pulumi.com/registry/packages/gcp/api-docs/serviceaccount/iammember/ The TF code should be a good reference: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/v27.0.0/modules/workload-identity/main.tf#L81-L85