No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I didn't really know what channel this fit in best. I suppose it could be a toss up between <#CRFURDVQB|>, <#CCWP5TJ5U|>, and <#CRFUR2DGB|>

<@U05R0K54H9T> looking at the terraform example, I don’t see a Kubernetes service account defined? What’s not working exactly?

hey <@UCWG26BH7>!

Here's an example of what works and what I can achieve in terraform using the public workload ID module

```module "gsm_gke_workload_identity" {
  for_each = toset(var.namespace_list)
  source  = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version = "~&gt; 25.0"
  name    = "gsm-gke-workload-identity-${each.value}"
  namespace  = each.value
  project_id = var.project_name
  gcp_sa_name         = "secret-accessor-sa"
  use_existing_gcp_sa = true
  k8s_sa_name         = "secret-accessor-sa"

  depends_on = [
    module.kubernetes
  ]
}```

I used Pulumi AI to generate this as part of my gke cluster creation to enable workload ID but I think that's only half the battle:

```			WorkloadIdentityConfig: &amp;container.ClusterWorkloadIdentityConfigArgs{
				WorkloadPool: pulumi.Sprintf("%s.svc.id.goog", projectId),
			},```

Effectively I'm trying to get a GCP service account to be used by the kubernetes service account and connect with google secret manager. It's all up and working AFTER I run

```gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:go-gke-gsm-pulumi.svc.id.goog[default/secret-accessor-sa]" \
  <mailto:secret-accessor-sa@go-gke-gsm-pulumi.iam.gserviceaccount.com|secret-accessor-sa@go-gke-gsm-pulumi.iam.gserviceaccount.com>```

but I am hoping to see if I can add this to the creation of my infrastructure so I don't have to run this after creation

Full transparency - I am a super new Pulumi beginner and frankly I don't even know Golang so I am probably biting off much more than I can chew :sweat:

do you have a kubernetes service account? how are you creating that? have you labelled/annotated it correctly?

ooh... I see. Yeah this might be an order of operations problem :man-facepalming:

I'm creating all the infra and then I'm creating the serviceAccount in the GKE cluster with the deployment of my application and therefore I have to run that command or make sure the serviceAccount exists prior to installing my chart...

This helped provide clarity. Thanks a ton <@UCWG26BH7>!

You should be able to do all of that with Pulumi

The "Assign workload identity" block looks to work on the Project level; I think it needs to be on the Service Account itself instead.

<https://www.pulumi.com/registry/packages/gcp/api-docs/serviceaccount/iammember/>

The TF code should be a good reference: <https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/v27.0.0/modules/workload-identity/main.tf#L81-L85>