purple-airport-15218
09/11/2023, 2:18 PM
gcloud iam service-accounts add-iam-policy-binding \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:go-gke-gsm-pulumi.svc.id.goog[default/secret-accessor-sa]" \
    secret-accessor-sa@go-gke-gsm-pulumi.iam.gserviceaccount.com
I thought I achieved what I desired with this
// Create a GCP service account
account, err := serviceaccount.NewAccount(ctx, "secretAccessSvcAccount", &serviceaccount.AccountArgs{
	Project:     pulumi.String(projectId),
	AccountId:   pulumi.String("secret-accessor-sa"),
	DisplayName: pulumi.String("secret accessor service account"),
	Description: pulumi.String("This service account has the secret accessor role"),
})
if err != nil {
	return err
}

// Assign "Secret Accessor" role to the service account (project-level binding)
_, err = projects.NewIAMMember(ctx, "secretAccessorRole", &projects.IAMMemberArgs{
	Role:    pulumi.String("roles/secretmanager.secretAccessor"),
	Member:  pulumi.Sprintf("serviceAccount:%s", account.Email),
	Project: pulumi.String(projectId),
})
if err != nil {
	return err
}

// Assign "Workload Identity" role to the service account.
// Note: this is also a project-level binding whose member is the GCP service
// account itself, unlike the gcloud command above, which binds the role on the
// GCP service account's own IAM policy with the Kubernetes service account as member.
_, err = projects.NewIAMMember(ctx, "workloadIdentityRole", &projects.IAMMemberArgs{
	Role:    pulumi.String("roles/iam.workloadIdentityUser"),
	Member:  pulumi.Sprintf("serviceAccount:%s", account.Email),
	Project: pulumi.String(projectId),
})
if err != nil {
	return err
}
But I was still getting errors pointing to the reality that the service account wasn't really able to act as the workload identity. It worked just fine when I ran the gcloud
command, and it works just fine using a Terraform module to bind the Kubernetes service account to the GCP service account. Any idea?
billowy-army-68599
purple-airport-15218
09/11/2023, 2:26 PM
module "gsm_gke_workload_identity" {
  for_each            = toset(var.namespace_list)
  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version             = "~> 25.0"
  name                = "gsm-gke-workload-identity-${each.value}"
  namespace           = each.value
  project_id          = var.project_name
  gcp_sa_name         = "secret-accessor-sa"
  use_existing_gcp_sa = true
  k8s_sa_name         = "secret-accessor-sa"
  depends_on = [
    module.kubernetes
  ]
}
I used Pulumi AI to generate this as part of my GKE cluster creation to enable workload identity, but I think that's only half the battle:
WorkloadIdentityConfig: &container.ClusterWorkloadIdentityConfigArgs{
	WorkloadPool: pulumi.Sprintf("%s.svc.id.goog", projectId),
},
Effectively I'm trying to get a GCP service account to be used by the Kubernetes service account and connect with Google Secret Manager. It's all up and working AFTER I run
gcloud iam service-accounts add-iam-policy-binding \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:go-gke-gsm-pulumi.svc.id.goog[default/secret-accessor-sa]" \
    secret-accessor-sa@go-gke-gsm-pulumi.iam.gserviceaccount.com
but I am hoping to see if I can add this to the creation of my infrastructure so I don't have to run this after creation.
billowy-army-68599
purple-airport-15218
09/11/2023, 2:30 PM
billowy-army-68599
dry-keyboard-94795
09/11/2023, 3:28 PM