# google-cloud
p
I didn't really know what channel this fit in best. I suppose it could be a toss up between #CRFURDVQB, #CCWP5TJ5U, and #CRFUR2DGB
b
@purple-airport-15218 looking at the terraform example, I don’t see a Kubernetes service account defined? What’s not working exactly?
p
hey @billowy-army-68599! Here's an example of what works and what I can achieve in terraform using the public workload ID module
```hcl
module "gsm_gke_workload_identity" {
  for_each = toset(var.namespace_list)
  source   = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version  = "~> 25.0"
  name     = "gsm-gke-workload-identity-${each.value}"

  namespace  = each.value
  project_id = var.project_name

  gcp_sa_name         = "secret-accessor-sa"
  use_existing_gcp_sa = true
  k8s_sa_name         = "secret-accessor-sa"

  depends_on = [
    module.kubernetes
  ]
}
```
I used Pulumi AI to generate this as part of my gke cluster creation to enable workload ID but I think that's only half the battle:
```go
// Fragment of the container.ClusterArgs passed when creating the GKE cluster
WorkloadIdentityConfig: &container.ClusterWorkloadIdentityConfigArgs{
	WorkloadPool: pulumi.Sprintf("%s.svc.id.goog", projectId),
},
```
Effectively I'm trying to get a GCP service account to be used by the kubernetes service account and connect with google secret manager. It's all up and working AFTER I run
```shell
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:go-gke-gsm-pulumi.svc.id.goog[default/secret-accessor-sa]" \
  secret-accessor-sa@go-gke-gsm-pulumi.iam.gserviceaccount.com
```
but I am hoping to see if I can add this to the creation of my infrastructure so I don't have to run it after creation.
Full transparency - I am a super new Pulumi beginner and frankly I don't even know Golang so I am probably biting off much more than I can chew 😓
b
Do you have a Kubernetes service account? How are you creating that? Have you labelled/annotated it correctly?
p
ooh... I see. Yeah, this might be an order-of-operations problem 🤦‍♂️ I'm creating all the infra and then creating the serviceAccount in the GKE cluster with the deployment of my application, and therefore I have to run that command or make sure the serviceAccount exists prior to installing my chart...
This helped provide clarity. Thanks a ton @billowy-army-68599!
b
You should be able to do all of that with Pulumi.
d
The "Assign workload identity" block looks to work on the Project level; I think it needs to be on the Service Account itself instead. https://www.pulumi.com/registry/packages/gcp/api-docs/serviceaccount/iammember/ The TF code should be a good reference: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/v27.0.0/modules/workload-identity/main.tf#L81-L85