sparse-intern-71089 (09/11/2023, 2:18 PM):

purple-airport-15218 (09/11/2023, 2:20 PM):

billowy-army-68599:

purple-airport-15218 (09/11/2023, 2:26 PM):

    module "gsm_gke_workload_identity" {
      for_each            = toset(var.namespace_list)
      source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
      version             = "~> 25.0"
      name                = "gsm-gke-workload-identity-${each.value}"
      namespace           = each.value
      project_id          = var.project_name
      gcp_sa_name         = "secret-accessor-sa"
      use_existing_gcp_sa = true
      k8s_sa_name         = "secret-accessor-sa"
      depends_on = [
        module.kubernetes
      ]
    }
I used Pulumi AI to generate this as part of my GKE cluster creation to enable Workload Identity, but I think that's only half the battle:
    WorkloadIdentityConfig: &container.ClusterWorkloadIdentityConfigArgs{
        WorkloadPool: pulumi.Sprintf("%s.svc.id.goog", projectId),
    },
Effectively I'm trying to get a GCP service account to be used by the Kubernetes service account and connect with Google Secret Manager. It's all up and working AFTER I run
    gcloud iam service-accounts add-iam-policy-binding \
      --role roles/iam.workloadIdentityUser \
      --member "serviceAccount:go-gke-gsm-pulumi.svc.id.goog[default/secret-accessor-sa]" \
      secret-accessor-sa@go-gke-gsm-pulumi.iam.gserviceaccount.com
but I am hoping to see if I can add this to the creation of my infrastructure so I don't have to run this after creation.

purple-airport-15218 (09/11/2023, 2:26 PM):

billowy-army-68599:

purple-airport-15218 (09/11/2023, 2:30 PM):

purple-airport-15218 (09/11/2023, 2:31 PM):

billowy-army-68599:

dry-keyboard-94795 (09/11/2023, 3:28 PM):