Workload identity using cli

  1. Enable Workload Identity on the GKE cluster:

    • To enable Workload Identity Federation for GKE on an existing cluster, run the following command:

      gcloud container clusters update <CLUSTER_NAME> \
        --location=<LOCATION> \
        --workload-pool=<PROJECT_ID>.svc.id.goog

      Replace the following:

      • CLUSTER_NAME: the name of your existing cluster.
      • LOCATION: the Compute Engine location for the cluster.
      • PROJECT_ID: your Google Cloud project ID.
    • To create a node pool that uses Workload Identity Federation for GKE on that cluster, run the following command:

      gcloud container node-pools create <NODEPOOL_NAME> \
        --cluster=<CLUSTER_NAME> \
        --region=<REGION> \
        --workload-metadata=GKE_METADATA

      Replace the following:

      • NODEPOOL_NAME: the name of the new node pool.
      • CLUSTER_NAME: the name of the existing cluster with Workload Identity Federation for GKE enabled.
      • REGION: the region where the cluster is located.
  2. Add an IAM policy binding that allows the Kubernetes ServiceAccount to impersonate the IAM service account:

    • Run the following command to add the IAM policy binding:
      gcloud iam service-accounts add-iam-policy-binding <IAM_SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:<PROJECT_ID>.svc.id.goog[<NAMESPACE>/<KSA_NAME>]"

      Replace the following:

      • PROJECT_ID: your Google Cloud project ID.
      • NAMESPACE: the Kubernetes namespace name.
      • KSA_NAME: the Kubernetes ServiceAccount name, e.g. connector-<CONNECTOR-NAME>-<INSTANCE-NAME>-privacera-sa.
      • IAM_SA_NAME: the IAM service account name.
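
The steps above, wrapped into a small POSIX shell script as an added example (this is not code from the original page or from Privacera's tooling). It builds the exact principal strings the commands expect, runs the three gcloud commands from the page (or prints them when DRY_RUN=1), adds the KSA annotation that links the Kubernetes ServiceAccount to the IAM service account, and includes an audit helper that flags any Workload Identity principal bound to the IAM service account other than the one expected. The project, cluster, namespace and account names, and the sample IAM policy JSON, are constructed placeholders; it assumes gcloud and kubectl are installed and authenticated when not in dry-run mode.

```shell
#!/usr/bin/env sh
# Added example: Workload Identity Federation for GKE setup plus a binding audit.
# All names below are constructed placeholders, not values from the page.

# Workload Identity principal for a Kubernetes ServiceAccount:
#   serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]
wi_member() {
  # $1 project id, $2 namespace, $3 KSA name
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# Email of the IAM service account the KSA is allowed to impersonate.
iam_sa_email() {
  # $1 IAM SA name, $2 project id
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The page's procedure end to end. Arguments:
#   project location cluster nodepool namespace ksa iam_sa_name
# --location is used for both cluster and node-pool commands (it accepts a
# zone or a region), instead of the page's --region on the node-pool command.
setup_workload_identity() {
  project=$1; location=$2; cluster=$3; pool=$4; ns=$5; ksa=$6; iam_sa=$7
  sa_email=$(iam_sa_email "$iam_sa" "$project")
  # 1. Enable the workload pool on the existing cluster.
  run gcloud container clusters update "$cluster" \
    --location="$location" --workload-pool="$project.svc.id.goog"
  # 1b. Add a node pool whose nodes serve the GKE metadata server.
  run gcloud container node-pools create "$pool" --cluster="$cluster" \
    --location="$location" --workload-metadata=GKE_METADATA
  # 2. Allow exactly this namespace/KSA to impersonate the IAM SA.
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --role=roles/iam.workloadIdentityUser \
    --member="$(wi_member "$project" "$ns" "$ksa")"
  # 3. Point the KSA at the IAM SA so pods using it receive its credentials.
  run kubectl annotate serviceaccount "$ksa" --namespace "$ns" \
    "iam.gke.io/gcp-service-account=$sa_email" --overwrite
}

# Audit helper: read an IAM policy as JSON from stdin (the output of
# `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`) and
# print every Workload Identity principal that is not the expected one.
# Empty output means only the intended namespace/KSA can impersonate the SA.
unexpected_wi_members() {
  expected=$1
  grep -o '"serviceAccount:[^"]*svc.id.goog\[[^"]*\]"' | tr -d '"' \
    | grep -v -x -F "$expected" || true
}

# Constructed sample policy: one intended binding and one stray principal.
SAMPLE_POLICY=$(cat <<'EOF'
{
  "bindings": [
    {
      "role": "roles/iam.workloadIdentityUser",
      "members": [
        "serviceAccount:my-proj.svc.id.goog[privacera/connector-a-b-privacera-sa]",
        "serviceAccount:my-proj.svc.id.goog[default/other-sa]"
      ]
    }
  ]
}
EOF
)

# Usage (dry run prints the commands instead of executing them):
#   DRY_RUN=1 setup_workload_identity my-proj us-central1 my-cluster wi-pool \
#     privacera connector-a-b-privacera-sa privacera-sa
# Audit a live policy:
#   gcloud iam service-accounts get-iam-policy "$(iam_sa_email privacera-sa my-proj)" \
#     --format=json | unexpected_wi_members "$(wi_member my-proj privacera connector-a-b-privacera-sa)"
```

Run the audit after the binding step and whenever the service account's policy changes: roles/iam.workloadIdentityUser is what lets a pod obtain the IAM service account's credentials, so every principal on that binding should be a namespace/KSA pair you intended, and nothing else.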

Note
If you don't have an existing cluster in your GCP project, follow the instructions at this link to create a new cluster and node pool first.