Workload identity using console

  1. Enable Workload Identity on the GKE cluster:

    • To enable Workload Identity Federation for GKE on an existing cluster:

      • Navigate to Kubernetes Engine > Clusters.
      • Select the cluster name.
      • In the Workload Identity section, click Edit and select the Enable Workload Identity checkbox.
      • Click Save.
    • To modify an existing node pool to use Workload Identity Federation for GKE, perform the following steps:

      • Navigate to Kubernetes Engine > Clusters.
      • Click on the cluster name.
      • Click on the Node tab.
      • Click on the node pool name you want to modify.
      • Click Edit.
      • In the Security section, select the Enable GKE Metadata Server checkbox.
      • Click Save.
  2. Create an IAM allow policy that grants the Kubernetes ServiceAccount permission to impersonate the IAM service account:

    • Go to the IAM & Admin page in the Google Cloud Console.
    • Click Service accounts in the sidebar.
    • Find and select your service account.
    • Go to the Permissions tab.
    • Click Grant Access, and in the role section search for Workload Identity User.
    • In Principal name, add <PROJECT_ID>.svc.id.goog[<NAMESPACE_NAME>/<KSA_NAME>].
      • PROJECT_ID: your Google Cloud project ID.
      • NAMESPACE_NAME: the Kubernetes namespace name.
      • KSA_NAME: the Kubernetes ServiceAccount name, e.g. connector-<connector-name>-<Instance-Name>-privacera-sa.
    • Click Save.
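
As an added example that is not part of the original page, the same two steps expressed as gcloud commands, with the principal string built by a small function and a final check that lists who may impersonate the IAM service account. It prints the commands instead of running them unless DRY_RUN=0, and every project, cluster, namespace and account name in it is a placeholder assumption.

```shell
# Added example, not from the original page: gcloud equivalent of the console steps.
# Dry-run by default (commands are printed, not executed); set DRY_RUN=0 to apply.
set -eu

# Build the principal for a Kubernetes ServiceAccount under Workload Identity
# Federation: serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]
wi_member() {
  project="$1"; namespace="$2"; ksa="$3"
  [ -n "$project" ] && [ -n "$namespace" ] && [ -n "$ksa" ] || return 1
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$project" "$namespace" "$ksa"
}

# Print the command when DRY_RUN=1 (default), otherwise run it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Step 1: Workload Identity on the cluster, GKE metadata server on the node pool.
enable_workload_identity() {
  run gcloud container clusters update "$3" --location="$2" \
    --workload-pool="$1.svc.id.goog"
  run gcloud container node-pools update "$4" --cluster="$3" --location="$2" \
    --workload-metadata=GKE_METADATA
}

# Step 2: grant only roles/iam.workloadIdentityUser, only on the one IAM
# service account this KSA needs to impersonate (no project-level grant).
bind_ksa_to_gsa() {
  member="$(wi_member "$1" "$2" "$3")"
  run gcloud iam service-accounts add-iam-policy-binding "$4" \
    --role=roles/iam.workloadIdentityUser --member="$member"
}

# Check: show every principal allowed to impersonate the IAM service account,
# so stale or overly broad bindings can be spotted and removed.
audit_gsa_bindings() {
  run gcloud iam service-accounts get-iam-policy "$1" --format=json
}

# Placeholder values (constructed); replace with your own.
PROJECT_ID="my-project"; LOCATION="us-central1"
CLUSTER="my-cluster"; NODE_POOL="default-pool"
NAMESPACE="privacera"; KSA_NAME="connector-postgres-inst1-privacera-sa"
GSA_EMAIL="privacera-connector@${PROJECT_ID}.iam.gserviceaccount.com"

enable_workload_identity "$PROJECT_ID" "$LOCATION" "$CLUSTER" "$NODE_POOL"
bind_ksa_to_gsa "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME" "$GSA_EMAIL"
audit_gsa_bindings "$GSA_EMAIL"
```

Review the printed commands first; the audit output is the place to confirm that only the intended namespace/KSA pair holds the Workload Identity User role on that service account.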

Note
If you don’t have an existing cluster in your GCP project, follow the linked instructions to create a new cluster and node pool.
