
Change the default Service Account Credential in GKE Pod (Workload Identity)

Maciej
3 min read · Sep 18, 2019


Before

  • To call GCP APIs from a Pod on GKE, a Google Service Account key had to be created and mounted into the Pod as a Kubernetes Secret.
  • That means the key had to be issued and downloaded first.
  • Because the Google Service Account carries all the API permissions the application needs, that key is sensitive information.
  • Even so, it had to be stored at least once on the operator’s workstation or in a working environment, so key hygiene was poor (for example, it was not deleted right after use) and the key could be used outside the application, including by the operator themselves.
  • I want to assign a Service Account to a Pod without downloading any credential …

Now

  • Workload Identity appeared.
  • End.

I tried using it (CronJob)

Prerequisites

  • The operator has been granted various privileges.
  • The following permissions should be included (some may or may not be necessary):
resourcemanager.projects.get
iam.serviceAccounts.get
iam.serviceAccounts.list
iam.serviceAccounts.create
iam.serviceAccounts.actAs
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.getIamPolicy
compute.projects.get
compute.regions.get
compute.regions.list
compute.zones.get
compute.zones.list…
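To make the before/after contrast concrete, here is an added example (not the author's manifests) of the same CronJob written both ways: first with a downloaded key mounted from a Secret, then with Workload Identity, where the Kubernetes ServiceAccount is annotated with the Google Service Account it should act as and no key exists anywhere. All names (project `example-project`, namespace `batch`, Google Service Account `batch-job-sa`, Kubernetes ServiceAccount `batch-job`, the container image) are constructed for the illustration.

```yaml
# --- BEFORE: long-lived key mounted as a Secret (constructed example) ---
apiVersion: v1
kind: Secret
metadata:
  name: batch-job-gsa-key
  namespace: batch
type: Opaque
data:
  # base64 of the downloaded key JSON. The same bytes also sit on whichever
  # workstation downloaded them. PLACEHOLDER, not a real key.
  key.json: PLACEHOLDER_BASE64_KEY_JSON
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: list-buckets-with-key
  namespace: batch
spec:
  schedule: "*/30 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: gsutil
              image: gcr.io/google.com/cloudsdktool/cloud-sdk:slim   # assumed image
              # the key file must be activated explicitly before any API call
              command:
                - sh
                - -c
                - gcloud auth activate-service-account --key-file=/var/secrets/google/key.json && gsutil ls
              volumeMounts:
                - name: gsa-key
                  mountPath: /var/secrets/google
                  readOnly: true
          volumes:
            - name: gsa-key
              secret:
                secretName: batch-job-gsa-key
---
# --- AFTER: Workload Identity, no key anywhere (constructed example) ---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: batch-job
  namespace: batch
  annotations:
    # binds this Kubernetes ServiceAccount to the Google Service Account;
    # the GKE metadata server then hands the Pod short-lived tokens for it
    iam.gke.io/gcp-service-account: batch-job-sa@example-project.iam.gserviceaccount.com
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: list-buckets
  namespace: batch
spec:
  schedule: "*/30 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: batch-job   # the annotated KSA above
          restartPolicy: OnFailure
          containers:
            - name: gsutil
              image: gcr.io/google.com/cloudsdktool/cloud-sdk:slim   # assumed image
              # application default credentials come from the metadata server,
              # so no activation step and no Secret volume are needed
              command: ["gsutil", "ls"]
```

The annotation alone is not enough: the cluster needs Workload Identity enabled (`--workload-pool=example-project.svc.id.goog` on the cluster and `--workload-metadata=GKE_METADATA` on the node pool), and the Google Service Account must allow the KSA to impersonate it, which is the `iam.serviceAccounts.setIamPolicy` permission in the list above: `gcloud iam service-accounts add-iam-policy-binding batch-job-sa@example-project.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:example-project.svc.id.goog[batch/batch-job]"`. To check that a Pod really runs as the intended identity, query the metadata server from inside it with `curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email`; it should print the Google Service Account address, not the node's default account. The security gain is the absence of the Secret: there is no key JSON to leak from the cluster or from an operator's laptop, and the tokens the Pod does receive expire on their own.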


Written by Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.
