Version: 6.4.1

GKE Workload Identity

This page describes how to configure Workload Identity for GKE clusters running in GCP.

“Workload Identity” allows a Kubernetes service to automatically authenticate as a service account when accessing cloud provider APIs (e.g. Google’s BigQuery APIs, AWS S3 buckets).

Workload identity is a term used in GCP that is roughly equivalent to IAM Roles for Service Accounts (IRSA) in AWS.

Unlike user accounts, service accounts don’t have a password and cannot be used via a login UI. They are configured and managed as part of a project in GCP.

What are Workload Identities

Workload Identities (configured through Kubernetes service accounts that impersonate Google service accounts) can be used to assume configured roles that grant access and permissions to GKE services. For example, if you have a Skill that calls for a connection, you can use a workload identity instead of providing GCP API tokens (an access key and secret key).

In GCP, resources are organized under “projects.” Customers can deploy all of their Google Cloud resources under a single project, or create separate projects to organize resources into logical groupings. Workload Identities can then be used to define access and authorization for each project.

For details about native Workload Identity support, refer to Google's Workload Identity documentation.

Workload Identity Benefits

  • Individual services such as connections need not provide access credentials.
  • Centralized management of fine-grained identity and authorization is available for each application within a project.
  • It is the recommended way for your workloads running on Google Kubernetes Engine (GKE) to access Google Cloud services in a secure and manageable way.

How is Workload Identity Configured

Workload identity needs to be configured at two different levels:

  • Kubernetes service accounts: Kubernetes resources that provide an identity for processes running in your GKE pods.
  • IAM service accounts: Google Cloud resources that allow applications to make authorized calls to Google Cloud APIs.
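The two-level setup described above, as an added shell example (not code from the original page or the product it documents). It creates the IAM service account, creates the Kubernetes service account, binds the two with the `roles/iam.workloadIdentityUser` role, and annotates the Kubernetes service account so GKE's metadata server issues tokens for the Google service account to that pod's processes. All project, namespace and account names are assumed placeholders; the cloud commands only run when `RUN_GCLOUD=1` is set, so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original page. Names below are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"   # assumed GCP project id
NAMESPACE="${NAMESPACE:-default}"        # namespace of the Kubernetes service account
KSA="${KSA:-app-ksa}"                    # Kubernetes service account name
GSA_NAME="${GSA_NAME:-app-gsa}"          # IAM (Google) service account name

# A project's Workload Identity pool is always PROJECT_ID.svc.id.goog
wi_pool() {
  printf '%s.svc.id.goog' "$1"
}

# IAM principal that identifies one KSA in one namespace:
#   serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA]
# The namespace is part of the principal, so a KSA of the same name in
# another namespace does NOT inherit the binding.
wi_member() {
  printf 'serviceAccount:%s[%s/%s]' "$(wi_pool "$1")" "$2" "$3"
}

# Email of the IAM service account in a project
gsa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

configure_workload_identity() {
  gsa="$(gsa_email "$GSA_NAME" "$PROJECT_ID")"

  # 1. IAM service account: the Google Cloud identity the pods will act as.
  gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID"

  # 2. Kubernetes service account: the identity of the processes in the pod.
  kubectl create serviceaccount "$KSA" --namespace "$NAMESPACE"

  # 3. Let the KSA impersonate the GSA. This binding replaces a downloaded key file.
  gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --project "$PROJECT_ID" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA")"

  # 4. Tell GKE which GSA to map the KSA to; pods using this KSA then receive
  #    GSA access tokens from the metadata server instead of needing credentials.
  kubectl annotate serviceaccount "$KSA" --namespace "$NAMESPACE" \
    "iam.gke.io/gcp-service-account=$gsa"
}

if [ "${RUN_GCLOUD:-0}" = "1" ]; then
  configure_workload_identity
fi
```

The `roles/iam.workloadIdentityUser` binding only permits impersonation; the Google service account still needs its own, separately granted roles on the resources the workload uses (for example a BigQuery role), and those should be scoped as narrowly as the service requires. Pods must also run with `serviceAccountName` set to the annotated Kubernetes service account, otherwise they fall back to the default account with no mapping.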