
How to use Workload Identity for access provisioning of Kubernetes services on Google Cloud

Workload Identity is the recommended way for your workloads running on Google Kubernetes Engine (GKE) to access Google Cloud services in a secure and manageable way.

Chau Vinh Loi
7 min read · Oct 3, 2022

So you are going to deploy a workload on a Kubernetes (k8s) cluster, and it requires access to Google APIs such as Cloud Storage and BigQuery. It can be confusing that in the GKE world, k8s service accounts are used by k8s services, while access to Google APIs is provisioned with IAM policies and Google service accounts. This means you need a way for the k8s services to use Google service accounts to authenticate to Google APIs.

k8s service with k8s and Google service account

In this article, I will first explain two approaches for accessing Google APIs from GKE using Google service accounts. I will then describe a better and preferred method, Workload Identity, for accessing Google Cloud services in a secure and manageable manner.
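The Workload Identity binding the article goes on to describe, as an added example that is not part of the original post: it maps a Kubernetes service account (KSA) to a Google service account (GSA) so that a pod using the KSA authenticates to Google APIs as that GSA, with no key file mounted in the pod. All project, cluster, namespace and account names are assumptions, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/usr/bin/env sh
# Added example, not the article's own code. Names below are assumptions.
# DRY_RUN=1 (default) prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# Member string Workload Identity uses to identify a KSA:
#   serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"; }

# GSA e-mail derived from its short name and the project id.
gsa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Precondition: the cluster has a workload pool and the node pool serves
# GKE metadata (otherwise pods see the node's service account instead).
enable_workload_identity() {
  cluster="$1"; pool="$2"; project="$3"; zone="$4"
  run gcloud container clusters update "$cluster" --project "$project" \
      --zone "$zone" --workload-pool "$project.svc.id.goog"
  run gcloud container node-pools update "$pool" --cluster "$cluster" \
      --project "$project" --zone "$zone" --workload-metadata GKE_METADATA
}

# Bind KSA -> GSA. Only roles/iam.workloadIdentityUser is granted on the GSA;
# API permissions (e.g. roles/storage.objectViewer) are granted to the GSA
# itself, so the pod gets exactly the GSA's rights and nothing more.
bind_workload_identity() {
  project="$1"; ns="$2"; ksa="$3"; gsa="$4"
  email="$(gsa_email "$gsa" "$project")"
  member="$(wi_member "$project" "$ns" "$ksa")"
  run kubectl create serviceaccount "$ksa" --namespace "$ns"
  run gcloud iam service-accounts add-iam-policy-binding "$email" \
      --project "$project" --role roles/iam.workloadIdentityUser --member "$member"
  run kubectl annotate serviceaccount "$ksa" --namespace "$ns" \
      "iam.gke.io/gcp-service-account=$email"
}

# Check: a pod running as the KSA should list the GSA as its active account.
verify_workload_identity() {
  ns="$1"; ksa="$2"
  run kubectl run wi-test --namespace "$ns" --rm -i --restart=Never \
      --image google/cloud-sdk:slim \
      --overrides "{\"spec\":{\"serviceAccountName\":\"$ksa\"}}" -- gcloud auth list
}

enable_workload_identity my-cluster default-pool my-project us-central1-a
bind_workload_identity my-project default storage-reader storage-reader-gsa
verify_workload_identity default storage-reader
```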

This article assumes you have some level of understanding about…
