Workload identity

Workload Identity Federation for GKE (WIF) is a mechanism that lets your cluster's workloads access external cloud resources with Kubernetes Service Accounts. WIF is the recommended way for applications running within GKE attached clusters to access Google Cloud services. When you register your cluster, the GKE attached clusters API creates all the infrastructure required for WIF, with support for clusters that use either public or private OIDC issuers.

All GKE Enterprise services that connect back to Google Cloud, such as Connect and telemetry agents, use Workload Identity Federation for GKE.

Kubernetes service accounts and Workload Identity Federation for GKE

When a Pod runs, it uses a Kubernetes service account to authorize its access to resources hosted within its cluster. By using WIF, the Pod can use the same Kubernetes Service Account (KSA) to obtain a short-lived token to access resources hosted outside the cluster.

WIF requires a trust relationship between the OIDC identity provider inside the cluster and the external resource provider, such as Google Cloud IAM. When you register an Attached Cluster, the registration process automatically creates this trust relationship by adding your cluster's OIDC service to the default workload identity pool bound to your Google Cloud project.

This workload identity pool is your Google project's pool of trusted identity providers and is named PROJECT_ID.svc.id.goog, where PROJECT_ID is the Google Project ID associated with your attached cluster.

You can use regular Google Cloud IAM policies to control access by Kubernetes Service Accounts to Google Cloud services. Kubernetes Service Account principals are the representation of the KSA within the workload identity pool. They're formatted as follows:

serviceAccount:WORKLOAD_IDENTITY_POOL_NAME[KSA_NAMESPACE/KSA_NAME]

To grant a role to the Kubernetes service account, use the following command:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:PROJECT_ID.svc.id.goog[KSA_NAMESPACE/KSA_NAME]" \
  --role=IAM_ROLE

Replace:

  • PROJECT_ID: your Google Cloud project ID
  • KSA_NAMESPACE: the cluster namespace that this service account resides in
  • KSA_NAME: the name of the Kubernetes service account you want to grant permissions to
  • IAM_ROLE: the Google Cloud role you want to grant to this KSA
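The following shell script is an added example, not part of the original page or the GKE attached clusters tooling. It builds the principal string in the format shown above from PROJECT_ID, KSA_NAMESPACE and KSA_NAME, validates the two Kubernetes names against the DNS-1123 rules Kubernetes enforces, refuses the project-wide basic roles (roles/owner, roles/editor, roles/viewer) so that a single workload is not granted far more than it needs, and composes the gcloud binding command. The function names, the placeholder values (my-project, default, my-app) and the role are constructed for the example; the script prints the command rather than running it so the values can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original page): compose and sanity-check a
# Workload Identity Federation IAM binding for a Kubernetes service account.

# Kubernetes namespace: a DNS-1123 label (lowercase alphanumerics and '-',
# starts and ends alphanumeric, at most 63 characters).
is_dns_label() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Kubernetes service account name: a DNS-1123 subdomain (dot-separated
# labels, at most 253 characters).
is_dns_subdomain() {
  [ ${#1} -le 253 ] || return 1
  printf '%s' "$1" |
    grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# Build the IAM member for a KSA in the project's default workload identity
# pool: serviceAccount:PROJECT_ID.svc.id.goog[KSA_NAMESPACE/KSA_NAME].
# Prints the member on success; returns 1 on invalid input.
wif_member() {
  project="$1"; ns="$2"; ksa="$3"
  [ -n "$project" ]        || { echo "project id required" >&2; return 1; }
  is_dns_label "$ns"       || { echo "invalid namespace: $ns" >&2; return 1; }
  is_dns_subdomain "$ksa"  || { echo "invalid KSA name: $ksa" >&2; return 1; }
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$project" "$ns" "$ksa"
}

# Accept predefined roles (roles/...) and custom roles, but reject the basic
# roles, which grant project-wide access far beyond a single workload's needs.
role_is_scoped() {
  case "$1" in
    roles/owner|roles/editor|roles/viewer) return 1 ;;
    roles/*|projects/*/roles/*|organizations/*/roles/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compose the gcloud command shown on the page as one line. The command is
# printed, not executed; pipe the output to sh once the values are reviewed.
bind_command() {
  project="$1"; ns="$2"; ksa="$3"; role="$4"
  member=$(wif_member "$project" "$ns" "$ksa") || return 1
  role_is_scoped "$role" || {
    echo "refusing overly broad or malformed role: $role" >&2; return 1; }
  printf 'gcloud projects add-iam-policy-binding %s --member="%s" --role=%s\n' \
    "$project" "$member" "$role"
}

# Constructed placeholder values for demonstration.
bind_command my-project default my-app roles/storage.objectViewer
```

A binding for a KSA that does not yet exist, or whose name is misspelled, succeeds in IAM but never matches a real workload, so the validation above is worth keeping even when the script is adapted to run the command directly.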