My requirement is to use a single GKE cluster to spin up pods that can impersonate one of 1000 app-specific GSAs.
How can I achieve this with minimal operational complexity? What I am trying is to have a single platform GSA, which can impersonate any of the 1000 app-specific GSAs, and have the Kubernetes KSA mapped to this platform GSA. But I do not know how to make the pod (which uses the platform GSA) impersonate one of the 1000 app-specific GSAs.
The code currently uses Dataproc/BigQuery/GCS. But the code should be capable of accessing any GCP service based on the access/restrictions bound to the GSA. The number of GSAs can be well above 1000 (~10K).
@garisingh I am planning to use the command below in the pod to create the cred-config.json file. Once the file is generated, I will use it to set ADC. The idea is to dynamically create the cred-config.json files for each application-specific GSA.
I have the values for the project_id and the pool_id (the gke cluster’s projectid.svc.goog).
Now I am stuck with the provider_id.
As per my limited knowledge, the GKE cluster should act as the provider, right? Please correct me and help me get a valid provider_id to be used within GKE.
Then I will execute the command below, which sets up the authentication details, so that subsequent commands get valid tokens and work.
gcloud auth login --cred-file=cred-config.json

e.g.:

gcloud compute instances list --project=app-specific-project_id
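Added example, not code from the post or from Google's client libraries: once the KSA is mapped to the platform GSA through Workload Identity, a pod can mint a short-lived token for any app-specific GSA with the IAM Credentials generateAccessToken API, with no credential-config file and no key file involved. It assumes the platform GSA holds roles/iam.serviceAccountTokenCreator on each app GSA, and the GSA e-mail used below is a hypothetical placeholder.

```python
import json
import urllib.request

# GKE metadata server endpoint that issues the platform GSA's token to the pod.
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"


def http_json(url, headers, body=None):
    """Minimal JSON HTTP helper (urllib only); POSTs when a body is given."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers,
                                 method="POST" if data else "GET")
    if data:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def platform_token(fetch=http_json):
    """Access token of the platform GSA that Workload Identity maps the KSA to.
    The pod never holds a key; the metadata server issues a short-lived token."""
    return fetch(METADATA_TOKEN_URL, {"Metadata-Flavor": "Google"})["access_token"]


def impersonation_request(app_gsa, lifetime_s=3600):
    """URL and body of the IAM Credentials generateAccessToken call."""
    if not 0 < lifetime_s <= 3600:  # one hour is the default maximum lifetime
        raise ValueError("lifetime must be 1..3600 seconds")
    return (f"{IAM_CREDENTIALS}{app_gsa}:generateAccessToken",
            {"scope": [CLOUD_PLATFORM], "lifetime": f"{lifetime_s}s"})


def app_gsa_token(app_gsa, lifetime_s=3600, fetch=http_json):
    """Exchange the platform GSA token for a short-lived token of app_gsa.
    Requires roles/iam.serviceAccountTokenCreator for the platform GSA on
    app_gsa; returns (accessToken, expireTime). Keep lifetime_s small so a
    leaked token is useful to an attacker for as short a window as possible."""
    url, body = impersonation_request(app_gsa, lifetime_s)
    headers = {"Authorization": f"Bearer {platform_token(fetch)}"}
    resp = fetch(url, headers, body)
    return resp["accessToken"], resp["expireTime"]


if __name__ == "__main__":
    # Hypothetical app GSA; run inside a Workload Identity-enabled pod.
    print(app_gsa_token("app-0001@app-project.iam.gserviceaccount.com", 900))
```

Every impersonation shows up in the app GSA's project as a generateAccessToken entry in Cloud Audit Logs (Data Access logs for iamcredentials.googleapis.com), which is the signal to monitor for a platform GSA impersonating a GSA it should not.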