Hello,
Is it possible to use workload identity to access from a GKE pod to a GCP service of another project? A project that is different from the one in which the GKE cluster is created.
Thanks
Yes, you can. You will have to create the Google Service Account (GSA) in the same project as the GKE cluster. Configure Workload Identity as usual [1] and configure the IAM permissions that allow the Pod to access the resource in the target project (i.e. the GSA should have the permissions to access the API you want in the project where that API is).
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
Hello,
Is there a chance to do a step by step? How would I "configure the IAM permissions that allow the Pod to access the Resource on the target project (aka the GSA should have the permissions to access the API you want in the project where that API is)"?
Cheers
OK, I've got it myself. I guess I didn't understand you properly. Steps I followed:
1. All the steps described here https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity in my GCP project with the GKE cluster.
2. In the other GCP project, where the API is which I want to control, go to: "IAM > Add > enter the email of the GKE GCP SA and select the role you need".
In my special case I needed to control Cloud DNS with External DNS. Please note you need extraArgs as described here https://bityl.co/BNIv and here https://bityl.co/BNIw.
Cheers
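The steps above (GSA in the cluster project, Workload Identity binding, then an IAM grant in the other project) as one script. This is an added example, not code from the thread or from Google; the project IDs, namespace, service account names and the secret name are placeholders, and it defaults to printing the gcloud/kubectl commands (DRY_RUN=1) so you can review them before running with DRY_RUN=0. It uses Secret Manager as the target API, as in the later posts, and grants the role on the single secret rather than on the whole project.

```shell
#!/bin/sh
# Added example: cross-project Workload Identity. All values below are assumed
# placeholders; override them via the environment.
PROJECT_A="${PROJECT_A:-cluster-project}"   # project that owns the GKE cluster (and the GSA)
PROJECT_B="${PROJECT_B:-secrets-project}"   # project that owns the Secret Manager secret
NAMESPACE="${NAMESPACE:-default}"
KSA="${KSA:-app-ksa}"                       # Kubernetes service account the pod runs as
GSA_NAME="${GSA_NAME:-app-gsa}"             # Google service account name (no @domain)
SECRET="${SECRET:-app-secret}"              # secret in PROJECT_B the pod must read
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute them

# GSA e-mail is always <name>@<project>.iam.gserviceaccount.com
gsa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Workload Identity member: the pool belongs to the CLUSTER project, not the
# project being accessed. Getting this wrong is a common cause of 403s.
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"; }

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

setup() {
  gsa=$(gsa_email "$GSA_NAME" "$PROJECT_A")
  member=$(wi_member "$PROJECT_A" "$NAMESPACE" "$KSA")

  # 1. Create the GSA in the cluster project (as the first answer recommends;
  #    this avoids attaching a service account from another project).
  run gcloud iam service-accounts create "$GSA_NAME" --project="$PROJECT_A"

  # 2. Allow the KSA to impersonate the GSA (the Workload Identity binding).
  run gcloud iam service-accounts add-iam-policy-binding "$gsa" \
      --project="$PROJECT_A" \
      --role=roles/iam.workloadIdentityUser \
      --member="$member"

  # 3. Annotate the KSA so the GKE metadata server maps it to the GSA.
  run kubectl annotate serviceaccount "$KSA" --namespace "$NAMESPACE" \
      "iam.gke.io/gcp-service-account=$gsa" --overwrite

  # 4. Grant access in the OTHER project. Least privilege: bind on the one
  #    secret, not on the whole project.
  run gcloud secrets add-iam-policy-binding "$SECRET" --project="$PROJECT_B" \
      --member="serviceAccount:$gsa" \
      --role=roles/secretmanager.secretAccessor
}

verify() {
  gsa=$(gsa_email "$GSA_NAME" "$PROJECT_A")
  # Does PROJECT_B actually have a binding for this GSA on the secret?
  run gcloud secrets get-iam-policy "$SECRET" --project="$PROJECT_B" \
      --flatten='bindings[].members' --filter="bindings.members:$gsa"
  # From a pod running as $KSA, the metadata server must report the GSA e-mail;
  # if it reports the node's service account, the KSA annotation or binding is wrong.
  run kubectl run wi-check --rm -it --restart=Never --namespace "$NAMESPACE" \
      --image=curlimages/curl \
      --overrides="{\"spec\":{\"serviceAccountName\":\"$KSA\"}}" \
      -- curl -sS -H 'Metadata-Flavor: Google' \
      http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email
}

setup
verify
```

The cluster itself must already have Workload Identity enabled (workload pool PROJECT_A.svc.id.goog) and the node pool must use the GKE metadata server, which is what the linked how-to sets up; this script only covers the per-workload and cross-project part. The verify step is the first thing to check when you get "permission denied": if the pod's metadata server returns the node service account rather than the GSA, the problem is in the cluster project, not in the IAM policy of the other project.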
Very clear, thanks @abdelfettah !
Does the following work across GCP orgs as well?
I followed the exact same steps but am still not authorized to access the API (secret manager) in the other project. The two projects are in the same organization.
Do you have any additional details around how you made it work? A script or any other configuration details that made it work would be very helpful. Thanks!
"In the other GCP project, where the API is which I want to control, go to: IAM > Add > enter the email of the GKE GCP SA and select the role you need"
I'm following these exact steps and still getting permission denied when trying to access Secret Manager in another project. Anyone able to help out with an example?
Make sure you follow the steps listed at https://cloud.google.com/iam/docs/attach-service-accounts#attaching-different-project, paying specific detail to enabling service accounts to be attached across projects.
I'm unable to execute step e: Click Grant access, and then enter the email address of the service agent. The service agent I've identified for my GKE node is "service-PROJECT_NUMBER@gcp-sa-gkenode.iam.gserviceaccount.com" where PROJECT_NUMBER is my project ID. I get an error when trying to add this principal as noted in the link you provided. Is that service agent correct for my GKE use case?
My workload in GKE (project A) is simply trying to use its workload identity to access a resource in project B (Secret Manager). This is very simple when using service account keys outside of GKE.
Thanks for the reply.