terraform-google-workload-identity

Workload Identity is the recommended way to access GCP services from Kubernetes.

This module creates:

  • GCP Service Account
  • IAM Service Account binding to roles/iam.workloadIdentityUser
  • Optionally, a Kubernetes Service Account

Usage

The terraform-google-workload-identity module can create a Kubernetes service account for you, or bind to an existing Kubernetes service account.

Creating a Workload Identity

module "my-app-workload-identity" {
  source    = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  name      = "my-application-name"
  namespace = "default"
  project   = "my-gcp-project-name"
}

This will create:

  • GCP Service Account named: my-application-name@my-gcp-project-name.iam.gserviceaccount.com
  • Kubernetes Service Account named: my-application-name in the default namespace, annotated with "iam.gke.io/gcp-service-account" pointing at that GCP Service Account
  • IAM Binding (roles/iam.workloadIdentityUser) on the GCP Service Account for the member serviceAccount:my-gcp-project-name.svc.id.goog[default/my-application-name], i.e. only that namespace/service-account pair may impersonate it

Usage from a Kubernetes Deployment (the pod template must reference the Kubernetes Service Account; the namespace must match the one the binding was created for):

metadata:
  namespace: default
  # ...
spec:
  # ...
  template:
    spec:
      serviceAccountName: my-application-name

Using an existing Kubernetes Service Account

An existing Kubernetes service account can optionally be used. In that case the module creates only the GCP Service Account and the IAM binding, and the existing Kubernetes service account must carry the annotation "iam.gke.io/gcp-service-account" set to the email of the GCP Service Account the module creates (name@project.iam.gserviceaccount.com). Without the annotation GKE will not map the Kubernetes service account to any GCP identity, even though the IAM binding exists.

resource "kubernetes_service_account" "preexisting" {
  metadata {
    name = "preexisting-sa"
    namespace = "prod"
    annotations = {
      "iam.gke.io/gcp-service-account" = "preexisting-sa@${var.project_id}.iam.gserviceaccount.com"
    }
  }
}

module "my-app-workload-identity" {
  # Same registry source as above; the "//modules/workload-identity" suffix selects the submodule.
  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  use_existing_k8s_sa = true
  # name and namespace must match the existing Kubernetes Service Account exactly,
  # because they are embedded in the IAM binding member.
  name                = "preexisting-sa"
  namespace           = "prod"
  project             = var.project_id
}
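The sections above describe three artifacts that have to agree with each other: the GCP Service Account email, the "iam.gke.io/gcp-service-account" annotation on the Kubernetes Service Account, and the roles/iam.workloadIdentityUser binding whose member is serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]. The following is an added example, not code from this module, that checks those three artifacts offline from a ServiceAccount object (as `kubectl get sa -o json` prints it) and the GCP Service Account's IAM policy (as `gcloud iam service-accounts get-iam-policy --format=json` prints it). The sample inputs are constructed, not captured from a real project; the function and variable names are the example's own.

```python
"""Offline consistency check for a GKE Workload Identity mapping.

Added example; not code from the terraform-google-workload-identity module.
It checks that the three artifacts the module wires together agree:
  * the GCP service account (GSA): <name>@<project>.iam.gserviceaccount.com
  * the Kubernetes service account (KSA) annotation iam.gke.io/gcp-service-account
  * the roles/iam.workloadIdentityUser binding on the GSA, whose member is
    serviceAccount:<project>.svc.id.goog[<namespace>/<ksa>]
Every namespace/KSA pair listed in that binding may impersonate the GSA, so the
check also reports each member beyond the one that was intended.
"""
import re
from typing import Any, Dict, List, Optional

ANNOTATION = "iam.gke.io/gcp-service-account"
WI_ROLE = "roles/iam.workloadIdentityUser"

# serviceAccount:<project>.svc.id.goog[<namespace>/<ksa>]
_MEMBER_RE = re.compile(
    r"^serviceAccount:(?P<project>[^\[\]]+)\.svc\.id\.goog"
    r"\[(?P<namespace>[^/\]]+)/(?P<ksa>[^\]]+)\]$"
)


def gsa_email(name: str, project: str) -> str:
    """Email of the GSA the module creates for `name` in `project`."""
    return f"{name}@{project}.iam.gserviceaccount.com"


def wi_member(project: str, namespace: str, ksa: str) -> str:
    """IAM member naming one KSA inside the project's workload identity pool."""
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"


def parse_member(member: str) -> Optional[Dict[str, str]]:
    """Split a workload-identity member into project/namespace/ksa, else None."""
    m = _MEMBER_RE.match(member)
    return m.groupdict() if m else None


def check_workload_identity(ksa: Dict[str, Any], policy: Dict[str, Any],
                            project: str, gsa: str) -> List[str]:
    """Return findings; an empty list means the mapping is consistent.

    ksa     -- ServiceAccount object (kubectl get sa -o json)
    policy  -- the GSA's IAM policy ({"bindings": [{"role": ..., "members": [...]}]})
    project -- project whose identity pool (<project>.svc.id.goog) the cluster uses
    gsa     -- email of the GSA the KSA is supposed to act as
    """
    findings: List[str] = []
    meta = ksa.get("metadata", {})
    name = meta.get("name", "")
    namespace = meta.get("namespace", "default")
    annotated = (meta.get("annotations") or {}).get(ANNOTATION)
    if not annotated:
        findings.append(f"KSA {namespace}/{name} lacks the {ANNOTATION} annotation; "
                        f"no GSA is mapped to it")
    elif annotated != gsa:
        findings.append(f"KSA {namespace}/{name} is annotated with {annotated}, expected {gsa}")

    expected = wi_member(project, namespace, name)
    members: List[str] = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == WI_ROLE:
            members.extend(binding.get("members", []))
    if expected not in members:
        findings.append(f"{gsa} has no {WI_ROLE} binding for {expected}; "
                        f"the KSA cannot impersonate it")
    for member in members:
        if member == expected:
            continue
        parsed = parse_member(member)
        if parsed is None:
            findings.append(f"{member} holds {WI_ROLE} on {gsa} but is not a "
                            f"workload-identity member; remove it")
        else:
            findings.append(f"{parsed['namespace']}/{parsed['ksa']} in pool "
                            f"{parsed['project']}.svc.id.goog can also impersonate {gsa}")
    return findings


# Constructed sample inputs (not captured from a real cluster or project).
SAMPLE_PROJECT = "my-gcp-project-name"
SAMPLE_GSA = gsa_email("my-application-name", SAMPLE_PROJECT)
SAMPLE_KSA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "my-application-name",
        "namespace": "default",
        "annotations": {ANNOTATION: SAMPLE_GSA},
    },
}
# What the module's IAM binding should look like for the example above.
GOOD_POLICY = {
    "bindings": [{"role": WI_ROLE,
                  "members": [wi_member(SAMPLE_PROJECT, "default", "my-application-name")]}],
    "etag": "BwXYZ=",
}
# Misconfigured: binding written for the "prod" namespace, plus a stray human principal.
BAD_POLICY = {
    "bindings": [{"role": WI_ROLE,
                  "members": [wi_member(SAMPLE_PROJECT, "prod", "my-application-name"),
                              "user:alice@example.com"]}],
}

if __name__ == "__main__":
    for label, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        result = check_workload_identity(SAMPLE_KSA, pol, SAMPLE_PROJECT, SAMPLE_GSA)
        print(f"{label}: {'consistent' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against real output by loading the two JSON documents and passing the module's `gcp_service_account_email` output as `gsa`. The "bad" policy shows the failure mode the existing-KSA section warns about: a binding whose namespace does not match the pod's namespace leaves the intended KSA unable to impersonate the GSA while silently granting impersonation to whichever pair was written.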

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | Name for both service accounts | string | n/a | yes |
| namespace | Namespace for the Kubernetes service account | string | "default" | no |
| project | GCP project ID | string | n/a | yes |
| use_existing_k8s_sa | Use an existing Kubernetes service account instead of creating one | bool | false | no |

Outputs

| Name | Description |
|------|-------------|
| gcp_service_account_email | GCP service account's email |
| gcp_service_account_fqn | GCP service account's email prefixed with serviceAccount: |
| gcp_service_account_name | GCP service account's name |
| k8s_service_account_name | Kubernetes service account's name |
| k8s_service_account_namespace | Kubernetes service account's namespace |