Enabling Authentication for SPE GCP Pod
The SPE Pod uses Workload Identity Federation for GKE to authenticate to Google Cloud services, so no service account key file has to be created or mounted into the Pod.
Before you start, make sure you have completed the following:
- Enable the Google Kubernetes Engine API.
- If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you have previously installed the gcloud CLI, get the latest version by running `gcloud components update`. For existing gcloud CLI installations, make sure the `compute/region` and `compute/zone` properties are set. Setting default locations avoids gcloud CLI errors such as: `One of [--zone, --region] must be supplied: Please specify location.`
- Ensure that the Google Cloud APIs you want to access are supported by Workload Identity Federation for GKE. For a list of supported APIs, see "Supported products and limitations" in the Google Cloud documentation. If the API is not supported, or your use case is blocked by the limitations of Workload Identity Federation for that service, see the "Alternative: link Kubernetes ServiceAccounts to IAM" section of the Workload Identity article linked below.
- Ensure that you have enabled the IAM Service Account Credentials API.
- Ensure that you have the following IAM roles on the project:
  - `roles/container.admin`
  - `roles/iam.serviceAccountAdmin`
- Enable Workload Identity Federation for GKE on the cluster. For an existing cluster, run:

  ```
  gcloud container clusters update CLUSTER_NAME \
      --location=LOCATION \
      --workload-pool=PROJECT_ID.svc.id.goog
  ```

  Replace the following:
  - CLUSTER_NAME: the name of your existing cluster.
  - LOCATION: the Compute Engine location of your cluster.
  - PROJECT_ID: your Google Cloud project ID.

  Note that this command only changes the cluster. Existing node pools keep using the legacy node metadata server until each of them is updated with `--workload-metadata=GKE_METADATA`; Pods on a node pool that has not been updated cannot use Workload Identity. The linked article describes that step.
- For more details, see https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
- After enabling Workload Identity, follow the steps below to create the Google service account and the Kubernetes service account and link them.
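The cluster-level enablement described above, written as a small script with a read-back check. This is an added example, not code from the original page or from the SPE project: it wraps the same `gcloud container clusters update` call, also switches the node pool to the GKE metadata server, and then verifies both settings by reading them back with `gcloud ... describe`. The project, cluster, location and node pool names are placeholders (assumptions) that you override through the environment; with `DRY_RUN=1` (the default) the script only prints the commands, so it can be reviewed offline before anything is changed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page or of the SPE project:
# enables Workload Identity on the cluster, updates the node pool, and
# verifies the result. DRY_RUN=1 (the default) only prints the commands.
set -eu

# Placeholder values (assumptions); override them via the environment.
PROJECT_ID="${PROJECT_ID:-my-project}"
CLUSTER_NAME="${CLUSTER_NAME:-spe-cluster}"
LOCATION="${LOCATION:-us-central1}"
NODE_POOL="${NODE_POOL:-default-pool}"
DRY_RUN="${DRY_RUN:-1}"

# Print a command, and execute it unless DRY_RUN=1.
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# The workload pool name GKE expects for a project: PROJECT_ID.svc.id.goog
workload_pool() {
  printf '%s.svc.id.goog' "$1"
}

# Return 0 if the pool configured on the cluster matches the expected one.
pool_matches() {
  [ "$1" = "$2" ]
}

enable_workload_identity() {
  run gcloud container clusters update "$CLUSTER_NAME" \
    --project="$PROJECT_ID" --location="$LOCATION" \
    --workload-pool="$(workload_pool "$PROJECT_ID")"
  # Enabling the pool on the cluster does not migrate existing node pools;
  # each pool must be switched to the GKE metadata server, otherwise its
  # Pods keep reaching the node's own identity through the legacy path.
  run gcloud container node-pools update "$NODE_POOL" \
    --project="$PROJECT_ID" --cluster="$CLUSTER_NAME" --location="$LOCATION" \
    --workload-metadata=GKE_METADATA
}

# Read back the live configuration and fail if either setting is wrong.
verify_workload_identity() {
  expected="$(workload_pool "$PROJECT_ID")"
  actual="$(gcloud container clusters describe "$CLUSTER_NAME" \
    --project="$PROJECT_ID" --location="$LOCATION" \
    --format='value(workloadIdentityConfig.workloadPool)')"
  if ! pool_matches "$expected" "$actual"; then
    echo "cluster workload pool is '$actual', expected '$expected'" >&2
    return 1
  fi
  mode="$(gcloud container node-pools describe "$NODE_POOL" \
    --project="$PROJECT_ID" --cluster="$CLUSTER_NAME" --location="$LOCATION" \
    --format='value(config.workloadMetadataConfig.mode)')"
  if [ "$mode" != "GKE_METADATA" ]; then
    echo "node pool '$NODE_POOL' metadata mode is '$mode', expected GKE_METADATA" >&2
    return 1
  fi
  echo "Workload Identity is enabled on $CLUSTER_NAME / $NODE_POOL"
}

enable_workload_identity
[ "$DRY_RUN" = "1" ] || verify_workload_identity
```

Run it once with the defaults to see the exact commands, then with `DRY_RUN=0 PROJECT_ID=... CLUSTER_NAME=... LOCATION=... NODE_POOL=...` to apply and verify. The verification matters because a cluster can report a workload pool while a node pool still runs in the legacy metadata mode, which is the usual reason a Pod "with Workload Identity" still fails to get a Google token.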