1 changed file
serviceaccount.yaml
Add comment 24 apiVersion: v1
Add comment 25 kind: ServiceAccount
Add comment 26 metadata:
Add comment 27 Minus # GKE Workload Identity integration - map your k8s serviceaccount to a GCP serviceaccount with permissions to access GCP resources
Add comment 27 Plus name: NAME # XXX: Edit
Add comment 28 Plus namespace: NAME # XXX: Edit
Add comment 29 Plus
Add comment 30 Plus annotations:
Add comment 31 Plus # XXX: pick one of the below
Add comment 32 Plus
Add comment 33 Plus # ============================================================================ #
Add comment 34 Plus # A W S
Add comment 35 Plus # ============================================================================ #
Add comment 36 Plus
Add comment 37 Plus # AWS IRSA
Add comment 38 Plus
Add comment 39 Plus # XXX: Edit AW Account ID number 123456789012 + Role name MYAPP
Add comment 40 Plus eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/EKSIrsaMYAPP"
Add comment 41 Plus
Add comment 42 Plus # ============================================================================ #
Add comment 43 Plus # G K E
Add comment 44 Plus # ============================================================================ #
Add comment 45 Plus
Add comment 46 Plus # GKE Workload Identity integration
Add comment 47 Plus
Add comment 48 Plus # - map your k8s serviceaccount to a GCP serviceaccount with permissions to access GCP resources
Add comment 49 Plus # - you'll also need to grant GCP IAM permissions for the k8s SA to use the GCP SA:
Add comment 28 50 #
Add comment 29 Minus # you'll also need to grant GCP IAM permissions for the k8s SA to use the GCP SA:
Add comment 30 51 # XXX: Edit or Set env vars: $CLOUDSDK_CORE_PROJECT, $K8_NAMESPACE, $K8_SA, $GSA
Add comment 31 52 #
Add comment 32 53 # gcloud iam service-accounts add-iam-policy-binding --role roles/iam.workloadIdentityUser --member "serviceAccount:$CLOUDSDK_CORE_PROJECT.svc.id.goog[$K8_NAMESPACE/$K8_SA]" "$GSA@$CLOUDSDK_CORE_PROJECT.iam.gserviceaccount.com"
Add comment 33 Minus #
Add comment 34 Minus annotations:
Add comment 35 Minus # XXX: AWS IRSA - Edit AW Account ID number 123456789012 + Role name MYAPP
Add comment 36 Minus eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/EKSIrsaMYAPP"
Add comment 37 Minus # XXX: GKE Workload Identity - Edit SERVICEACCOUNT + PROJECT_ID
Add comment 54 Plus
Add comment 55 Plus # XXX: Edit SERVICEACCOUNT + PROJECT_ID
Add comment 38 56 iam.gke.io/gcp-service-account: SERVICEACCOUNT@PROJECT_ID.iam.gserviceaccount.com
Add comment 39 Minus # XXX: Azure Workload Identity - Edit client + tenant id
Add comment 57 Plus
Add comment 58 Plus # ============================================================================ #
Add comment 59 Plus # A K S
Add comment 60 Plus # ============================================================================ #
Add comment 61 Plus
Add comment 62 Plus # Azure Workload Identity
Add comment 63 Plus
Add comment 64 Plus # XXX: Edit client + tenant id
Add comment 40 65 azure.workload.identity/client-id: 1a2bcd34-xxxx-xxxx-xxxx-567e890f123a
Add comment 41 66 azure.workload.identity/tenant-id: 1a23b45c-xxxx-xxxx-xxxx-6de7f890a1b2
Add comment 42 Minus name: NAME
Add comment 43 Minus namespace: NAME
Add comment 44 67 #
Add comment 45 68 # XXX: you may want this set to true for app to access it inside the container at /var/run/secrets/kubernetes.io/serviceaccount/token
Add comment 46 69 automountServiceAccountToken: false
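Review bot: the "XXX: pick one of the below" instruction on new line 31 is not enforced by the template itself: the AWS (`eks.amazonaws.com/role-arn`, line 40), GKE (`iam.gke.io/gcp-service-account`, line 56) and AKS (`azure.workload.identity/client-id` / `tenant-id`, lines 65-66) annotations are all live YAML keys at once, so someone who edits only their cloud's placeholder and applies the file still ships the other two clouds' placeholder identities on the ServiceAccount. Consider leaving all three annotation blocks commented out by default (`# eks.amazonaws.com/role-arn: ...`) so that enabling one is a deliberate uncomment, or splitting the file into one overlay per provider. Smaller points in the same hunk: line 39 reads "AW Account ID" (should be "AWS"); the GKE block uses two placeholder conventions for the same value, `$GSA@$CLOUDSDK_CORE_PROJECT.iam.gserviceaccount.com` in the gcloud command on line 53 versus `SERVICEACCOUNT@PROJECT_ID.iam.gserviceaccount.com` on line 56, and aligning them would make the "Edit or Set env vars" instruction on line 51 unambiguous; and lines 27-28 use the identical placeholder `NAME` for both `name` and `namespace`, which invites a copy-paste ServiceAccount named after its namespace. On the retained `automountServiceAccountToken: false` (line 69): keeping it false is the least-privilege default and worth stating as such in the comment on line 68, since the comment currently reads as a nudge toward `true`; the comment could note that only workloads which actually talk to the Kubernetes API need the projected token at `/var/run/secrets/kubernetes.io/serviceaccount/token`.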