terraform-google-workload-identity

Workload Identity is the recommended way to access GCP services from Kubernetes.

This module creates:

  • GCP Service Account
  • IAM Service Account binding to roles/iam.workloadIdentityUser
  • Optionally, a Kubernetes Service Account

Usage

The terraform-google-workload-identity module can create a Kubernetes service account for you, or it can use an existing Kubernetes service account.

Creating a Workload Identity

module "my-app-workload-identity" {
  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  name       = "my-application-name"
  namespace  = "default"
  project_id = "my-gcp-project-name"
  # Predefined GCP role IDs are lowercase after the service name (roles/storage.admin, not roles/storage.Admin).
  roles      = ["roles/storage.admin", "roles/compute.admin"]
}

This will create:

  • GCP Service Account named: my-application-name@my-gcp-project-name.iam.gserviceaccount.com
  • Kubernetes Service Account named: my-application-name in the default namespace
  • IAM Binding (roles/iam.workloadIdentityUser) between the service accounts

Usage from a Kubernetes deployment (the pod template references the Kubernetes service account the module created, in the same namespace):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-application-name
  namespace: default
  # ...
spec:
  # ...
  template:
    spec:
      serviceAccountName: my-application-name

Using an existing Kubernetes Service Account

An existing Kubernetes service account can optionally be used. When using an existing Kubernetes service account, the annotation "iam.gke.io/gcp-service-account" must be set on it (the module sets it for you when annotate_k8s_sa is left at its default of true).

resource "kubernetes_service_account" "preexisting" {
  metadata {
    name      = "preexisting-sa"
    namespace = "prod"
  }
}

module "my-app-workload-identity" {
  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  use_existing_k8s_sa = true
  name                = "preexisting-sa"
  namespace           = "prod"
  project_id          = var.project_id
  # cluster_name and location are required when use_existing_k8s_sa is true (see Inputs).
  cluster_name        = var.cluster_name
  location            = var.location
}
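The pairing the module sets up has two halves that must agree: the GCP service account's IAM policy must grant roles/iam.workloadIdentityUser to exactly the intended Kubernetes service account (member form serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]), and the Kubernetes service account's iam.gke.io/gcp-service-account annotation must point back at that GCP service account. The following added audit helper (example code, not part of the module) checks both halves over constructed inputs shaped like the output of gcloud iam service-accounts get-iam-policy --format=json and kubectl get sa -o json; the 30-character truncation of the GCP SA name is assumed to be a plain prefix cut, as the name input describes.

```python
import json

WI_ROLE = "roles/iam.workloadIdentityUser"
KSA_ANNOTATION = "iam.gke.io/gcp-service-account"
SA_NAME_MAX = 30  # README `name` input: GCP SA name is truncated to the first 30 chars


def gcp_sa_email(name: str, project_id: str) -> str:
    """Email of the GCP SA the module creates (assumes a plain prefix truncation)."""
    return f"{name[:SA_NAME_MAX]}@{project_id}.iam.gserviceaccount.com"


def wi_member(project_id: str, namespace: str, ksa_name: str) -> str:
    """IAM member GKE presents for a Kubernetes SA under Workload Identity."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def audit_binding(policy: dict, ksa: dict, project_id: str, namespace: str,
                  ksa_name: str, sa_email: str) -> list:
    """Check both halves of the pairing; an empty list means it is correctly scoped."""
    findings = []
    expected = wi_member(project_id, namespace, ksa_name)
    members = [m for b in policy.get("bindings", []) if b.get("role") == WI_ROLE
               for m in b.get("members", [])]
    if expected not in members:
        findings.append(f"missing {WI_ROLE} grant for {expected}")
    for m in members:
        if m != expected:  # any other member here can also impersonate this GCP SA
            findings.append(f"unexpected {WI_ROLE} member: {m}")
    annotation = ksa.get("metadata", {}).get("annotations", {}).get(KSA_ANNOTATION)
    if annotation != sa_email:
        findings.append(f"KSA annotation {KSA_ANNOTATION}={annotation!r}, expected {sa_email!r}")
    return findings


# Constructed sample shaped like `gcloud iam service-accounts get-iam-policy --format=json`
POLICY = json.loads('''{"bindings": [{"role": "roles/iam.workloadIdentityUser",
  "members": ["serviceAccount:my-gcp-project-name.svc.id.goog[default/my-application-name]"]}],
  "etag": "BwXconstructed="}''')
# Constructed sample shaped like `kubectl get sa my-application-name -n default -o json`
KSA = {"metadata": {"name": "my-application-name", "namespace": "default", "annotations": {
    KSA_ANNOTATION: "my-application-name@my-gcp-project-name.iam.gserviceaccount.com"}}}
# Same policy with an extra member from another namespace: drift an audit should flag
DRIFTED = json.loads(json.dumps(POLICY))
DRIFTED["bindings"][0]["members"].append("serviceAccount:my-gcp-project-name.svc.id.goog[dev/debug-sa]")

if __name__ == "__main__":
    args = ("my-gcp-project-name", "default", "my-application-name",
            gcp_sa_email("my-application-name", "my-gcp-project-name"))
    print(audit_binding(POLICY, KSA, *args))    # []
    print(audit_binding(DRIFTED, KSA, *args))   # one "unexpected ... member" finding
```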

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| annotate_k8s_sa | Annotate the Kubernetes service account with the 'iam.gke.io/gcp-service-account' annotation. Valid in cases when an existing SA is used. | bool | true | no |
| automount_service_account_token | Enable automatic mounting of the service account token. | bool | false | no |
| cluster_name | Cluster name. Required if using an existing KSA. | string | "" | no |
| impersonate_service_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | string | "" | no |
| k8s_sa_name | Name for the existing Kubernetes service account. | string | null | no |
| location | Cluster location (region if regional cluster, zone if zonal cluster). Required if using an existing KSA. | string | "" | no |
| name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | string | n/a | yes |
| namespace | Namespace for the k8s service account. | string | "default" | no |
| project_id | GCP project ID. | string | n/a | yes |
| roles | (optional) A list of roles to be added to the created service account. | list(string) | [] | no |
| use_existing_k8s_sa | Use an existing Kubernetes service account instead of creating one. | bool | false | no |

Outputs

| Name | Description |
|------|-------------|
| gcp_service_account | GCP service account. |
| gcp_service_account_email | Email address of the GCP service account. |
| gcp_service_account_fqn | FQN of the GCP service account. |
| gcp_service_account_name | Name of the GCP service account. |
| k8s_service_account_name | Name of the k8s service account. |
| k8s_service_account_namespace | Namespace of the k8s service account. |