3

I enabled the workload identity feature for my GKE cluster and it works fine.

I have no issues accessing gcloud commands with the right IAM permissions for the Google Cloud service account; however, I am unsure how I could use gsutil commands inside a Kubernetes pod when workload_identity is enabled.

Basically, my question is: when workload_identity is enabled, is there a way to use gsutil?

I see this error when I use gsutil inside my pod:

> You are attempting to access protected data with no configured credentials. Please visit https://cloud.google.com/console#/project and sign up for an account, and then run the "gcloud auth login" command to configure gsutil to use these credentials.

How can we allow gsutil to use gcloud credentials?

Varunkumar Manohar
  • Try running `gsutil --debug ls gs://` to get some more info on why the command is failing. – dward Jun 27 '19 at 00:08
  • The standalone gsutil seems to have issues with getting credentials from instance metadata (workload identity or otherwise). You might have to use the full set of gcloud SDK to make it work with workload identity. – Lawliet Feb 26 '20 at 04:44
  • Does this answer your question? [Authenticating standalone gsutil in containers in Cloud ML Engine on Kubernetes with Workload Identity](https://stackoverflow.com/questions/61385090/authenticating-standalone-gsutil-in-containers-in-cloud-ml-engine-on-kubernetes) – Michał Łazowik May 21 '20 at 01:36

2 Answers

0

gsutil doesn't support workload identity. An alternative is:

`gcloud alpha storage cp`

Jeremy Caney
0

When installing standalone, I didn't succeed in getting gsutil to work with workload identity. However, if you install it as part of the Google Cloud CLI package, it worked like a charm.

As stated above, `gcloud alpha storage cp` will do the work; however, upload is much slower if you are using multithreading (`-m` option).

SiniG
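The setup the second answer describes (gsutil shipped inside the Google Cloud CLI package, running under Workload Identity), written out as an added example that is not taken from any of the posts above. The names `gcs-reader`, `gsutil-check`, the `default` namespace, `PROJECT_ID` and `BUCKET_NAME` are placeholders, and the image is Google's published Cloud CLI image rather than anything the posters named.

```yaml
# Added example; every name below is a placeholder, not a value from the thread.
# Prerequisite, run once outside the cluster: let the Kubernetes service
# account act as the Google service account.
#   gcloud iam service-accounts add-iam-policy-binding \
#     gcs-reader@PROJECT_ID.iam.gserviceaccount.com \
#     --role roles/iam.workloadIdentityUser \
#     --member "serviceAccount:PROJECT_ID.svc.id.goog[default/gcs-reader]"
# Grant that Google service account only the bucket role the job needs
# (for example roles/storage.objectViewer for read-only listing and download).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gcs-reader
  namespace: default
  annotations:
    # Maps this Kubernetes service account to the Google service account.
    iam.gke.io/gcp-service-account: gcs-reader@PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: v1
kind: Pod
metadata:
  name: gsutil-check
  namespace: default
spec:
  serviceAccountName: gcs-reader
  restartPolicy: Never
  nodeSelector:
    # Schedule only on nodes where the GKE metadata server is running.
    iam.gke.io/gke-metadata-server-enabled: "true"
  containers:
    - name: cloud-cli
      # Full Cloud CLI image: the bundled gsutil reuses gcloud's credentials,
      # which come from the metadata server under Workload Identity.
      image: gcr.io/google.com/cloudsdktool/google-cloud-cli:slim
      command: ["/bin/sh", "-c"]
      args:
        - |
          # Should list the Google service account, not the node's default one.
          gcloud auth list
          gsutil ls gs://BUCKET_NAME
```

If `gcloud auth list` in the pod log shows a different account than the one in the annotation, the IAM binding or the annotation is what to check before looking at gsutil itself.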