
I am fairly new to cloud and GCP. So, we have an application which uses Pub/Sub, Cloud Storage, Cloud SQL and Secret Manager. This is deployed using a Helm chart. All services use different service accounts. So, to avoid keeping JSON keys for these services, I tried using Workload Identity. Hence, I created a KSA and bound it to the Cloud SQL service account. And I am able to provide that KSA name in the Helm `serviceAccountName` field, and it is working fine without providing a key for the Cloud SQL service account. But for the rest of the services, I am still using keys. So my question: can we annotate/bind the same KSA to other service accounts? Or is there some way to let services know which SA they need to use for authentication? Using default credentials for all services is not an option here. I could not get much info about one KSA for multiple GSAs. Appreciate your clarification on the above. The application is built on Spring Boot.

I am kind of clueless as to how I can provide two service accounts for the same KSA in the Workload Identity Terraform script.

ankit_

1 Answer


It's a many-to-1 relation: 1 to many KSAs for 1 GSA.

In fact, a good practice is to have 1 KSA per service. Then bind the GSA to the KSA according to the permissions required by your service.

If 2 services have the same permissions (and you want to reuse the existing GSA, because you are limited to 100 GSAs per project), you can point your 2 KSAs (one per service) to the same GSA.

A K8S service can have only one KSA defined on it.

guillaume blaquiere
  • So, umm, just for clarification, I can have one KSA and then annotate it with more than one GSA (say one GSA for Cloud SQL, another for a bucket)? – ankit_ Apr 07 '23 at 07:34
  • No, you can't. Annotations are a map of key/value pairs. For the same key, you can have only 1 value. So, when you annotate your KSA, you can't provide more than 1 GSA for the key `iam.gke.io/gcp-service-account` (step 7 here https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to), and here is the K8S annotation structure: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ – guillaume blaquiere Apr 07 '23 at 08:32
  • Thank you!! I am much clearer now that I need to provide granular roles and permissions to 1 GSA, and only that should be mapped to the KSA. – ankit_ Apr 07 '23 at 12:35
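The shape the answer and comments describe, written out as Terraform, as an added example that is not part of the original question or answer and does not come from the asker's Helm chart or script. It shows the two points at once: one GSA carrying all the roles the question's services need (Cloud SQL, Pub/Sub, Cloud Storage, Secret Manager), and several KSAs, one per workload, all allowed to impersonate that single GSA. The project ID `my-project`, namespace `backend`, GSA name `app-runtime` and KSA names `orders-api` and `billing-worker` are assumptions; the `google` and `kubernetes` provider blocks are assumed to be configured elsewhere, and the project-level role grants should be narrowed to specific instances, topics, buckets and secrets in real use.

```hcl
# Added example: one GSA, many KSAs, each KSA annotated with exactly one GSA.
# Names below (project, namespace, account and KSA names) are assumptions.
locals {
  project_id = "my-project" # assumed
  namespace  = "backend"    # assumed

  # One KSA per Kubernetes workload, as the answer recommends.
  ksa_names = toset(["orders-api", "billing-worker"]) # assumed names

  # Roles the single GSA needs for the services named in the question.
  # Granted at project level here for brevity; scope them down in production.
  gsa_roles = toset([
    "roles/cloudsql.client",
    "roles/pubsub.subscriber",
    "roles/storage.objectViewer",
    "roles/secretmanager.secretAccessor",
  ])
}

# The one Google service account the application runs as.
resource "google_service_account" "app" {
  project      = local.project_id
  account_id   = "app-runtime"
  display_name = "Application runtime identity (Workload Identity)"
}

# Attach every required role to that single GSA.
resource "google_project_iam_member" "app_roles" {
  for_each = local.gsa_roles
  project  = local.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.app.email}"
}

# Many-to-one: each KSA is authorised to impersonate the GSA.
# This IAM binding is what actually grants access; the annotation alone does nothing.
resource "google_service_account_iam_member" "workload_identity" {
  for_each           = local.ksa_names
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${local.project_id}.svc.id.goog[${local.namespace}/${each.value}]"
}

# Each KSA carries a single iam.gke.io/gcp-service-account annotation
# (one key, one value), pointing at the same GSA.
resource "kubernetes_service_account" "workload" {
  for_each = local.ksa_names
  metadata {
    name      = each.value
    namespace = local.namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.app.email
    }
  }
}
```

After `terraform apply`, set the Helm chart's `serviceAccountName` for each workload to the matching KSA name (`orders-api` or `billing-worker` in this example) and drop the JSON key mounts: the Spring Boot application's default credentials resolution then obtains tokens for `app-runtime` through the GKE metadata server for all four services. To confirm which identity a pod actually has, run from inside it `curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email`; it should print the GSA email. If a pod in the cluster needs a different permission set, give it its own KSA bound to a different GSA rather than trying to add a second annotation value.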