
I'd like to define a Kubernetes ServiceAccount bound to a Google ServiceAccount in a Helm chart as the first step, and later use that service account in the specification of Kubernetes pods.

Here's what I've tried: I define the Kubernetes service account, then the Google service account, and finally try to bind the two:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    iam.gke.io/gcp-service-account: {{ printf "%s@%s.iam.gserviceaccount.com" .Release.Name .Values.gcp.project }}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
---
# https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iampolicymember
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
spec:
  member: {{ printf "serviceAccount:%s@%s.iam.gserviceaccount.com" .Release.Name .Values.gcp.project }}
  role: roles/iam.workloadIdentityUser
  resourceRef:
    apiVersion: v1
    kind: ServiceAccount
    name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}

Deploying the Helm chart to a GKE cluster that has Workload Identity enabled returns the following error:

Error: UPGRADE FAILED: failed to create resource: admission webhook "iam-validation.cnrm.cloud.google.com" denied the request: resource reference for kind 'ServiceAccount' must include API group

Basically what I'm trying to do is the ConfigConnector equivalent of

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<YOUR-GCP-PROJECT>.svc.id.goog[<YOUR-K8S-NAMESPACE>/<YOUR-KSA-NAME>]" \
  <YOUR-GSA-NAME>@<YOUR-GCP-PROJECT>.iam.gserviceaccount.com

which I got from https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#gsa

mipnw
  • It looks like you cannot use `ServiceAccount` inside `IAMPolicyMember`. Do you need to create GCP resources inside your apps? Maybe you can use your SA without binding, since Config Connector is a bunch of CRDs. – loki Jun 09 '21 at 01:08

1 Answer


Here is a way to bind a Kubernetes service account to a Google Service account with Config Connector:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    iam.gke.io/gcp-service-account: {{ printf "%s@%s.iam.gserviceaccount.com" .Release.Name .Values.gcp.project }}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
spec:
  displayName: {{ .Release.Name }}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: {{ .Release.Name }}
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - {{ printf "serviceAccount:%s.svc.id.goog[%s/%s]" .Values.gcp.project .Release.Namespace .Release.Name }}
mipnw
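As an added example (not part of the question or the answer above), here is the Helm template that is the direct Config Connector equivalent of the `gcloud iam service-accounts add-iam-policy-binding` call in the question, together with a pod that consumes the binding. It assumes, as the question does, that `.Values.gcp.project` holds the GCP project ID and that the release name is reused for the KSA, the GSA and the Config Connector resources; the release name therefore also has to be a valid Google service account ID (6 to 30 lowercase letters, digits and hyphens). The pod name and image are illustrative choices.

```yaml
# templates/workload-identity.yaml (added example, not the original chart)
# Assumes .Values.gcp.project is the GCP project ID and .Release.Name is a
# valid Google service account ID.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    # KSA -> GSA half of the binding: which Google identity this KSA maps to.
    iam.gke.io/gcp-service-account: {{ printf "%s@%s.iam.gserviceaccount.com" .Release.Name .Values.gcp.project }}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  # metadata.name becomes the GSA account ID (<name>@<project>.iam.gserviceaccount.com).
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
spec:
  displayName: {{ .Release.Name }}
---
# GSA -> KSA half of the binding. IAMPolicyMember adds a single binding and
# leaves every other binding on the GSA untouched, which is what
# `gcloud iam service-accounts add-iam-policy-binding` does. IAMPolicy (used in
# the answer above) is authoritative: it replaces the GSA's whole IAM policy.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: {{ .Release.Name }}-workload-identity
  namespace: {{ .Release.Namespace }}
spec:
  # The resource whose policy is changed is the *Google* service account, so
  # the reference must carry the Config Connector API group. A bare
  # v1/ServiceAccount is the Kubernetes object and is rejected by the
  # iam-validation webhook.
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: {{ .Release.Name }}
  role: roles/iam.workloadIdentityUser
  # The member is the KSA's identity in the cluster's workload identity pool
  # (<project>.svc.id.goog[<namespace>/<ksa>]), not the GSA's e-mail address.
  member: {{ printf "serviceAccount:%s.svc.id.goog[%s/%s]" .Values.gcp.project .Release.Namespace .Release.Name }}
---
# A pod that runs as the KSA. On a Workload Identity node pool the GKE metadata
# server issues it short-lived tokens for the GSA; no service account key file
# is mounted into the container.
apiVersion: v1
kind: Pod
metadata:
  name: {{ .Release.Name }}-wi-check
  namespace: {{ .Release.Namespace }}
spec:
  serviceAccountName: {{ .Release.Name }}
  containers:
    - name: check
      image: google/cloud-sdk:slim
      # Prints the active account; with the binding in place it is the GSA e-mail.
      command: ["gcloud", "auth", "list"]
```

Two points worth checking after `helm upgrade --install`: `kubectl get iampolicymember -n <namespace>` should show the resource with `READY=True` (a policy-member that stays unready usually means the GSA does not exist yet or the project annotation on the namespace is missing), and the pod's `gcloud auth list` output should name the GSA rather than the node's default service account. Because any pod that can run under this KSA can obtain the GSA's tokens, the ability to create pods in this namespace is effectively the ability to act as the GSA; scope the RBAC on the namespace accordingly and keep the GSA's own roles minimal.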