Questions tagged [workload-identity]

66 questions
GCP workload identity federation - Github provider - 'Unable to acquire impersonated credentials'
6 votes, 3 answers

I've followed these instructions to the letter to allow me to use the short-lived token authentication method to access gcloud resources from our GitHub Actions workflow. I've created the service account, workload identity pool and GitHub provider…
sc-leeds
What is the location argument of GCP workload identity pools?
6 votes, 1 answer

According to the documentation, an example of creating an identity pool would be: gcloud iam workload-identity-pools create my-workload-identity-pool --location="global" --display-name="My workload pool" --description="My workload pool description"…
Workload Identity & Service Accounts for Composer 2 / GKE Autopilot Cluster PodOperator tasks
5 votes, 1 answer

I'm trying to run GKEStartPodOperator/KubernetesPodOperator tasks in a Composer 2 environment, which makes use of a GKE cluster in autopilot mode. We have an existing Composer 1 environment with a GKE cluster not in autopilot mode. Our tasks that…
Gmail API and workload identity federation with AWS and Google Cloud
4 votes, 0 answers

I'm looking to integrate with the Gmail API and want to use a service user with domain-wide delegation to request data on behalf of users in Google Workspace. My code is running in EC2 in AWS. Reading through the docs it seems best practice is to…
Can GKE Workload Identity be used with Domain Wide Delegation?
4 votes, 0 answers

We've been using the Google Directory API to get the profile of our users, on an internal app. When we authenticate, we've been using a JSON keyfile for a service and the google-auth-library JWT class. The service account has Domain Wide Delegation…
Google Artifact Registry NPM + GitHub Action
4 votes, 1 answer

I'm trying to publish an npm package on GAR (Google Artifact Registry) through GitHub using google-github-actions/auth@v0 and google-artifactregistry-auth. For the authentication to Google from GitHub, here is what I did to use the Federation Workload…
How to Specify ServiceAccountName for Pods in GKE Deployment.YAML
4 votes, 2 answers

I've configured my cluster and node pools for Workload Identity (https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity), but in order to get it to work, I need to also make my pods use the Kubernetes service account I created for…
user1477388
Does enabling "workload identity" in an existing GKE cluster and node pool have any downtime?
3 votes, 2 answers

I don't seem to find any documentation mentioning whether there would be any downtime when a GKE cluster is edited to activate workload identity. I would like to know if there is any downtime while enabling it in an existing cluster while enabling it in…
Support for wildcards with Workload Identity Federation
3 votes, 1 answer

I am currently testing this GitHub Action to authenticate with gcloud resources using Workload Identity Federation. I created a Workload Identity Provider with a custom repository_ref attribute mapping both the GitHub repository and branch from…
"default_secret_name" is no longer applicable for Kubernetes v1.24.0 and above
2 votes, 3 answers

I'm using the Terraform workload-identity module to create a Kubernetes service account in Google Cloud. When I apply the changes, I'm getting the warning below. "default_secret_name" is no longer applicable for Kubernetes v1.24.0 and above │ │ …
Attribute mappings in configuring workload identity federation between GCP and GitHub
2 votes, 1 answer

I am trying to wrap my head around this new topic, given that there are still too few examples out there and the documentation is rather obscure. I am trying to reverse engineer this repo. What I want to understand is the way we inform GCP that OIDC…
GCP terraform-google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: unknown credential type: "external_account"
2 votes, 1 answer

Using GCP workload identity, I am not able to provision a GKE cluster by Terraform from a GitHub Action. Here is my workflow file of the GitHub Action: name: Infrastructure provisions jobs: provision_gkes: permissions: …
GCP IAM Permission - Service Account not able to have permission
2 votes, 1 answer

In order to implement a CI pipeline from GitHub to GCP, I have configured workload identity. SERVICE_ACCOUNT="xyz" PROJECT_ID="ABC" Service account created by the command: gcloud iam service-accounts create "${SERVICE_ACCOUNT}" \ …
Gmail API with workload identity federation
2 votes, 0 answers

I have created a workload identity pool with a third-party (Auth0) provider. I have configured my service account with domain-wide delegation and have enabled the Gmail API as well. I could generate an STS token successfully, but while executing mail…
Formats for Attribute Mapping & Attribute Conditioning in the Workload Identity
2 votes, 0 answers

I have created an OAuth server and defined custom scope and claims in the configuration. On the access token (JWT), I see the scope is being defined as "scp": [ "default_google_scope" ]. I am trying to set up an integration between OIDC and GCP…
PiaklA