What is GCP Workload Identity?

Answer

Workload Identity is the recommended way for GKE workloads (pods) to authenticate to GCP services without managing service account keys. Instead of downloading JSON key files and mounting them into pods (a security risk), Workload Identity binds a Kubernetes service account to a Google service account through an IAM binding. When the pod calls Google APIs through the Google Cloud client libraries, the libraries automatically obtain short-lived tokens from the metadata server. Setup: enable Workload Identity on the GKE cluster, create a Google service account, create a Kubernetes service account, and bind the two with gcloud iam service-accounts add-iam-policy-binding granting roles/iam.workloadIdentityUser. This eliminates the #1 GKE security risk: long-lived service account keys in container images or Kubernetes secrets.
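The setup sequence above, as an added shell example that is not part of the original answer; the project, cluster, region, namespace and account names are placeholder assumptions, and the helpers also expose the IAM member format so it can be checked before anything is applied.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): the setup steps as shell
# functions. All PROJECT_ID/CLUSTER/... values are assumed placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
CLUSTER="${CLUSTER:-my-cluster}"
REGION="${REGION:-us-central1}"
GSA_NAME="${GSA_NAME:-app-gsa}"
K8S_NAMESPACE="${K8S_NAMESPACE:-default}"
KSA_NAME="${KSA_NAME:-app-ksa}"

# GKE's Workload Identity pool is always PROJECT_ID.svc.id.goog.
wi_pool() { echo "$1.svc.id.goog"; }

# IAM principal for one Kubernetes service account: project namespace ksa
wi_member() { echo "serviceAccount:$(wi_pool "$1")[$2/$3]"; }

# Email of the Google service account the pod will impersonate: gsa project
gsa_email() { echo "$1@$2.iam.gserviceaccount.com"; }

# Step 1: enable Workload Identity on the cluster. Node pools created before
# this also need --workload-metadata=GKE_METADATA (not shown).
enable_wi_on_cluster() {
  gcloud container clusters update "$CLUSTER" --region "$REGION" \
    --workload-pool="$(wi_pool "$PROJECT_ID")" --project "$PROJECT_ID"
}

# Step 2: create the Google service account (grant it only the roles needed).
create_gsa() { gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID"; }

# Step 3: create the Kubernetes service account the pods will run as.
create_ksa() { kubectl create serviceaccount "$KSA_NAME" -n "$K8S_NAMESPACE"; }

# Step 4: bind in both directions. The IAM binding lets the KSA impersonate
# the GSA; the annotation tells the GKE metadata server which GSA to use.
bind_wi() {
  gcloud iam service-accounts add-iam-policy-binding \
    "$(gsa_email "$GSA_NAME" "$PROJECT_ID")" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$PROJECT_ID" "$K8S_NAMESPACE" "$KSA_NAME")" \
    --project "$PROJECT_ID"
  kubectl annotate serviceaccount "$KSA_NAME" -n "$K8S_NAMESPACE" \
    "iam.gke.io/gcp-service-account=$(gsa_email "$GSA_NAME" "$PROJECT_ID")"
}

# Nothing is executed unless "apply" is passed, so the helpers can be sourced.
if [ "${1:-}" = "apply" ]; then enable_wi_on_cluster; create_gsa; create_ksa; bind_wi; fi
```

Pods must set serviceAccountName to the annotated Kubernetes service account for the metadata server to hand out tokens for the bound Google service account.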