Using Workload Identity on GKE

30 minutes
  • 4 Learning Objectives

About this Hands-on Lab

Running workloads with their own unique service identity in GCP allows you to exercise the security principle of least privilege: granting only the granular permissions required by a workload, and limiting the blast radius should it become compromised. With GKE Workload Identity, Kubernetes service accounts can be mapped to GCP service accounts to enable service identity authorization for requests to Google APIs and other services. In this lab, we will create a secret Cloud Run service and then map a service account to allow a GKE workload to access it.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Deploy the Secret Service to Cloud Run
  1. Inside your GCP console, activate the Cloud Shell. Then enable the required APIs for this lab.

  2. Then clone the GitHub repo.

  3. From the gke-workload-identity/secret-service directory inside the repo, build the Secret Service container, replacing <YOUR_PROJECT_ID> with your own project ID.

  4. Now deploy the container to Cloud Run, again substituting your project ID. When the service is deployed, try accessing the URL. You should receive a Forbidden message as you do not have permission to access the service without the correct identity.

Create the GKE Cluster with Workload Identity
  1. Select Kubernetes Engine from the GCP menu, and click Create to create a new cluster.
  2. Select Standard if you are prompted to choose between Standard and Autopilot.
  3. Under Node Pools > default-pool, change the number of nodes to 1.
  4. Under Cluster > Security, tick the box to Enable Workload Identity.
  5. Click Create to create the cluster.
  6. When the cluster is ready, click the 3 dots Action menu on the Clusters page and select Connect. Then select Run in Cloud Shell to set up kubectl in your Cloud Shell Terminal.
Configure Service Accounts and IAM

In all of the following instructions, substitute <YOUR_PROJECT_ID> with your own project ID.

  1. Create a service account for your Secret Agent workload.

  2. Create an IAM policy to allow the Secret Agent service account to invoke the Secret Service in Cloud Run.

  3. Change into the gke-workload-identity/secret-agent directory and create the Kubernetes service account for the Secret Agent workload.

  4. Allow the Kubernetes service account to impersonate the Google service account by creating an IAM policy binding between the two.

  5. Annotate the Kubernetes service account to complete the mapping.

Deploy the Secret Agent workload to GKE

In all of the following instructions, substitute <YOUR_PROJECT_ID> with your own project ID.

  1. Create some environment variables for the workload. Check the environment variables have been set correctly to your project ID and Cloud Run service URL respectively:

  2. From within the gke-workload-identity/secret-agent directory, create the agent Pod manifest.

  3. Build the Secret Agent container.

  4. Deploy the Secret Agent Pod to GKE. Once the Pod is in a Running state, you should be able to observe that it can successfully connect to the Secret Service Cloud Run service by viewing its logs.

    The agent contacts the secret service every 5 seconds and logs the results to STDOUT. It uses the GCP metadata server to generate a valid JWT token in order to identify itself as the service account you created earlier. This service account, and only this service account, is permitted to invoke the Cloud Run service.

    Note that the JWT token generated by the agent workload will expire after an hour, after which the Pod will log a Forbidden error, which is expected.

Additional Resources

To get started, log in to Google Cloud Platform by opening https://console.cloud.google.com/ in a private browser window. Then sign in using the credentials provided on the lab page.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?