Setting up Workload Identity on GKE per service/namespace

Workload Identity on Google Kubernetes Engine lets a container in a Pod call Google Cloud services with a Google Cloud identity, without a mounted service account key. It works by binding a Kubernetes Service Account to a Google Cloud Service Account, and the two are easy to confuse: the Kubernetes Service Account is referenced in IAM as a member of the form `serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]`, which looks much like the Google Cloud Service Account's email `NAME@PROJECT_ID.iam.gserviceaccount.com`!

The Google Cloud documentation for Workload Identity is a little abstract, so I’ve provided some code snippets for the Terraform required to create the Google Cloud Service Account and allow it to be used by a Kubernetes Service Account in GKE.

You can test whether this works as expected by spinning up a Pod that runs as the Kubernetes Service Account bound to the Google Cloud Service Account, on a cluster (and node pool) with Workload Identity enabled.

If you shell into the running Pod (or execute the command remotely) you can check which identity the Google Cloud metadata server reports. If it reports the Google Cloud Service Account, then any Pod using that Kubernetes Service Account can reach the Google Cloud managed services that the IAM roles you grant to the Google Cloud Service Account allow. Note the consequence: whoever can create Pods with that Kubernetes Service Account in that namespace gets those permissions, so treat the right to use the Kubernetes Service Account as sensitive and scope the IAM roles on the Google Cloud Service Account to the minimum the service needs.

# Check the Kubernetes Service Account name of the test Pod
$ kubectl describe pod workload-identity-test | grep "Service Account"

# Should be the name of the Kubernetes Service Account
Service Account:  my-service-gke-serviceaccount

# Shell into the test Pod
$ kubectl exec -it workload-identity-test -- /bin/bash

# Query the Google Cloud metadata server to see which IAM identity it thinks you have
root@workload-identity-test:/# curl -H "Metadata-Flavor: Google" \

# Should return the Google Cloud Service Account email address
# (not the Kubernetes Service Account name)
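The whole procedure, binding and verification, as an added example that is not part of the original post and not the author's Terraform: it uses gcloud and kubectl to do what the Terraform described above does (create the Google Cloud Service Account, grant the Kubernetes Service Account `roles/iam.workloadIdentityUser` on it, annotate the Kubernetes Service Account), then asks the metadata server from inside the Pod which identity it sees. The project, namespace, service account names and the Pod name are placeholders; `check_identity` is an exact-match helper so that a Kubernetes Service Account name leaking through is reported as a mismatch.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). gcloud/kubectl equivalent of the
# Terraform binding described above, plus a check that the Pod's metadata
# identity is the Google Cloud SA rather than the Kubernetes SA.
# All project, namespace, SA and Pod names below are assumed placeholders.
set -eu

# Google Cloud service account email: NAME@PROJECT.iam.gserviceaccount.com
gsa_email() {
  local name=$1 project=$2
  printf '%s@%s.iam.gserviceaccount.com\n' "$name" "$project"
}

# IAM member for a Kubernetes SA in the project's Workload Identity pool.
# The "[NAMESPACE/KSA]" suffix scopes the binding to exactly one KSA.
wi_member() {
  local project=$1 namespace=$2 ksa=$3
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$project" "$namespace" "$ksa"
}

# Exact comparison of the metadata server's answer with the expected GSA email.
# A bare KSA name, an empty answer or any other account fails.
check_identity() {
  local seen=$1 expected=$2
  [ "$seen" = "$expected" ]
}

# Create the GSA, allow the KSA to impersonate it, and annotate the KSA.
# Needs an authenticated gcloud and kubectl; not run by the offline checks.
bind_workload_identity() {
  local project=$1 namespace=$2 ksa=$3 gsa_name=$4
  local gsa member
  gsa=$(gsa_email "$gsa_name" "$project")
  member=$(wi_member "$project" "$namespace" "$ksa")

  # "|| true" keeps the script idempotent when the GSA already exists.
  gcloud iam service-accounts create "$gsa_name" --project "$project" \
    --display-name "Workload Identity SA for $namespace/$ksa" || true
  # This binding is what lets the KSA act as the GSA; nothing wider.
  gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --project "$project" \
    --role roles/iam.workloadIdentityUser \
    --member "$member"
  # Create-or-update the KSA, then point it at the GSA.
  kubectl -n "$namespace" create serviceaccount "$ksa" --dry-run=client -o yaml \
    | kubectl apply -f -
  kubectl -n "$namespace" annotate serviceaccount "$ksa" --overwrite \
    "iam.gke.io/gcp-service-account=$gsa"
}

# From inside the Pod, ask the metadata server which account it serves.
verify_pod_identity() {
  local namespace=$1 pod=$2 expected=$3
  local seen
  seen=$(kubectl -n "$namespace" exec "$pod" -- \
    curl -sf -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email')
  if check_identity "$seen" "$expected"; then
    echo "OK: pod $pod runs as $seen"
  else
    echo "MISMATCH: expected $expected, metadata server reports '$seen'" >&2
    return 1
  fi
}

# Usage with placeholder names: bind, then verify from a Pod using the KSA.
if [ "${1:-}" = "run" ]; then
  PROJECT=my-project NS=my-service KSA=my-service-gke-serviceaccount GSA=my-service-wi
  bind_workload_identity "$PROJECT" "$NS" "$KSA" "$GSA"
  verify_pod_identity "$NS" workload-identity-test "$(gsa_email "$GSA" "$PROJECT")"
fi
```

Run it as `./wi.sh run` after pointing the placeholders at a real project and a Pod whose `serviceAccountName` is the annotated Kubernetes Service Account. If the metadata server reports the node's default compute service account instead of the Google Cloud Service Account, the Pod is not using the annotated Kubernetes Service Account or the node pool does not have Workload Identity enabled.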
