This page contains example configuration for running the secrets-store-csi-driver-provider-gcp provider with Fleet Workload Identity authentication in environments that are configured for Workload Identity Federation outside of Google Cloud.
Instead of a Google Service Account key file, a Fleet Workload Identity configuration JSON file can be passed to any process that needs to authenticate to a Google API from a Kubernetes cluster configured for Workload Identity Federation. The secrets-store-csi-driver-provider-gcp provider pods are such processes: they must authenticate to the Google Secret Manager API in order to provide access to the application secrets. This configuration file contains a credential of type external_account and, unlike a Google Service Account key, does not contain any secret material. The configuration is passed via the GOOGLE_APPLICATION_CREDENTIALS environment variable, which must hold the path of the configuration file on the pod's local file system.
A ConfigMap holding the contents of the configuration file referenced by the GOOGLE_APPLICATION_CREDENTIALS environment variable of pods on Kubernetes clusters that access Google Cloud APIs using Fleet Workload Identity (for example Anthos on Bare Metal clusters) can be created as illustrated in the following snippet:
```shell
cat <<EOF | kubectl apply -f -
kind: ConfigMap
apiVersion: v1
metadata:
  namespace: kube-system
  name: default-creds-config
data:
  config: |
    {
      "type": "external_account",
      "audience": "identitynamespace:$FLEET_PROJECT_ID.svc.id.goog:https://gkehub.googleapis.com/projects/$FLEET_PROJECT_ID/locations/global/memberships/cluster1",
      "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/GSA_NAME@GSA_PROJECT_ID.iam.gserviceaccount.com:generateAccessToken",
      "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
      "token_url": "https://sts.googleapis.com/v1/token",
      "credential_source": {
        "file": "/var/run/secrets/tokens/gcp-ksa/token"
      }
    }
EOF
```
Please note that the service_account_impersonation_url attribute in the snippet above is only necessary if you link a Google Service Account to the Kubernetes Service Account using the iam.gke.io/gcp-service-account annotation and the roles/iam.workloadIdentityUser IAM role. Otherwise, omit the attribute from the configuration.
The following snippet illustrates passing the ConfigMap with the external_account credential to the secrets-store-csi-driver-provider-gcp provider pods, which need Fleet Workload Identity authentication to access Google Secret Manager secrets, via the GOOGLE_APPLICATION_CREDENTIALS environment variable.
```yaml
spec:
  ...
  template:
    ...
    spec:
      ...
      containers:
      - name: provider
        image: gcr.io/$PROJECT_ID/secrets-store-csi-driver-provider-gcp:$GCP_PROVIDER_SHA
        ...
        env:
        ...
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/run/secrets/tokens/gcp-ksa/google-application-credentials.json
        volumeMounts:
        ...
        - mountPath: /var/run/secrets/tokens/gcp-ksa
          name: gcp-ksa
          readOnly: true
      ...
      volumes:
      ...
      - name: gcp-ksa
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              audience: $FLEET_PROJECT_ID.svc.id.goog
              expirationSeconds: 172800
              path: token
          - configMap:
              items:
              - key: config
                path: google-application-credentials.json
              name: default-creds-config
              optional: false
```
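As an added pre-apply check (example code, not part of the provider project), the following Python script validates that a credential configuration like the one in the ConfigMap above is an external_account credential that carries no key material and is consistent with the projected volume in the pod spec: the token file must live under the volumeMounts path, and the audience must reference the same fleet identity namespace as the serviceAccountToken audience. The fleet project id "fleet-proj" and the sample config are constructed placeholders.

```python
"""Sanity-check a Fleet Workload Identity credential config against the pod's projected volume."""
import json

# Constructed sample mirroring the ConfigMap above, with placeholders filled in.
SAMPLE_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "identitynamespace:fleet-proj.svc.id.goog:https://gkehub.googleapis.com/projects/fleet-proj/locations/global/memberships/cluster1",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/var/run/secrets/tokens/gcp-ksa/token"},
})
MOUNT_PATH = "/var/run/secrets/tokens/gcp-ksa"   # volumeMounts.mountPath in the pod spec
TOKEN_AUDIENCE = "fleet-proj.svc.id.goog"        # serviceAccountToken.audience (constructed)


def check_credential_config(raw: str, mount_path: str, token_audience: str) -> list:
    """Return a list of problems found; an empty list means the config is consistent."""
    problems = []
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e}"]
    if cfg.get("type") != "external_account":
        problems.append("type must be external_account")
    # A service account key file carries private_key; a WIF config must never contain one.
    for secret_field in ("private_key", "private_key_id", "client_secret"):
        if secret_field in cfg:
            problems.append(f"contains secret material: {secret_field}")
    # The audience must name the fleet membership for the same identity namespace
    # that the projected serviceAccountToken is issued for.
    expected_prefix = f"identitynamespace:{token_audience}:https://gkehub.googleapis.com/"
    if not cfg.get("audience", "").startswith(expected_prefix):
        problems.append("audience does not match the projected token audience")
    if cfg.get("subject_token_type") != "urn:ietf:params:oauth:token-type:jwt":
        problems.append("subject_token_type must be the JWT token type")
    if cfg.get("token_url") != "https://sts.googleapis.com/v1/token":
        problems.append("token_url must be the STS token endpoint")
    # The subject token is read from the projected volume; any other path will not exist in the pod.
    token_file = cfg.get("credential_source", {}).get("file", "")
    if not token_file.startswith(mount_path + "/"):
        problems.append("credential_source.file is outside the projected volume mount")
    # Optional: only present when a GSA is linked to the KSA; must be a generateAccessToken URL.
    url = cfg.get("service_account_impersonation_url")
    if url is not None and not (
        url.startswith("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/")
        and url.endswith(":generateAccessToken")
    ):
        problems.append("service_account_impersonation_url is not a generateAccessToken URL")
    return problems
```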