Solving Google GKE Autopilot permission denied to Cloud Storage, Datastore and other resources
GKE Autopilot clusters use Workload Identity by default.
Workload Identity is Google's way of binding IAM service accounts to Kubernetes service accounts, so workloads no longer need an exported JSON key stored in a Kubernetes secret.
What we need to do is let the pods authenticate to Google Cloud APIs through that binding; until it exists, calls to Cloud Storage, Datastore and other APIs fail with 403 Permission denied.
1. Enable the Google Cloud APIs your workload needs (for example Cloud Storage and Datastore) on your project.

By default the namespace of an Autopilot cluster is named default and the Kubernetes service account (KSA_NAME) is also named default.

2. Allow the Kubernetes service account to impersonate the IAM service account by adding an IAM policy binding between the two (pick the IAM service account you want the GKE Autopilot workload to act as). The placeholders used below are:

| Placeholder | Meaning |
| --- | --- |
| PROJECT_ID | your Google Cloud project ID (the project that owns the cluster) |
| GSA_NAME | the name of your IAM service account |
| GSA_PROJECT | the project ID of the Google Cloud project that owns the IAM service account |
| KSA_NAME | the name of the Kubernetes Service Account, which is default in GKE Autopilot |
| NAMESPACE | the Kubernetes namespace, which is default in GKE Autopilot |

```bash
gcloud iam service-accounts add-iam-policy-binding GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]"
```

3. Annotate the Kubernetes service account with the email address of the IAM service account.

```bash
kubectl annotate serviceaccount KSA_NAME --namespace NAMESPACE \
  iam.gke.io/gcp-service-account=GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com
```

And voila. Pods that run as that Kubernetes service account now obtain the IAM service account's credentials from the GKE metadata server, and the 403 Permission denied errors go away.

Two things to keep in mind. Workload Identity only lets the pod act as the IAM service account; that account still needs IAM roles on the resources it touches (for example roles/storage.objectViewer on Cloud Storage or roles/datastore.user on Datastore), otherwise the 403 persists. And binding the default KSA in the default namespace hands that identity to every pod in the namespace; for least privilege, create a dedicated Kubernetes service account per workload, bind and annotate that one instead, and set serviceAccountName in the pod spec.
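The steps above, put together as one script with a verification step. This is an added example, not code from the original post; the project, service account and role names are assumptions that you override through the environment, and the verification pod image (curlimages/curl) is likewise an assumed choice.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Project, account, role and
# namespace names below are assumptions; override them in the environment.
set -euo pipefail

PROJECT_ID="${PROJECT_ID:-my-gke-project}"       # project that owns the Autopilot cluster (assumed)
GSA_PROJECT="${GSA_PROJECT:-$PROJECT_ID}"        # project that owns the IAM service account
GSA_NAME="${GSA_NAME:-gke-app}"                  # IAM service account name (assumed)
NAMESPACE="${NAMESPACE:-default}"                # Autopilot default namespace
KSA_NAME="${KSA_NAME:-default}"                  # Autopilot default Kubernetes service account
RESOURCE_ROLES="${RESOURCE_ROLES:-roles/storage.objectViewer roles/datastore.user}"

# E-mail of the IAM (Google) service account.
gsa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Principal that Workload Identity presents for a KSA: the pool is always
# PROJECT_ID.svc.id.goog and the subject is NAMESPACE/KSA_NAME.
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# Step 2: let the KSA impersonate the GSA.
bind_ksa_to_gsa() {
  gcloud iam service-accounts add-iam-policy-binding "$(gsa_email "$GSA_NAME" "$GSA_PROJECT")" \
    --project "$GSA_PROJECT" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME")"
}

# Step 3: tell GKE which GSA this KSA maps to.
annotate_ksa() {
  kubectl annotate serviceaccount "$KSA_NAME" --namespace "$NAMESPACE" --overwrite \
    "iam.gke.io/gcp-service-account=$(gsa_email "$GSA_NAME" "$GSA_PROJECT")"
}

# The binding alone grants no access: the GSA still needs roles on the
# resources the pod will call. Granted at project level here for brevity;
# narrow them to a bucket or a single role where you can.
grant_resource_roles() {
  local role
  for role in $RESOURCE_ROLES; do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "serviceAccount:$(gsa_email "$GSA_NAME" "$GSA_PROJECT")" \
      --role "$role"
  done
}

# Check: a pod running as the KSA asks the GKE metadata server which identity
# it has. With the binding in place this prints the GSA e-mail.
verify_from_pod() {
  kubectl run wi-check --namespace "$NAMESPACE" --rm -i --restart=Never \
    --image=curlimages/curl \
    --overrides="{\"apiVersion\":\"v1\",\"spec\":{\"serviceAccountName\":\"$KSA_NAME\"}}" \
    --command -- curl -sS -H 'Metadata-Flavor: Google' \
    'http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email'
}

main() {
  bind_ksa_to_gsa
  annotate_ksa
  grant_resource_roles
  verify_from_pod
}

# Nothing talks to Google Cloud unless explicitly asked, so the helpers can be
# sourced and exercised offline.
if [ "${WI_APPLY:-0}" = "1" ]; then
  main
fi
```

Run it with the variables set and WI_APPLY=1. verify_from_pod should print the GSA e-mail; if it prints anything else, the annotation or the workloadIdentityUser binding is missing. If it prints the GSA but the application still receives 403, the problem is the GSA's roles on the resource, not Workload Identity.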