I've built a Google Kubernetes Engine (GKE) cluster in a GCP project.
According to the different use cases of applications running on the cluster, I associated the applications with the different service accounts and the different granted permissions. To do so, I bound Google Service Account (GSA) with the Kubernetes Cluster Service Account (KSA) as follows:
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" \
GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
kubectl annotate serviceaccount \
--namespace K8S_NAMESPACE \
KSA_NAME \
iam.gke.io/gcp-service-account=GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#option_2_node_pool_modification
Everything I have explained works normally.
Currently, there are many GKE clusters in different projects. Furthermore, the service accounts assigned with the applications are supposed to be created in the same project that hosts the GKE clusters. I am planning to do the GSA centralisation for KSA into one GCP project.
Questions
Would it be possible to build a GKE cluster in a project and create a GSA for an application running on the GKE cluster in another project?
If so, what roles do I have to grant to the GSA associated with the GKE cluster in order to access the GSAs in the other project and bind them with the KSA?
Note: This thread is only about the Google Service Account (GSA) associated with the application running on a GKE cluster, not about the Google Service Account (GSA) associated with the GKE cluster itself.
It is also about how to bind a Google Service Account (GSA) in one GCP project with a Kubernetes Cluster Service Account (KSA) in a GKE cluster in another GCP project.
This should be possible. You can definitely create service accounts in one project and attach them to resources in another project.
In the project which "hosts" your service account(s):
- the iam.disableCrossProjectServiceAccountUsage constraint is NOT enforced for the project (this is done by updating the organization policy for the project)
- roles/iam.serviceAccountTokenCreator is granted to the GSA associated with each cluster as well.
See https://cloud.google.com/iam/docs/impersonating-service-accounts#attaching-different-project
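The two commands in the question and the cross-project conditions in the answer are the operational side; the audit side, which neither post shows, is checking who can actually impersonate a GSA once the centralised project is in place. The following script is an added example, not code from either poster or from Google: it takes the JSON that `gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json` returns (a constructed sample is embedded), lists every Workload Identity principal bound to the GSA, flags the ones whose pool project differs from the GSA's home project (exactly the cross-project bindings the answer describes), flags KSAs holding any role other than roles/iam.workloadIdentityUser, and renders the two commands from the question for a given GSA/KSA pair. The project ids, namespaces and service-account names in the sample are made up.

```python
"""Audit Workload Identity bindings on a Google Service Account (GSA).

Input is the policy document an operator obtains with
    gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json
A Kubernetes service account (KSA) appears in it as a member of the form
    serviceAccount:POOL_PROJECT.svc.id.goog[NAMESPACE/KSA_NAME]
where POOL_PROJECT is the project hosting the GKE cluster. When that project
is not the project in the GSA e-mail, the binding is cross-project and relies
on iam.disableCrossProjectServiceAccountUsage not being enforced.
"""
import re
from dataclasses import dataclass

WI_MEMBER = re.compile(
    r"^serviceAccount:(?P<pool_project>[a-z][-a-z0-9]*)\.svc\.id\.goog"
    r"\[(?P<namespace>[^/\]]+)/(?P<ksa>[^\]]+)\]$"
)
GSA_EMAIL = re.compile(
    r"^(?P<name>[^@]+)@(?P<project>[a-z][-a-z0-9]*)\.iam\.gserviceaccount\.com$"
)
WI_ROLE = "roles/iam.workloadIdentityUser"


@dataclass(frozen=True)
class Binding:
    role: str
    pool_project: str
    namespace: str
    ksa: str
    cross_project: bool  # True when the cluster project != the GSA's project


def gsa_project(gsa_email):
    """Project id that hosts the GSA, taken from its e-mail address."""
    m = GSA_EMAIL.match(gsa_email)
    if m is None:
        raise ValueError(f"not a GSA e-mail: {gsa_email}")
    return m.group("project")


def workload_identity_bindings(gsa_email, policy):
    """All KSA principals in the GSA's IAM policy, with cross-project flag."""
    home = gsa_project(gsa_email)
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            m = WI_MEMBER.match(member)
            if m is None:  # users, groups, plain GSAs: not Workload Identity
                continue
            found.append(Binding(
                role=binding["role"],
                pool_project=m.group("pool_project"),
                namespace=m.group("namespace"),
                ksa=m.group("ksa"),
                cross_project=m.group("pool_project") != home,
            ))
    return found


def unexpected_roles(bindings):
    """KSA principals should hold only roles/iam.workloadIdentityUser on the GSA;
    anything broader (e.g. serviceAccountTokenCreator) is worth a second look."""
    return [b for b in bindings if b.role != WI_ROLE]


def binding_commands(gsa_email, pool_project, namespace, ksa):
    """The two commands from the question, rendered for one KSA/GSA pair."""
    member = f"serviceAccount:{pool_project}.svc.id.goog[{namespace}/{ksa}]"
    return [
        "gcloud iam service-accounts add-iam-policy-binding "
        f'--role {WI_ROLE} --member "{member}" {gsa_email}',
        f"kubectl annotate serviceaccount --namespace {namespace} {ksa} "
        f"iam.gke.io/gcp-service-account={gsa_email}",
    ]


# Constructed sample: a GSA in the central project bound to KSAs in three
# clusters. One binding is same-project, two are cross-project, and one of the
# cross-project KSAs holds a role it should not have.
SAMPLE_GSA = "app-sa@sa-central-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": WI_ROLE, "members": [
            "serviceAccount:sa-central-project.svc.id.goog[default/app-ksa]",
            "serviceAccount:gke-project-a.svc.id.goog[payments/payments-ksa]",
            "user:alice@example.com",
        ]},
        {"role": "roles/iam.serviceAccountTokenCreator", "members": [
            "serviceAccount:gke-project-b.svc.id.goog[default/broad-ksa]",
        ]},
    ],
    "etag": "BwXconstructed=",
}

if __name__ == "__main__":
    for b in workload_identity_bindings(SAMPLE_GSA, SAMPLE_POLICY):
        scope = "CROSS-PROJECT" if b.cross_project else "same-project"
        print(f"{scope:13} {b.pool_project}[{b.namespace}/{b.ksa}] -> {b.role}")
    for b in unexpected_roles(workload_identity_bindings(SAMPLE_GSA, SAMPLE_POLICY)):
        print(f"WARNING: {b.ksa} holds {b.role}, expected {WI_ROLE}")
    print("\n".join(binding_commands(SAMPLE_GSA, "gke-project-a", "payments", "payments-ksa")))
```

Run against a real policy by replacing SAMPLE_POLICY with `json.load()` of the gcloud output; the cross-project flag tells you which bindings will silently stop working if the organization policy constraint from the answer is later enforced on the central project.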