add support for authentication without GCP Service Account #88
nazarewk wants to merge 3 commits into pfnet-research:main from
Could probably use some additional tests; I have tested it empirically by using it on a live cluster.
| # optional: Defaults to value inside `service-account-email` | ||
| # | ||
| cloud.google.com/project: "12345" |
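Review bot: The comment above `cloud.google.com/project` says the value defaults to what is inside `service-account-email`, but this PR is about the case where no service account is configured, so in that flow the default has nothing to read from. The comment should say whether the annotation is then required or what the fallback is. The example value "12345" also looks like a project number, while a value taken from a service account email would be a project ID, so state which form is expected.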
It's not obvious whether this needs to be the project ID or the project Number.
If it's normally parsed out of the SA then it seems it should be the Project ID, but the example here has a number?!
Unless "SA" means Kubernetes SA, and the project number is parsed out of workload identity provider annotation?
Either way, it would be clearer if the annotation name was explicit (e.g. projectID or projectNumber)
I am not sure whether it matters. I haven't been working with GCP for a while already, so I can't test, but I remember most of the tools calling the field `project` and accepting both numerical IDs and project names.
For some unknown time now, GCP WIF can be used directly to access any kind of GCP resources without impersonating a Service Account; this PR implements this flow.
fixes #87
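
The two flows differ in the `external_account` credential file that Google auth libraries read: direct federation has no `service_account_impersonation_url`. The Go code below is an added example, not code from this PR or the project; `buildConfig`, the struct names, the token path and the pool and provider names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// credentialConfig mirrors the external_account credential file read by
// Google auth libraries (only the fields needed here).
type credentialConfig struct {
	Type             string           `json:"type"`
	Audience         string           `json:"audience"`
	SubjectTokenType string           `json:"subject_token_type"`
	TokenURL         string           `json:"token_url"`
	ImpersonationURL string           `json:"service_account_impersonation_url,omitempty"`
	CredentialSource credentialSource `json:"credential_source"`
}

type credentialSource struct {
	File string `json:"file"`
}

// buildConfig (hypothetical helper) returns the credential file for a
// workload identity provider. An empty saEmail selects direct federated
// access: the impersonation URL is omitted and the token returned by STS
// is used to call GCP APIs as the federated principal.
func buildConfig(provider, tokenFile, saEmail string) ([]byte, error) {
	if provider == "" || tokenFile == "" {
		return nil, fmt.Errorf("provider and token file are required")
	}
	cfg := credentialConfig{
		Type:             "external_account",
		Audience:         "//iam.googleapis.com/" + provider,
		SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
		TokenURL:         "https://sts.googleapis.com/v1/token",
		CredentialSource: credentialSource{File: tokenFile},
	}
	if saEmail != "" {
		cfg.ImpersonationURL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" +
			saEmail + ":generateAccessToken"
	}
	return json.MarshalIndent(cfg, "", "  ")
}

func main() {
	// Constructed sample values; the pool, provider and path are placeholders.
	provider := "projects/12345/locations/global/workloadIdentityPools/example-pool/providers/example-provider"
	out, _ := buildConfig(provider, "/var/run/secrets/example/token", "")
	fmt.Println(string(out))
}
```

With direct access, IAM roles have to be granted to the federated principal itself rather than to a service account, so audit bindings accordingly.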