Created
February 14, 2020 04:28
-
-
Save EronWright/039192b4e7a4e53828cda0e76e3a0498 to your computer and use it in GitHub Desktop.
Pulumi example for GKE Workload Identity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Creates a GCP service account named 'test-workload-identity' to be used | |
| by a GKE workload using a Kubernetes service account named 'default/default'. | |
| */ | |
| import * as pulumi from "@pulumi/pulumi"; | |
| import * as gcp from "@pulumi/gcp"; | |
| const gcpConfig = new pulumi.Config("gcp"); | |
| const projectId = gcpConfig.get("project"); | |
| const ksa = "default/default"; | |
| const gsaName = "test-workload-identity"; | |
| const gsa = new gcp.serviceAccount.Account(gsaName, { | |
| accountId: gsaName, | |
| displayName: "An account for testing the GKE workload identity feature", | |
| }); | |
| const binding = new gcp.serviceAccount.IAMBinding(`${gsaName}:${ksa}`, { | |
| serviceAccountId: pulumi.interpolate `projects/${projectId}/serviceAccounts/${gsa.email}`, | |
| members: [`serviceAccount:${projectId}.svc.id.goog[${ksa}]`], | |
| role: "roles/iam.workloadIdentityUser" | |
| }); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
you got a typo in
serviceAccount, it must be:new gcp.serviceaccount.IAMBindingnotice account must be lowercase. Anyway, thank you so mush, this is exactly what I was looking for.