@vadirajks
Created February 6, 2024 09:56
gke_workload_identity.sh
#!/bin/bash
# References:
# https://medium.com/@rakeshsaw/workload-identity-secured-way-to-access-google-cloud-apis-from-gke-workloads-44882ec5036a
# https://luandy-4171.medium.com/how-does-gke-workload-identify-work-with-iam-service-account-b996656284f8
# https://stackoverflow.com/questions/75948510/access-to-google-cloud-storage-from-an-autopilot-gke-cluster
# https://bijukunjummen.medium.com/gke-autopilot-and-workload-identity-a2732cf256de
# https://docs.ray.io/en/latest/cluster/kubernetes/user-guides/gke-gcs-bucket.html
set -euo pipefail

# Set variables
CLUSTER_NAME="<YOUR_CLUSTER_NAME>"
PROJECT_ID="<YOUR_PROJECT_ID>"
NAMESPACE="default" # Change if your workloads are deployed in a different namespace
YOUR_CLUSTER_ZONE="<ZONE>"
GSA_NAME="<GSA_NAME>"
KSA_NAME="<KSA_NAME>"
GSA_EMAIL="${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
WI_POOL="${PROJECT_ID}.svc.id.goog" # each project has exactly one Workload Identity pool, named like this

# Enable Workload Identity for the GKE cluster by attaching it to the project's pool.
# Autopilot clusters already have this. On Standard clusters, existing node pools also need
# the GKE metadata server: gcloud container node-pools update <POOL> --cluster=... --workload-metadata=GKE_METADATA
gcloud container clusters update "${CLUSTER_NAME}" --zone="${YOUR_CLUSTER_ZONE}" \
  --workload-pool="${WI_POOL}"

# Create Google Service Account (GSA)
gcloud iam service-accounts create "${GSA_NAME}" --project="${PROJECT_ID}"

# Assign roles to the GSA. add-iam-policy-binding accepts a single --role per call,
# so each role gets its own binding. roles/storage.admin already includes everything
# roles/storage.objectViewer grants; keep only the narrowest role the workload needs.
for ROLE in roles/storage.admin roles/storage.objectViewer; do
  gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
    --member="serviceAccount:${GSA_EMAIL}" \
    --role="${ROLE}"
done

# Create Kubernetes Service Account (KSA)
kubectl create serviceaccount "${KSA_NAME}" --namespace "${NAMESPACE}"

# Associate Kubernetes service account with IAM service account (IAM side of the link):
# only this namespace/KSA pair in this project's pool may impersonate the GSA.
gcloud iam service-accounts add-iam-policy-binding "${GSA_EMAIL}" \
  --member="serviceAccount:${WI_POOL}[${NAMESPACE}/${KSA_NAME}]" \
  --role=roles/iam.workloadIdentityUser

# Point the KSA at the GSA (Kubernetes side of the link). Without this annotation
# pods using the KSA do not get the GSA's credentials.
kubectl annotate serviceaccount "${KSA_NAME}" --namespace "${NAMESPACE}" \
  "iam.gke.io/gcp-service-account=${GSA_EMAIL}"

# Verify Workload Identity configuration
gcloud iam service-accounts get-iam-policy "${GSA_EMAIL}" --project="${PROJECT_ID}"

# Optional end-to-end check: a pod running as the KSA should see the GSA's email from the
# GKE metadata server, not the node's default service account.
kubectl run wi-test --rm -i --restart=Never --namespace "${NAMESPACE}" \
  --image=curlimages/curl \
  --overrides="{\"spec\":{\"serviceAccountName\":\"${KSA_NAME}\"}}" \
  -- curl -sS -H "Metadata-Flavor: Google" \
  http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email
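The last step of the script prints the GSA's IAM policy, which is where every identity that can act as the GSA shows up. The following audit script is an added example, not part of the gist: it parses the JSON that `gcloud iam service-accounts get-iam-policy <GSA_EMAIL> --format=json` prints, lists the namespace/KSA pairs bound as `roles/iam.workloadIdentityUser`, and reports anything that should not be there (a KSA outside the expected set, a KSA from another project's pool, or a principal holding a role such as `roles/iam.serviceAccountTokenCreator` that yields the GSA's credentials without going through Workload Identity). The policy embedded below is constructed to look like gcloud's output; the project and account names in it are not real.

```python
"""Audit which identities may act as a Google service account (GSA).

Added example, not part of the gist. Input is the JSON printed by
  gcloud iam service-accounts get-iam-policy <GSA_EMAIL> --format=json
The SAMPLE_POLICY below is constructed to mimic that output; it is not real data.
"""
import json
import re

WI_ROLE = "roles/iam.workloadIdentityUser"
# Roles that hand out the GSA's credentials or let a principal run as it,
# independently of the Workload Identity binding.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
}
# Shape of a Workload Identity member: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
WI_MEMBER = re.compile(
    r"^serviceAccount:(?P<project>[a-z][-a-z0-9]*)\.svc\.id\.goog"
    r"\[(?P<ns>[^/\]]+)/(?P<ksa>[^\]]+)\]$"
)

# Constructed sample in the shape gcloud prints (bindings -> role + members).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {
            "role": WI_ROLE,
            "members": [
                "serviceAccount:my-project.svc.id.goog[default/app-ksa]",
                "serviceAccount:my-project.svc.id.goog[payments/billing-ksa]",
                "serviceAccount:other-project.svc.id.goog[default/app-ksa]",
            ],
        },
        {
            "role": "roles/iam.serviceAccountTokenCreator",
            "members": ["user:alice@example.com"],
        },
    ],
    "etag": "BwXXXXXXXXX=",
    "version": 1,
})


def iter_bindings(policy_json):
    """Yield (role, member) pairs from a gcloud IAM policy document."""
    policy = json.loads(policy_json)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            yield binding["role"], member


def workload_identity_users(policy_json):
    """Return [(pool_project, namespace, ksa), ...] bound as workloadIdentityUser."""
    users = []
    for role, member in iter_bindings(policy_json):
        m = WI_MEMBER.match(member)
        if role == WI_ROLE and m:
            users.append((m["project"], m["ns"], m["ksa"]))
    return users


def audit(policy_json, pool_project, allowed_ksas):
    """Return a list of findings; empty means only the expected KSAs can act as the GSA.

    pool_project: project whose Workload Identity pool the cluster belongs to.
    allowed_ksas: set of (namespace, ksa) pairs that are supposed to be bound.
    """
    findings = []
    for role, member in iter_bindings(policy_json):
        if role == WI_ROLE:
            m = WI_MEMBER.match(member)
            if m is None:
                findings.append(f"non-KSA principal on {WI_ROLE}: {member}")
            elif m["project"] != pool_project:
                findings.append(f"KSA from a foreign pool ({m['project']}): {member}")
            elif (m["ns"], m["ksa"]) not in allowed_ksas:
                findings.append(f"unexpected KSA bound: {m['ns']}/{m['ksa']}")
        elif role in IMPERSONATION_ROLES:
            findings.append(f"{member} can obtain the GSA's identity via {role}")
    return findings


if __name__ == "__main__":
    # Expected state for the sample: only default/app-ksa in my-project's pool.
    for line in audit(SAMPLE_POLICY, "my-project", {("default", "app-ksa")}):
        print("FINDING:", line)
```

To run it against a real account, replace `SAMPLE_POLICY` with the output of `gcloud iam service-accounts get-iam-policy "$GSA_EMAIL" --format=json` and pass the pool project and the namespace/KSA pairs your cluster is supposed to use; an empty result means the GSA is reachable only through the intended Workload Identity binding.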