To securely access Google Cloud APIs from CI/CD pipelines running on Google Kubernetes Engine (GKE), follow these steps:
Create Service Accounts:
Create individual service accounts for each CI/CD pipeline. This ensures isolation and minimal permissions per pipeline.
Use a naming convention that includes an identifier for each pipeline, such as pipeline-a-sa, pipeline-b-sa, etc.
Configure Kubernetes Service Accounts:
Create Kubernetes service accounts for each CI/CD pipeline pod.
Map Kubernetes Service Accounts to Google Service Accounts:
Use Workload Identity to associate Kubernetes service accounts with the corresponding Google service accounts. This allows the pods to authenticate to Google Cloud APIs securely.
Example command to bind the Kubernetes service account to the Google service account:
gcloud iam service-accounts add-iam-policy-binding \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:.svc.id.goog[/]" \ @.iam.gserviceaccount.com
Deploy CI/CD Pipelines:
Ensure each pipeline runs in dedicated pods that use the specific Kubernetes service accounts configured earlier.
This setup ensures that each pipeline has the necessary permissions to interact with Google Cloud APIs securely, adhering to the principle of least privilege.
References
Using Workload Identity
Managing Service Accounts
Submit