At Google Cloud, we work to continually improve our platform’s security capabilities to deliver the most trusted cloud. As part of this goal, we’re helping our users move away from less secure authentication methods such as long-lived, unauditable, service account keys towards more secure alternatives when authenticating to Google Cloud APIs and services.
In the context of Kubernetes workloads, there have been three ways users can do this:
-
Export credentials and mount as a secret in the Pod at runtime. This is done using service account keys but could be a security risk if the keys are not managed correctly.
-
Use the worker node identity or credential, such as the node service account. The security issue is that the credential is shared by all workloads deployed on that node. This can result in over-provisioning of permissions, which violates the principle of least privilege and is not recommended for multi-tenant clusters nor microservices in general.
-
Use GKE Workload Identity, which allows you to grant access to Cloud APIs using OpenID Connect without needing manual configuration or less secure methods like the aforementioned options.
The preferred option has been to use GKE Workload Identity. Earlier this year, we renamed it Workload Identity Federation for GKE, and rolled out a significant update that made it even easier to use. The update also enabled deeper integration into Google Cloud’s IAM platform. Here’s what you need to know about the changes.
