Workload Identity Configuration¶
This Terraform module configures workload identity federation for Google Kubernetes Engine (GKE). The module offers the flexibility to utilize an existing IAM service account, Kubernetes service account, and Kubernetes namespace, or create new ones as needed.
Examples¶
module "wid" {
source = "github.com/GoogleCloudPlatform/applied-ai-engineering-samples//ai-infrastructure/terraform-modules/workload-identity"
cluster_name = "gke-cluster"
location = "us-central1"
project_id = "project-id"
wid_sa_name = "iam-wid-sa"
wid_sa_roles = ["storage.objectAdmin", "logging.logWriter"]]
ksa_name = "wid-ksa"
namespace = "wid-namespace"
}
Input variables¶
| Name | Description | Type | Required | Default |
|---|---|---|---|---|
| project_id | The project ID | string |
✓ | |
| cluster_name | The name of a GKE cluster | string |
✓ | |
| location | The location of a GKE cluster | string |
✓ | |
| namespace | The name of a Kubernetes namespace | string |
✓ | |
| namespace_create | Whether to create a new namspace | bool |
true |
|
| ksa_name | The name of a Kubernetes service account | string |
✓ | |
| kubernetes_service_account_create | Whether to create a new Kubernetes service account | bool |
true |
|
| wid_sa_name | The name of an IAM service account | string |
✓ | |
| wid_sa_roles | The list of IAM roles to assign to the IAM service account | list(strings) |
✓ | |
| google_service_account_create | Whether to create a new IAM service account | bool |
true |
Outputs¶
| Name | Description |
|---|---|
| wid_sa_email | The email of the IAM service account |
| wid_sa_name | The name of the IAM service account |
| namespace | The name of the Kubernetes namespace |
| ksa_name | The name of the Kubernetes service account |
| created_resources | The IDs of newly created resources |