
GKE Workload Identity

Configure GKE Workload Identity for Spice.ai on Google Kubernetes Engine.

GKE Workload Identity allows Spice.ai pods on Google Kubernetes Engine to authenticate as a Google Cloud service account for accessing GCP services (GCS, BigQuery, Secret Manager, etc.).

Configuration

Annotate the Spice ServiceAccount with the GCP service account email:

Helm Chart

serviceAccount:
  create: true
  annotations:
    iam.gke.io/gcp-service-account: GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

SpicepodSet (Kubernetes Operator)

apiVersion: spice.ai/v1
kind: SpicepodSet
metadata:
  name: my-spicepod
spec:
  replicas: 1
  service_account:
    enabled: true
    create: true
    annotations:
      iam.gke.io/gcp-service-account: GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
  spicepod: |
    name: my-spicepod
    kind: Spicepod
    version: v1

Prerequisites

  1. Enable Workload Identity on your GKE cluster.

  2. Create a GCP service account with the required IAM roles.

  3. Bind the Kubernetes ServiceAccount to the GCP service account:
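The three prerequisite steps as gcloud commands, as an added example that is not part of the Spice.ai documentation. The project, cluster, region, namespace and account names are placeholder assumptions, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example. Every value below is a placeholder (assumption); override via environment.
PROJECT_ID="${PROJECT_ID:-my-project}"
CLUSTER="${CLUSTER:-my-cluster}"
REGION="${REGION:-us-central1}"
NAMESPACE="${NAMESPACE:-spice}"       # namespace the Spice pods run in
KSA_NAME="${KSA_NAME:-spice-sa}"      # Kubernetes ServiceAccount carrying the annotation
GSA_NAME="${GSA_NAME:-spice-gsa}"     # GCP service account the pods authenticate as

# Reject names that would corrupt the member string (empty, '/', '[', spaces, ...).
valid_name() {
  case "$1" in
    ''|*[!a-z0-9.-]*|[.-]*|*[.-]) return 1 ;;
  esac
}

# IAM member for one namespace/ServiceAccount pair in the cluster's workload pool.
wi_member() {  # usage: wi_member PROJECT_ID NAMESPACE KSA_NAME
  valid_name "$2" && valid_name "$3" || {
    echo "invalid namespace or ServiceAccount name" >&2; return 1; }
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# Email that goes into the iam.gke.io/gcp-service-account annotation.
gsa_email() {  # usage: gsa_email PROJECT_ID GSA_NAME
  printf '%s@%s.iam.gserviceaccount.com\n' "$2" "$1"
}

# Print each command; execute it only when APPLY=1.
run() {
  printf '+ %s\n' "$*"
  [ "${APPLY:-0}" = 1 ] || return 0
  "$@"
}

setup_workload_identity() {
  member=$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME") || return 1
  email=$(gsa_email "$PROJECT_ID" "$GSA_NAME")
  # 1. Enable Workload Identity on the cluster.
  run gcloud container clusters update "$CLUSTER" --region "$REGION" \
    --workload-pool "$PROJECT_ID.svc.id.goog"
  # 2. Create the GCP service account (grant its data-access roles separately).
  run gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID"
  # 3. Let only this namespace/ServiceAccount pair impersonate it.
  run gcloud iam service-accounts add-iam-policy-binding "$email" \
    --project "$PROJECT_ID" --role roles/iam.workloadIdentityUser --member "$member"
}
setup_workload_identity
```

The binding in step 3 names one namespace and ServiceAccount, so any pod that can run under that ServiceAccount receives the GCP service account's roles; keep those roles to what Spice actually reads. On a Standard cluster, node pools that existed before step 1 must also be switched to the GKE metadata server before pods on them can use the identity.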
