Kubernetes Workload Identity Simplified

Kubernetes Workload Identity machine identity non-human identity
AbdelRahman Magdy
AbdelRahman Magdy

Security Research Analyst

 
June 3, 2025 3 min read

Kubernetes Workload Identity

Kubernetes is a pretty neat tool for managing all your containerized apps, right? But, like, keeping track of who's who, especially for stuff like your workloads that aren't people, can get kinda messy. That's where Kubernetes Workload Identity swoops in to save the day. Let's break it down, no biggie.

What is Kubernetes Workload Identity?

Basically, Kubernetes Workload Identity lets you connect your Kubernetes service accounts to Google Cloud service accounts. (Authenticate to Google Cloud APIs from GKE workloads) This means your workloads can get to Google Cloud resources without you having to mess around with and hand out static credentials.

Why Use Workload Identity?

How Does It Work?

Key Components

  1. Kubernetes Service Account: This is like an identity for a workload running in your Kubernetes cluster.
  2. Google Cloud Service Account: This one gives you access to Google Cloud resources.
  3. Identity Binding: This is the crucial part that links your Kubernetes service account to the Google Cloud one.

Steps to Set Up Kubernetes Workload Identity

  1. Create a Google Cloud Service Account:

    • Head over to the Google Cloud Console.
    • Make a new service account and give it the permissions it needs.

  2. Create a Kubernetes Service Account:

    • Use kubectl to create a service account in your cluster:
      kubectl create serviceaccount my-k8s-sa

  3. Bind the Service Accounts:

    • This is where you use IAM to connect your Kubernetes service account to the Google Cloud one. You'll run a command like this:
      gcloud iam service-accounts add-iam-policy-binding [GCP_SA_EMAIL] \
--member=serviceAccount:[PROJECT_ID].svc.id.goog[[YOUR_NAMESPACE].my-k8s-sa] \
--role=roles/iam.workloadIdentityUser
      • Here, [GCP_SA_EMAIL] is the email address of the Google Cloud Service Account you just made.
      • [PROJECT_ID] is your Google Cloud project ID.
      • And [YOUR_NAMESPACE] is the Kubernetes namespace where your workload will be running.

  4. Update Your Workload to Use the Kubernetes Service Account:

    • You gotta tell your deployment to use that service account. Edit your deployment YAML:
      apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  template:
    spec:
      serviceAccountName: my-k8s-sa

  5. Access Google Cloud Services:

    • Now, your application can grab Google Cloud resources using the credentials from the linked Google Cloud service account. For example, your application code might use a Google Cloud client library, and it'll automatically pick up the credentials. It's pretty slick, like this (just a snippet, mind you):
      from google.cloud import storage


      The client library automatically uses Workload Identity credentials
      storage_client = storage.Client()
      bucket = storage_client.bucket("your-gcs-bucket-name")
      blob = bucket.blob("your-file-name.txt")
      blob.upload_from_string("Hello, Workload Identity!")

Real-Life Example

Picture this: you've got an app running in Kubernetes, and it needs to, say, upload a file to Google Cloud Storage. Instead of dealing with some static key file that you have to manage, you set up Workload Identity. Your app just talks to Google Cloud Storage like it's no big deal, using those short-lived tokens that are tied to its service account.

Comparison: Workload Identity vs. Static Credentials

Feature Workload Identity Static Credentials
Security High (short-lived tokens) Low (long-lived tokens)
Management Automated lifecycle Manual management
Access Control Fine-grained IAM roles Limited IAM roles

With Workload Identity, the Google Cloud Service Account you link can be granted specific IAM roles, giving you really precise control over what your workload can and can't do in Google Cloud.

Key Takeaways

  • Kubernetes Workload Identity is pretty essential for handling identities for your non-human workloads in Kubernetes.
  • It really beefs up security and makes it way simpler for workloads to access cloud resources.
  • Setting it up involves creating service accounts, binding them effectively, and updating your workload configuration to use the right Kubernetes service account.

Diagram 1

AbdelRahman Magdy
AbdelRahman Magdy

Security Research Analyst

 

AbdelRahman (known as Abdou) is Security Research Analyst at the Non-Human Identity Management Group.

Related Articles

Non Human Identity

Best Practices for Operating Systems in Modern Development

Explore best practices for securing operating systems in modern development environments, focusing on non-human identity management, access control, and automation.

By AbdelRahman Magdy November 21, 2025 11 min read
Read full article
server optimization

Server Setup Guide: Best Practices for Storage and Optimization

Optimize your server setup with our guide on storage solutions and performance tweaks. Learn best practices for NHI management, hardware tuning, and database optimization.

By AbdelRahman Magdy November 19, 2025 6 min read
Read full article
Non Human Identity

Building Guest Operating Systems on Real-Time Platforms

Explore building guest operating systems on real-time platforms with a focus on non-human identity (NHI) security, workload identity, and machine identity management.

By AbdelRahman Magdy November 17, 2025 14 min read
Read full article
SOC reports

Understanding SOC Reports and Their Importance

Learn about SOC reports, their types, and why they are crucial for securing non-human identities (NHIs), machine identities, and workloads. Understand how to interpret SOC reports for better security and compliance.

By AbdelRahman Magdy November 14, 2025 12 min read
Read full article