Kubernetes Workload Identity Simplified

Kubernetes Workload Identity machine identity non-human identity
AbdelRahman Magdy
AbdelRahman Magdy

Security Research Analyst

 
June 3, 2025 3 min read

Kubernetes Workload Identity

Kubernetes is a pretty neat tool for managing all your containerized apps, right? But, like, keeping track of who's who, especially for stuff like your workloads that aren't people, can get kinda messy. That's where Kubernetes Workload Identity swoops in to save the day. Let's break it down, no biggie.

What is Kubernetes Workload Identity?

Basically, Kubernetes Workload Identity lets you connect your Kubernetes service accounts to Google Cloud service accounts. (Authenticate to Google Cloud APIs from GKE workloads) This means your workloads can get to Google Cloud resources without you having to mess around with and hand out static credentials.

Why Use Workload Identity?

How Does It Work?

Key Components

  1. Kubernetes Service Account: This is like an identity for a workload running in your Kubernetes cluster.
  2. Google Cloud Service Account: This one gives you access to Google Cloud resources.
  3. Identity Binding: This is the crucial part that links your Kubernetes service account to the Google Cloud one.

Steps to Set Up Kubernetes Workload Identity

  1. Create a Google Cloud Service Account:

    • Head over to the Google Cloud Console.
    • Make a new service account and give it the permissions it needs.

  2. Create a Kubernetes Service Account:

    • Use kubectl to create a service account in your cluster:
      kubectl create serviceaccount my-k8s-sa

  3. Bind the Service Accounts:

    • This is where you use IAM to connect your Kubernetes service account to the Google Cloud one. You'll run a command like this:
      gcloud iam service-accounts add-iam-policy-binding [GCP_SA_EMAIL] \
--member=serviceAccount:[PROJECT_ID].svc.id.goog[[YOUR_NAMESPACE].my-k8s-sa] \
--role=roles/iam.workloadIdentityUser
      • Here, [GCP_SA_EMAIL] is the email address of the Google Cloud Service Account you just made.
      • [PROJECT_ID] is your Google Cloud project ID.
      • And [YOUR_NAMESPACE] is the Kubernetes namespace where your workload will be running.

  4. Update Your Workload to Use the Kubernetes Service Account:

    • You gotta tell your deployment to use that service account. Edit your deployment YAML:
      apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  template:
    spec:
      serviceAccountName: my-k8s-sa

  5. Access Google Cloud Services:

    • Now, your application can grab Google Cloud resources using the credentials from the linked Google Cloud service account. For example, your application code might use a Google Cloud client library, and it'll automatically pick up the credentials. It's pretty slick, like this (just a snippet, mind you):
      from google.cloud import storage


      The client library automatically uses Workload Identity credentials
      storage_client = storage.Client()
      bucket = storage_client.bucket("your-gcs-bucket-name")
      blob = bucket.blob("your-file-name.txt")
      blob.upload_from_string("Hello, Workload Identity!")

Real-Life Example

Picture this: you've got an app running in Kubernetes, and it needs to, say, upload a file to Google Cloud Storage. Instead of dealing with some static key file that you have to manage, you set up Workload Identity. Your app just talks to Google Cloud Storage like it's no big deal, using those short-lived tokens that are tied to its service account.

Comparison: Workload Identity vs. Static Credentials

Feature Workload Identity Static Credentials
Security High (short-lived tokens) Low (long-lived tokens)
Management Automated lifecycle Manual management
Access Control Fine-grained IAM roles Limited IAM roles

With Workload Identity, the Google Cloud Service Account you link can be granted specific IAM roles, giving you really precise control over what your workload can and can't do in Google Cloud.

Key Takeaways

  • Kubernetes Workload Identity is pretty essential for handling identities for your non-human workloads in Kubernetes.
  • It really beefs up security and makes it way simpler for workloads to access cloud resources.
  • Setting it up involves creating service accounts, binding them effectively, and updating your workload configuration to use the right Kubernetes service account.

Diagram 1

AbdelRahman Magdy
AbdelRahman Magdy

Security Research Analyst

 

AbdelRahman (known as Abdou) is Security Research Analyst at the Non-Human Identity Management Group.

Related Articles

virtual workload security

Extending Threat Detection to Virtual Workloads

Learn how to extend threat detection to virtual workloads, addressing non-human identities and using XDR and AI to improve security posture.

By AbdelRahman Magdy October 29, 2025 7 min read
Read full article
Non Human Identity

Understanding Identity Library Version Updates

Learn how to manage identity library version updates for non-human identities. Understand SemVer, breaking changes, and best practices to ensure system security.

By Lalit Choda October 20, 2025 15 min read
Read full article
Workload Identity

What Does a Workload Update Entail?

Understand what a workload update entails, focusing on non-human identity management, security, and planning for smooth transitions. Learn best practices for mitigating risks.

By Lalit Choda October 16, 2025 14 min read
Read full article
smart device debugging

Resolving Debug Connection Issues for Smart Device Development

Troubleshooting debug connection problems in smart device development, focusing on network configurations, authentication protocols, and security for Non-Human Identities (NHIs).

By Lalit Choda October 14, 2025 5 min read
Read full article