Kubernetes Workload Identity Simplified

Kubernetes Workload Identity machine identity non-human identity
AbdelRahman Magdy
AbdelRahman Magdy

Security Research Analyst

 
June 3, 2025
3 min read

Kubernetes is a pretty neat tool for managing all your containerized apps, right? But, like, keeping track of who's who, especially for stuff like your workloads that aren't people, can get kinda messy. That's where Kubernetes Workload Identity swoops in to save the day. Let's break it down, no biggie.

What is Kubernetes Workload Identity?

Basically, Kubernetes Workload Identity lets you connect your Kubernetes service accounts to Google Cloud service accounts. (Authenticate to Google Cloud APIs from GKE workloads) This means your workloads can get to Google Cloud resources without you having to mess around with and hand out static credentials.

Why Use Workload Identity?

How Does It Work?

Key Components

  1. Kubernetes Service Account: This is like an identity for a workload running in your Kubernetes cluster.
  2. Google Cloud Service Account: This one gives you access to Google Cloud resources.
  3. Identity Binding: This is the crucial part that links your Kubernetes service account to the Google Cloud one.

Steps to Set Up Kubernetes Workload Identity

  1. Create a Google Cloud Service Account:

    • Head over to the Google Cloud Console.
    • Make a new service account and give it the permissions it needs.

  2. Create a Kubernetes Service Account:

    • Use kubectl to create a service account in your cluster:
      kubectl create serviceaccount my-k8s-sa

  3. Bind the Service Accounts:

    • This is where you use IAM to connect your Kubernetes service account to the Google Cloud one. You'll run a command like this:
      gcloud iam service-accounts add-iam-policy-binding [GCP_SA_EMAIL] \
--member=serviceAccount:[PROJECT_ID].svc.id.goog[[YOUR_NAMESPACE].my-k8s-sa] \
--role=roles/iam.workloadIdentityUser
      • Here, [GCP_SA_EMAIL] is the email address of the Google Cloud Service Account you just made.
      • [PROJECT_ID] is your Google Cloud project ID.
      • And [YOUR_NAMESPACE] is the Kubernetes namespace where your workload will be running.

  4. Update Your Workload to Use the Kubernetes Service Account:

    • You gotta tell your deployment to use that service account. Edit your deployment YAML:
      apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  template:
    spec:
      serviceAccountName: my-k8s-sa

  5. Access Google Cloud Services:

    • Now, your application can grab Google Cloud resources using the credentials from the linked Google Cloud service account. For example, your application code might use a Google Cloud client library, and it'll automatically pick up the credentials. It's pretty slick, like this (just a snippet, mind you):
      from google.cloud import storage


      # The client library automatically uses Workload Identity credentials
storage_client = storage.Client()
bucket = storage_client.bucket("your-gcs-bucket-name")
blob = bucket.blob("your-file-name.txt")
blob.upload_from_string("Hello, Workload Identity!")

Real-Life Example

Picture this: you've got an app running in Kubernetes, and it needs to, say, upload a file to Google Cloud Storage. Instead of dealing with some static key file that you have to manage, you set up Workload Identity. Your app just talks to Google Cloud Storage like it's no big deal, using those short-lived tokens that are tied to its service account.

Comparison: Workload Identity vs. Static Credentials

Feature Workload Identity Static Credentials
Security High (short-lived tokens) Low (long-lived tokens)
Management Automated lifecycle Manual management
Access Control Fine-grained IAM roles Limited IAM roles

With Workload Identity, the Google Cloud Service Account you link can be granted specific IAM roles, giving you really precise control over what your workload can and can't do in Google Cloud.

Key Takeaways

  • Kubernetes Workload Identity is pretty essential for handling identities for your non-human workloads in Kubernetes.
  • It really beefs up security and makes it way simpler for workloads to access cloud resources.
  • Setting it up involves creating service accounts, binding them effectively, and updating your workload configuration to use the right Kubernetes service account.

Diagram 1

AbdelRahman Magdy
AbdelRahman Magdy

Security Research Analyst

 

AbdelRahman (known as Abdou) is Security Research Analyst at the Non-Human Identity Management Group.

Related Articles

GKE Workload Identity

GKE Workload Identity Explained: Securing Your Kubernetes Clusters

Stop using static keys. Learn how GKE Workload Identity secures your Kubernetes clusters by mapping Service Accounts to IAM roles with short-lived tokens.

By AbdelRahman Magdy June 26, 2026 7 min read
common.read_full_article
Azure Workload Identity

How to Implement Azure Workload Identity in a Zero-Trust Environment

Stop using static credentials. Learn how to implement Azure Workload Identity to secure your Kubernetes environment using OIDC and Zero-Trust principles.

By Lalit Choda June 25, 2026 6 min read
common.read_full_article
machine identity security

Top 5 Machine Identity Security Best Practices for Enterprise Infrastructure

Secure your enterprise infrastructure against evolving threats. Learn 5 essential machine identity security best practices to manage non-human identities effectively.

By AbdelRahman Magdy June 24, 2026 7 min read
common.read_full_article
Non-Human Identity

Securing Non-Human Identities: A Step-by-Step Security Framework

Stop the machine identity crisis. Discover a 4-step framework to secure non-human identities, eliminate static secrets, and implement Zero Trust for workloads.

By Lalit Choda June 23, 2026 6 min read
common.read_full_article