Kubernetes Workload Identity Simplified

Kubernetes Workload Identity machine identity non-human identity
AbdelRahman Magdy
AbdelRahman Magdy

Security Research Analyst

 
June 3, 2025 3 min read

Kubernetes Workload Identity

Kubernetes is a pretty neat tool for managing all your containerized apps, right? But, like, keeping track of who's who, especially for stuff like your workloads that aren't people, can get kinda messy. That's where Kubernetes Workload Identity swoops in to save the day. Let's break it down, no biggie.

What is Kubernetes Workload Identity?

Basically, Kubernetes Workload Identity lets you connect your Kubernetes service accounts to Google Cloud service accounts. (Authenticate to Google Cloud APIs from GKE workloads) This means your workloads can get to Google Cloud resources without you having to mess around with and hand out static credentials.

Why Use Workload Identity?

How Does It Work?

Key Components

  1. Kubernetes Service Account: This is like an identity for a workload running in your Kubernetes cluster.
  2. Google Cloud Service Account: This one gives you access to Google Cloud resources.
  3. Identity Binding: This is the crucial part that links your Kubernetes service account to the Google Cloud one.

Steps to Set Up Kubernetes Workload Identity

  1. Create a Google Cloud Service Account:

    • Head over to the Google Cloud Console.
    • Make a new service account and give it the permissions it needs.

  2. Create a Kubernetes Service Account:

    • Use kubectl to create a service account in your cluster:
      kubectl create serviceaccount my-k8s-sa

  3. Bind the Service Accounts:

    • This is where you use IAM to connect your Kubernetes service account to the Google Cloud one. You'll run a command like this:
      gcloud iam service-accounts add-iam-policy-binding [GCP_SA_EMAIL] \
--member=serviceAccount:[PROJECT_ID].svc.id.goog[[YOUR_NAMESPACE].my-k8s-sa] \
--role=roles/iam.workloadIdentityUser
      • Here, [GCP_SA_EMAIL] is the email address of the Google Cloud Service Account you just made.
      • [PROJECT_ID] is your Google Cloud project ID.
      • And [YOUR_NAMESPACE] is the Kubernetes namespace where your workload will be running.

  4. Update Your Workload to Use the Kubernetes Service Account:

    • You gotta tell your deployment to use that service account. Edit your deployment YAML:
      apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  template:
    spec:
      serviceAccountName: my-k8s-sa

  5. Access Google Cloud Services:

    • Now, your application can grab Google Cloud resources using the credentials from the linked Google Cloud service account. For example, your application code might use a Google Cloud client library, and it'll automatically pick up the credentials. It's pretty slick, like this (just a snippet, mind you):
      from google.cloud import storage


      The client library automatically uses Workload Identity credentials
      storage_client = storage.Client()
      bucket = storage_client.bucket("your-gcs-bucket-name")
      blob = bucket.blob("your-file-name.txt")
      blob.upload_from_string("Hello, Workload Identity!")

Real-Life Example

Picture this: you've got an app running in Kubernetes, and it needs to, say, upload a file to Google Cloud Storage. Instead of dealing with some static key file that you have to manage, you set up Workload Identity. Your app just talks to Google Cloud Storage like it's no big deal, using those short-lived tokens that are tied to its service account.

Comparison: Workload Identity vs. Static Credentials

Feature Workload Identity Static Credentials
Security High (short-lived tokens) Low (long-lived tokens)
Management Automated lifecycle Manual management
Access Control Fine-grained IAM roles Limited IAM roles

With Workload Identity, the Google Cloud Service Account you link can be granted specific IAM roles, giving you really precise control over what your workload can and can't do in Google Cloud.

Key Takeaways

  • Kubernetes Workload Identity is pretty essential for handling identities for your non-human workloads in Kubernetes.
  • It really beefs up security and makes it way simpler for workloads to access cloud resources.
  • Setting it up involves creating service accounts, binding them effectively, and updating your workload configuration to use the right Kubernetes service account.

Diagram 1

AbdelRahman Magdy
AbdelRahman Magdy

Security Research Analyst

 

AbdelRahman (known as Abdou) is Security Research Analyst at the Non-Human Identity Management Group.

Related Articles

Machine Identity

The Importance of Understanding Machine and Workload Identity

Explore the critical importance of machine and workload identity in modern security architectures. Learn about the risks, management strategies, and how to secure non-human identities effectively.

By Lalit Choda December 17, 2025 12 min read
Read full article
Workload Identity

Current Trends in Workload Identity

Explore the latest trends in workload identity, including cloud-native security, zero-trust architecture, and AI-driven threat detection. Learn how to secure non-human identities and prevent identity-based attacks.

By Lalit Choda December 15, 2025 7 min read
Read full article
Non Human Identity

Agency Solutions for Workload Management

Discover how agencies can optimize workload management by leveraging non-human identity (NHI) solutions for enhanced security and efficiency.

By Lalit Choda December 12, 2025 13 min read
Read full article
workload identity

Securing Machine-to-SQL Access: A CISO's Guide to Workload Identity in Data Queries

Learn how to secure machine access to SQL query engines using workload identity. This guide is tailored for CISOs and CIOs focusing on data governance and non-human identity management.

By Lalit Choda December 10, 2025 12 min read
Read full article