Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Object Store] Make the service account used when interacting with the metadata url more flexible #5073

Open
gianarb opened this issue Nov 14, 2023 · 1 comment
Open

[Object Store] Make the service account used when interacting with the metadata url more flexible #5073

gianarb opened this issue Nov 14, 2023 · 1 comment
Labels
enhancement Any new improvement worthy of a entry in the changelog help wanted

Comments

@gianarb
Copy link

gianarb commented Nov 14, 2023

Is your feature request related to a problem or challenge? Please describe what you are trying to do.

Hello, I deploy my application to GCP GKE and in order to authorize to GCP Object Storage I am using a workload identity as described by the GCP documentation

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to

The problem I am facing is that default is not the right service account, I would like to use the one defined when attaching the iam service account to the kubernetes one.

https://github.com/apache/arrow-rs/blob/master/object_store/src/gcp/credential.rs#L325-L331

Describe the solution you'd like

I think we should add configuration to specify the name of the service account you want to use. I am not sure the implication but it sounds good to use the service_account_key if present, if not we can use default as we do today.

Describe alternatives you've considered

I can generate a credential file and authenticate with another method but this one looks like the way to go suggested by GCP itself.

Additional context
@gianarb gianarb added the enhancement Any new improvement worthy of a entry in the changelog label Nov 14, 2023
@tustvold tustvold mentioned this issue Jan 18, 2024
Closed
@tustvold
Copy link
Contributor

tustvold commented Jan 19, 2024
edited
Loading

So I re-read the docs here and I am honestly confused why this isn't working for you. The docs state that you should

  1. Annotate the IAM role in GCS with the policy binding
gcloud projects add-iam-policy-binding GSA_PROJECT --member "serviceAccount:GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com"    --role "ROLE_NAME"
  1. Annotate the kubernetes ServiceAccount object
kubectl annotate serviceaccount KSA_NAME --namespace NAMESPACE  iam.gke.io/gcp-service-account=GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com
  1. Update the pods to enable the metadata hook
spec:
  serviceAccountName: KSA_NAME
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"
  1. Now within the workload calling the metadata endpoint with default will yield the service account that you've mapped in
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email

I cannot find any documentation about calling the metadata endpoint with anything other than default, when you would do this, or what its behaviour would be. But crucially the docs would indicate that for workload identity you should call the metadata endpoint with default as the current code does.

Is it possible your cluster isn't configured with workload identity enabled?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Any new improvement worthy of a entry in the changelog help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gianarb @tustvold