Use workload identity for the container registry in gstg and pre

Adds the glue to enable the use of workload identities by the container registry in k8s for accessing CloudProfiler
parent 96275d58
......@@ -2580,6 +2580,13 @@ resource "google_service_account" "container_registry" {
description = "Service account the container registry"
}
# Updates an IAM policy to add the kubernetes service account gitlab/container-registry to the GCP service account in order to be able to use GKE Workload Identity
resource "google_service_account_iam_member" "container_registry_ksa" {
role = "roles/iam.workloadIdentityUser"
service_account_id = google_service_account.container_registry.name
member = "serviceAccount:${var.project}.svc.id.goog[gitlab/container_registry]"
}
resource "google_project_iam_member" "containerRegistryCloudProfilerAgent" {
project = var.project
role = "roles/cloudprofiler.agent"
......
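Review bot: The Workload Identity binding in `google_service_account_iam_member.container_registry_ksa` names the Kubernetes service account `gitlab/container_registry` (underscore), while the comment above it says `gitlab/container-registry` (hyphen); Kubernetes ServiceAccount names are DNS-1123 names and cannot contain underscores, so the member string as written cannot match any real KSA and the registry pods would not be able to impersonate the GCP service account. Unless the workload is deliberately using some other name not visible here, the line should read `member = "serviceAccount:${var.project}.svc.id.goog[gitlab/container-registry]"`, and the comment and the binding should be kept consistent so a later rename does not silently break the trust relationship again. A short comment on the member line such as `# The bracketed part is namespace/KSA-name; it must match the ServiceAccount the registry pods run as` would make the coupling explicit. The `google_project_iam_member.containerRegistryCloudProfilerAgent` resource starts in this hunk but its body continues outside the shown lines, so its `member` could not be reviewed.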