This is a Preview version of the Cloud Run for Anthos documentation for use with Anthos fleets and Anthos Service Mesh.

The current GA version of the Cloud Run for Anthos documentation remains available for existing users. New product evaluations during the free trial should use the Preview installation documentation.

Using Workload Identity

Learn how to authenticate your Cloud Run for Anthos services with Workload Identity to access Google Cloud APIs such as the Compute APIs, Storage and Database APIs, or Machine Learning APIs.

To authenticate your services, you must configure IAM permissions, bind your Kubernetes service account (KSA) so that it can act as a Google service account (GSA), and then configure your Cloud Run for Anthos service to run as that KSA.

Enabling Workload Identity on your cluster

Instead of distributing a Google Cloud service account JSON key file to your cluster, set up fleet Workload Identity. With Workload Identity, workloads obtain short-lived Google credentials for the bound GSA at runtime, so no long-lived key is stored in the cluster.

Enabling all metrics with Workload Identity

To enable metrics, such as reporting request count or request latency to Google Cloud's operations suite, you must grant write access to Cloud Monitoring yourself: grant the Monitoring Metric Writer role (roles/monitoring.metricWriter) to the Google service account that Cloud Run for Anthos uses for metrics.

The following commands grant the Monitoring Metric Writer role to the GSA, allow the Knative Serving controller's KSA (controller in the knative-serving namespace) to act as that GSA, and annotate the KSA with the GSA it is bound to:

gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:GSA_NAME@GSA_PROJECT_ID.iam.gserviceaccount.com \
--role=roles/monitoring.metricWriter

gcloud iam service-accounts add-iam-policy-binding \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:PROJECT_ID.svc.id.goog[knative-serving/controller]" \
    GSA_NAME@GSA_PROJECT_ID.iam.gserviceaccount.com

kubectl annotate serviceaccount \
    --namespace knative-serving controller \
    iam.gke.io/gcp-service-account=GSA_NAME@GSA_PROJECT_ID.iam.gserviceaccount.com

Replace:

  • PROJECT_ID with the ID of the Google Cloud project for the cluster that hosts your Kubernetes service account.
  • GSA_NAME@GSA_PROJECT_ID with the name of your Google Service Account and ID of the Google Cloud project. You can use any Google Service Account in your organization. To view service accounts, see Listing service accounts.

For more information, see Granting, changing, and revoking access to resources.

Binding service accounts

You need to set up a relationship that lets a Kubernetes service account (KSA) act as a Google service account (GSA). Any workload running as the KSA automatically authenticates as the GSA when accessing Google Cloud APIs. Because the binding applies to every workload that uses the KSA, create a dedicated KSA for each service that needs Google Cloud access rather than annotating the namespace's default service account, and grant the GSA only the roles that service needs.

  1. If a Kubernetes service account doesn't exist, create one in the same Kubernetes namespace as your Cloud Run for Anthos service; otherwise, skip to the next step:

    kubectl create serviceaccount --namespace K8S_NAMESPACE KSA_NAME
  2. Bind the service accounts to create the relationship between the KSA and the GSA:

    1. Grant the KSA the Workload Identity User role on the GSA, which allows the KSA to impersonate the GSA:

      gcloud iam service-accounts add-iam-policy-binding \
      --role roles/iam.workloadIdentityUser \
      --member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" \
      GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com
    2. Annotate the KSA in the cluster so that the cluster uses the binding:

      kubectl annotate serviceaccount \
      --namespace K8S_NAMESPACE \
      KSA_NAME \
      iam.gke.io/gcp-service-account=GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com

    Both halves are required: the IAM binding without the annotation grants permission that nothing uses, and the annotation without the IAM binding causes credential requests from the workload to fail.
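The binding above has two halves that must agree: the IAM policy on the GSA and the annotation on the KSA. The following script, an added example that is not part of this documentation or of Google's tooling, audits both directions for one cluster. It reads JSON in the shape produced by `kubectl get serviceaccounts -A -o json` and by `gcloud iam service-accounts get-iam-policy GSA --format=json`; the project IDs, namespaces, KSA and GSA names below are constructed samples, embedded inline so the script runs offline. It reports KSAs that are annotated but lack a matching `roles/iam.workloadIdentityUser` member (the workload will fail to get credentials), and `workloadIdentityUser` members on a GSA that no annotated KSA in this cluster corresponds to (excess trust that should be revoked or confirmed against another cluster).

```python
"""Audit Workload Identity KSA <-> GSA bindings for one cluster.

Added example, not Google's code. Inputs follow the JSON shapes of
`kubectl get sa -A -o json` and `gcloud iam service-accounts get-iam-policy
GSA --format=json`; the samples here are constructed so the script runs offline.
"""
import json
import re

WI_ANNOTATION = "iam.gke.io/gcp-service-account"
WI_ROLE = "roles/iam.workloadIdentityUser"
# Member form documented for the binding: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
MEMBER_RE = re.compile(
    r"^serviceAccount:(?P<pool>[^.\[]+\.svc\.id\.goog)\[(?P<ns>[^/\]]+)/(?P<ksa>[^\]]+)\]$"
)

# Constructed sample (assumed names): output of `kubectl get sa -A -o json`, trimmed.
KSA_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "knative-serving", "name": "controller",
   "annotations": {"iam.gke.io/gcp-service-account": "cr-metrics@gsa-proj.iam.gserviceaccount.com"}}},
 {"metadata": {"namespace": "default", "name": "my-svc-ksa",
   "annotations": {"iam.gke.io/gcp-service-account": "storage-reader@gsa-proj.iam.gserviceaccount.com"}}},
 {"metadata": {"namespace": "default", "name": "default"}}
]}
""")

# Constructed sample (assumed names): per-GSA output of `gcloud iam service-accounts get-iam-policy`.
GSA_POLICIES = {
    "cr-metrics@gsa-proj.iam.gserviceaccount.com": json.loads("""
      {"bindings": [{"role": "roles/iam.workloadIdentityUser",
        "members": ["serviceAccount:cluster-proj.svc.id.goog[knative-serving/controller]",
                    "serviceAccount:cluster-proj.svc.id.goog[staging/debug]"]}]}"""),
    "storage-reader@gsa-proj.iam.gserviceaccount.com": json.loads('{"bindings": []}'),
}


def wi_members(policy):
    """Return the set of members granted roles/iam.workloadIdentityUser in an IAM policy."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == WI_ROLE:
            members.update(binding.get("members", []))
    return members


def expected_members(ksa_list, cluster_project):
    """Map the IAM member string each annotated KSA needs -> (namespace, ksa, gsa)."""
    expected = {}
    for item in ksa_list["items"]:
        md = item["metadata"]
        gsa = (md.get("annotations") or {}).get(WI_ANNOTATION)
        if gsa:
            member = f"serviceAccount:{cluster_project}.svc.id.goog[{md['namespace']}/{md['name']}]"
            expected[member] = (md["namespace"], md["name"], gsa)
    return expected


def audit(ksa_list, gsa_policies, cluster_project):
    """Return findings:
    missing_binding: (ns, ksa, gsa) annotated KSA whose GSA lacks the matching member;
                     token exchange for that workload will fail.
    dangling_member: (gsa, member) workloadIdentityUser member with no matching annotated
                     KSA in this cluster; members from other clusters' pools also land here
                     and must be checked against those clusters.
    malformed_member: (gsa, member) member not in the PROJECT.svc.id.goog[ns/ksa] form.
    """
    expected = expected_members(ksa_list, cluster_project)
    findings = {"missing_binding": [], "dangling_member": [], "malformed_member": []}

    for member, (ns, ksa, gsa) in expected.items():
        if member not in wi_members(gsa_policies.get(gsa, {})):
            findings["missing_binding"].append((ns, ksa, gsa))

    for gsa, policy in gsa_policies.items():
        for member in sorted(wi_members(policy)):
            if not MEMBER_RE.match(member):
                findings["malformed_member"].append((gsa, member))
            elif expected.get(member, (None, None, None))[2] != gsa:
                findings["dangling_member"].append((gsa, member))
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(KSA_LIST, GSA_POLICIES, "cluster-proj"), indent=2))
```

Run it against real output by replacing the two samples with the files you saved from `kubectl` and `gcloud`; the `cluster-proj` argument is the project that hosts the cluster, which is the PROJECT_ID in the member string, not the project that owns the GSA.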

Deploying a new service with a new identity

Deploy your service using a KSA that exists in the cluster and namespace of the service you are deploying. The Google service account that the KSA is bound to may belong to a different project than the cluster.

Console

  1. Go to Cloud Run for Anthos in the Cloud Console:

    Go to Cloud Run for Anthos

  2. Click Create Service if you are configuring a new service. If you are configuring an existing service, click the service, then click Edit & Deploy New Revision.

  3. Under Advanced settings, click Container.


  4. Click the Service account dropdown and select the desired service account.

  5. Click Next to continue to the next section.

  6. In the Configure how this service is triggered section, select which connectivity you would like to use to invoke the service.

  7. Click Create to deploy the image to Cloud Run for Anthos and wait for the deployment to finish.

Command line

  • For existing services, configure the runtime service account by running the gcloud run services update command with the following parameters:

    gcloud run services update SERVICE --service-account SERVICE_ACCOUNT

    Replace:

    • SERVICE with the name of your service.
    • SERVICE_ACCOUNT with the name of the Kubernetes service account (KSA) that you bound to a GSA, in the same namespace as the service.
  • For new services, configure the runtime service account by running the gcloud run deploy command with the --service-account parameter:

    gcloud run deploy --image IMAGE_URL --service-account SERVICE_ACCOUNT

    Replace:

    • IMAGE_URL with a reference to the container image, for example, gcr.io/myproject/my-image:latest.
    • SERVICE_ACCOUNT with the name of the Kubernetes service account (KSA) that you bound to a GSA, in the same namespace as the service.

YAML

You can download the configuration of an existing service into a YAML file with the gcloud run services describe command by using the --format=export flag. You can then modify that YAML file and deploy those changes with the gcloud beta run services replace command. You must ensure that you modify only the specified attributes.

  1. Download the configuration of your service into a file named service.yaml on local workspace:

    gcloud run services describe SERVICE --format export > service.yaml

    Replace SERVICE with the name of your Cloud Run for Anthos service.

  2. In your local file, update the serviceAccountName: attribute:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: SERVICE
    spec:
      template:
        spec:
          serviceAccountName: SERVICE_ACCOUNT

    Replace:

    • SERVICE with the name of your Cloud Run for Anthos service.
    • SERVICE_ACCOUNT with the name of the Kubernetes service account (KSA) that you bound to a GSA, in the same namespace as the service.
  3. Replace the service with its new configuration using the following command:

    gcloud beta run services replace service.yaml
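Whichever method you use to deploy, the identity a revision actually runs as is whatever `spec.template.spec.serviceAccountName` resolves to; if it is unset, Kubernetes runs the pods as the namespace's default service account, which is normally not bound to any GSA. The following script, an added example that is not part of this documentation or of Google's tooling, lists the runtime identity of every Knative Service in a cluster and flags those that do not resolve to a Workload Identity-bound KSA. It reads JSON in the shape of `kubectl get ksvc -A -o json` and `kubectl get sa -A -o json`; the service, KSA, GSA and image names below are constructed samples, embedded inline so the script runs offline.

```python
"""Report the runtime identity of each Cloud Run for Anthos (Knative) service.

Added example, not Google's code. Inputs follow the JSON shapes of
`kubectl get ksvc -A -o json` and `kubectl get sa -A -o json`; the samples
here are constructed so the script runs offline.
"""
import json

WI_ANNOTATION = "iam.gke.io/gcp-service-account"

# Constructed sample (assumed names): `kubectl get ksvc -A -o json`, trimmed.
KSVC_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "default", "name": "billing-api"},
  "spec": {"template": {"spec": {"serviceAccountName": "billing-ksa",
           "containers": [{"image": "gcr.io/myproject/billing:1.2"}]}}}},
 {"metadata": {"namespace": "default", "name": "legacy-web"},
  "spec": {"template": {"spec": {
           "containers": [{"image": "gcr.io/myproject/web:0.9"}]}}}},
 {"metadata": {"namespace": "default", "name": "reports"},
  "spec": {"template": {"spec": {"serviceAccountName": "missing-ksa",
           "containers": [{"image": "gcr.io/myproject/reports:3"}]}}}}
]}
""")

# Constructed sample (assumed names): `kubectl get sa -A -o json`, trimmed.
KSA_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "default", "name": "billing-ksa",
   "annotations": {"iam.gke.io/gcp-service-account": "billing@gsa-proj.iam.gserviceaccount.com"}}},
 {"metadata": {"namespace": "default", "name": "default"}}
]}
""")


def ksa_index(ksa_list):
    """Map (namespace, ksa) -> GSA email, or None when the KSA has no WI annotation."""
    index = {}
    for item in ksa_list["items"]:
        md = item["metadata"]
        index[(md["namespace"], md["name"])] = (md.get("annotations") or {}).get(WI_ANNOTATION)
    return index


def runtime_identity(ksvc_list, ksa_list):
    """Return one (namespace, service, ksa, gsa, status) tuple per Knative Service.

    status is one of:
      bound   - the KSA exists in the namespace and is annotated with a GSA
      unbound - the KSA exists but carries no WI annotation, so the service has no
                GSA to authenticate as (typical for the namespace default KSA)
      missing - the template names a KSA that does not exist in the namespace
    """
    index = ksa_index(ksa_list)
    rows = []
    for svc in ksvc_list["items"]:
        ns, name = svc["metadata"]["namespace"], svc["metadata"]["name"]
        # Kubernetes uses the namespace's "default" KSA when none is named.
        ksa = svc["spec"]["template"]["spec"].get("serviceAccountName", "default")
        if (ns, ksa) not in index:
            rows.append((ns, name, ksa, None, "missing"))
            continue
        gsa = index[(ns, ksa)]
        rows.append((ns, name, ksa, gsa, "bound" if gsa else "unbound"))
    return rows


def not_bound(ksvc_list, ksa_list):
    """Services whose revisions will not run as a Workload Identity-bound KSA."""
    return [r for r in runtime_identity(ksvc_list, ksa_list) if r[4] != "bound"]


if __name__ == "__main__":
    for row in runtime_identity(KSVC_LIST, KSA_LIST):
        print("{}/{}: ksa={} gsa={} status={}".format(*row))
```

A service reported as "missing" will fail to schedule pods until the KSA is created; one reported as "unbound" runs, but any Google Cloud API call it makes has no bound GSA, and if that KSA is the namespace default, annotating it would hand the GSA's permissions to every other workload in the namespace that did not name a KSA.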

Migrating existing services to use Workload Identity

If you enabled Workload Identity on an existing cluster, each service on that cluster must be migrated to use Workload Identity. Learn how to migrate existing services.