This topic explains how to enable Workload Identity for Apigee hybrid installations on AKS and EKS platforms.
Overview
Workload identity federation lets applications running outside Google Cloud impersonate a Google Cloud Platform service account by using credentials from an external identity provider.
Using workload identity federation can help you improve security by letting applications use the authentication mechanisms that the external environment provides and can help replace service account keys.
In the step Configure Workload Identity Federation, the default audience for the Workload Identity pools and providers you create is as follows. Use this default or set a custom expected audience, and save the value you use, because you will need it later.
You should not need to perform the steps under Create a pair of service accounts, because the service accounts you will need should already have been created:
IAM service accounts: You most likely have already created the IAM service accounts (also called "Google service accounts") during initial installation of Apigee hybrid with the create-service-account tool. See About service accounts for a list of IAM service accounts needed by Apigee hybrid.
You can see a list of IAM service accounts in your project with the following command:
gcloud iam service-accounts list --project PROJECT_ID
Kubernetes service accounts: The Apigee hybrid charts create the necessary Kubernetes service accounts for each component when you run the helm install or helm update command.
You can see the Kubernetes service accounts in your cluster with the kubectl get sa commands:
kubectl get sa -n APIGEE_NAMESPACE
kubectl get sa -n apigee-system
Stop after step 1 under Deploy a Kubernetes workload. Save the credential configuration file, and save the path you entered for the --credential-source-file parameter, for example: /var/run/service-account/token.
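As an added example (not part of the Apigee documentation), the following Python checks a saved credential configuration file against the audience and the --credential-source-file path recorded in the steps above, so a mismatch is caught before the file is handed to Apigee hybrid. It assumes the file has the layout emitted by gcloud iam workload-identity-pools create-cred-config; every project number, pool, provider and service account name in it is a constructed placeholder.

```python
"""Offline sanity check of a Workload Identity Federation credential
configuration file before pointing Apigee hybrid at it."""
import json

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"


def check_credential_config(raw_json, expected_audience, expected_token_path):
    """Compare the saved config file with the audience and token path recorded
    earlier; returns a list of findings (empty means everything matches)."""
    findings = []
    try:
        cfg = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if cfg.get("type") != "external_account":
        findings.append(f"type is {cfg.get('type')!r}, expected 'external_account'")
    if cfg.get("audience") != expected_audience:
        findings.append("audience differs from the value saved from the pool/provider step")
    if cfg.get("token_url") != STS_TOKEN_URL:
        findings.append(f"token_url is {cfg.get('token_url')!r}, expected {STS_TOKEN_URL!r}")
    source = cfg.get("credential_source") or {}
    if source.get("file") != expected_token_path:
        findings.append(f"credential_source.file is {source.get('file')!r}, "
                        f"expected the --credential-source-file path {expected_token_path!r}")
    if not cfg.get("service_account_impersonation_url"):
        findings.append("no service_account_impersonation_url: file is not tied to an IAM service account")
    return findings


# Constructed sample values (placeholder project number, pool, provider and
# service account); substitute the real values saved during your setup.
SAMPLE_AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
                   "workloadIdentityPools/example-pool/providers/example-provider")
SAMPLE_TOKEN_PATH = "/var/run/service-account/token"
SAMPLE_CONFIG = json.dumps({
    "type": "external_account",
    "audience": SAMPLE_AUDIENCE,
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": STS_TOKEN_URL,
    "credential_source": {"file": SAMPLE_TOKEN_PATH, "format": {"type": "text"}},
    "service_account_impersonation_url": ("https://iamcredentials.googleapis.com/v1/projects/-/"
                                          "serviceAccounts/apigee-example@example.iam.gserviceaccount.com:generateAccessToken"),
})

if __name__ == "__main__":
    for finding in check_credential_config(SAMPLE_CONFIG, SAMPLE_AUDIENCE, SAMPLE_TOKEN_PATH):
        print("finding:", finding)
```

Run it against the real file by reading it into raw_json and passing the audience and token path you saved; any finding means the file does not describe the pool, provider or projected token path you configured.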
Configure Apigee hybrid to use Workload Identity Federation