From c06745e64504782c1b36744d703e4590c0bb3abc Mon Sep 17 00:00:00 2001 From: jordanp Date: Mon, 28 Oct 2024 15:14:31 +0100 Subject: [PATCH] Doc: Image Repository: GCP: Direct resource access with WIF GCP now favors direct resource access with WorkloadIdentity Federation, as opposed to service account impersonation. Signed-off-by: jordanp --- docs/spec/v1beta2/imagerepositories.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/spec/v1beta2/imagerepositories.md b/docs/spec/v1beta2/imagerepositories.md index 372e79aa..5829c7fe 100644 --- a/docs/spec/v1beta2/imagerepositories.md +++ b/docs/spec/v1beta2/imagerepositories.md @@ -500,7 +500,7 @@ access to them. ##### Workload Identity -When using Workload Identity to enable access to GCR or Artifact Registry, add +When using Workload Identity to enable access to GCR or Artifact Registry with service account impersonation, add the following patch to your bootstrap repository, in the `flux-system/kustomization.yaml` file: 
@@ -527,8 +527,12 @@ The Artifact Registry service uses the permission `artifactregistry.repositories that is located under the Artifact Registry Reader role. If you are using Google Container Registry service, the needed permission is instead `storage.objects.list` which can be bound as part of the Container Registry Service Agent role. -Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) -for more information about setting up GKE Workload Identity. + +Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) and +[this guide](https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes#authenticate) +for more information about setting up GKE Workload Identity. Note that GCP now recommends using +[direct resource access](https://cloud.google.com/iam/docs/workload-identity-federation#direct-resource-access) as opposed +to service account impersonation when using Workload Identity. #### Authentication on other platforms
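Review bot: in the first hunk, the changed line ("When using Workload Identity to enable access to GCR or Artifact Registry with service account impersonation, add") is now far longer than the wrapped lines around it; rewrap it at the width the rest of this section uses. Narrowing the sentence to service account impersonation also leaves the `##### Workload Identity` heading and the kustomization patch that follows covering only one of the two modes; a short sentence stating that the patch below applies to the impersonation flow only would make that explicit.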
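Review bot: in the second hunk, the added sentence that GCP now recommends direct resource access over service account impersonation gives the reader no way to act on it: the section documents only the impersonation setup and does not say whether this controller supports direct resource access or how to configure it. Either document the direct-access configuration here or state plainly that only the impersonation flow is documented. Two smaller points: the added lines ("Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) and" and "for more information about setting up GKE Workload Identity. Note that GCP now recommends using") exceed the wrap width of the surrounding file and should be rewrapped, and since the second link is the Workload Identity Federation with Kubernetes guide rather than a GKE-specific one, "setting up GKE Workload Identity" no longer describes both links accurately.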