This allows an Azure AKS client to access GCP resources without the use of plain-text API keys, which are considered a security risk.
Workload Identity Federation requires configuration on both Azure and GCP.
To configure GCP to run the gcloud scripts, see the GCloud FAQ.
For the GCloud WIF helper scripts and documentation, see GCloud scripts and Documentation.
The required resources are added per namespace. Add namespaces to the `gcp_wif_namespaces` variable list to enable WIF. This creates a service account in the namespace, linked to a managed identity with specific federated credentials.
To enable the feature for an application in the namespace:
- Set `enable_gcp_wif = true`
- Download the Google credentials from the connected service account
- Set the `GOOGLE_CLOUD_CREDENTIALS` environment variable from key vault
- For the dfe-analytics Ruby gem, set `config.azure_federated_auth = true`
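As an added example (not code from this documentation or from the dfe-analytics gem), a Ruby start-up check that confirms the value of `GOOGLE_CLOUD_CREDENTIALS` is a federated `external_account` credential and not a plain-text service account key. The audience format, the STS token URL and the projected Azure token file path are assumptions about the pool, provider and mount path in use; both sample credentials are constructed.

```ruby
require 'json'

# Audience format of a GCP Workload Identity Federation pool provider (assumed shape).
WIF_AUDIENCE = %r{\A//iam\.googleapis\.com/projects/\d+/locations/global/workloadIdentityPools/[^/]+/providers/[^/]+\z}

# Inspect the credential JSON carried by GOOGLE_CLOUD_CREDENTIALS and return a list
# of problems. An empty list means it is a federated credential, not a long-lived key.
def check_gcp_credentials(json_text)
  cred = JSON.parse(json_text)
  return ['credential JSON must be an object'] unless cred.is_a?(Hash)

  problems = []
  problems << 'type must be external_account' unless cred['type'] == 'external_account'
  problems << 'private_key present: this is a plain-text service account key' if cred.key?('private_key')
  problems << 'audience is not a WIF pool provider' unless WIF_AUDIENCE.match?(cred['audience'].to_s)
  problems << 'subject_token_type must be urn:ietf:params:oauth:token-type:jwt' unless cred['subject_token_type'] == 'urn:ietf:params:oauth:token-type:jwt'
  problems << 'token_url must be the Google STS endpoint over https' unless cred['token_url'] == 'https://sts.googleapis.com/v1/token'
  src = cred['credential_source'].is_a?(Hash) ? cred['credential_source'] : {}
  # Assumption: the Azure workload identity token is projected into the pod as a file.
  problems << 'credential_source.file missing (expected projected Azure token file)' unless src['file'].is_a?(String) && !src['file'].empty?
  problems
rescue JSON::ParserError => e
  ["GOOGLE_CLOUD_CREDENTIALS is not valid JSON: #{e.message}"]
end

# Constructed sample: a federated credential of the kind WIF produces (placeholder ids).
FEDERATED_SAMPLE = JSON.generate(
  'type' => 'external_account',
  'audience' => '//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/example-pool/providers/example-azure-provider',
  'subject_token_type' => 'urn:ietf:params:oauth:token-type:jwt',
  'token_url' => 'https://sts.googleapis.com/v1/token',
  'credential_source' => { 'file' => '/var/run/secrets/azure/tokens/azure-identity-token' }
)

# Constructed sample: a plain-text service account key, which WIF is meant to replace.
KEY_SAMPLE = JSON.generate(
  'type' => 'service_account',
  'client_email' => 'example@example-project.iam.gserviceaccount.com',
  'private_key' => '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n'
)

if __FILE__ == $PROGRAM_NAME
  # Fail fast at start-up if the injected credential is not a federated one.
  problems = check_gcp_credentials(ENV.fetch('GOOGLE_CLOUD_CREDENTIALS', FEDERATED_SAMPLE))
  abort(problems.join("\n")) unless problems.empty?
  puts 'credential is a federated external_account credential'
end
```

Run it once with the real `GOOGLE_CLOUD_CREDENTIALS` set to see which fields the downloaded credential file actually carries before relying on the check in a pod.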