I've built a Google Kubernetes Engine (GKE) cluster in a GCP project.
According to the different use cases of the applications running on the cluster, I associated the applications with different service accounts, each with different granted permissions. To do so, I bound a Google Service Account (GSA) to the Kubernetes Cluster Service Account (KSA) as follows:
```
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" \
  GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
```

```
kubectl annotate serviceaccount \
  --namespace K8S_NAMESPACE \
  KSA_NAME \
  iam.gke.io/gcp-service-account=GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
```
Everything I have explained works normally.
Currently, there are many GKE clusters in different projects. Furthermore, the service accounts assigned to the applications are supposed to be created in the same project that hosts the GKE clusters. I am planning to centralise the GSAs for the KSAs into one GCP project.
Would it be possible to build a GKE cluster in a project and create a GSA for an application running on the GKE cluster in another project?
If so, what roles do I have to grant the GSA associated with the GKE cluster in order to access the GSAs in the other project and bind them with the KSA?
Note: This thread is only about the Google Service Account (GSA) associated with the application running on a GKE cluster, not about the Google Service Account (GSA) associated with the GKE cluster itself.

And how do I bind a Google Service Account (GSA) in one GCP project with a Kubernetes Cluster Service Account (KSA) in a GKE cluster in another GCP project?
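As an added example that is not part of the question or of any answer: a shell script that performs the same two-step binding when the GSA lives in a different project from the cluster, plus a check that both halves of the binding are in place. The function and variable names and the DRY_RUN switch are my own assumptions; it assumes an authenticated gcloud and a kubectl context already pointing at the cluster.

```shell
#!/bin/sh
# Added example, not the poster's commands. Variable names are assumptions.
# Binds a GSA that lives in GSA_PROJECT to a KSA in a GKE cluster in CLUSTER_PROJECT.
# Set DRY_RUN=1 to print the commands instead of executing them.
set -eu

# The Workload Identity member always names the CLUSTER project's pool
# (CLUSTER_PROJECT.svc.id.goog), regardless of which project owns the GSA.
wi_member() {  # $1=cluster_project $2=namespace $3=ksa_name
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

gsa_email() {  # $1=gsa_name $2=gsa_project
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

wi_bind() {  # $1=cluster_project $2=gsa_project $3=namespace $4=ksa_name $5=gsa_name
  member=$(wi_member "$1" "$3" "$4")
  gsa=$(gsa_email "$5" "$2")
  # The binding is an IAM policy on the GSA resource itself, so it is applied in
  # the GSA's project and only on this one GSA (no project-wide role is needed).
  # The caller needs iam.serviceAccounts.setIamPolicy on that GSA, which
  # roles/iam.serviceAccountAdmin grants (scope it to the GSA, not the project).
  run gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --project "$2" --role roles/iam.workloadIdentityUser --member "$member"
  # The annotation lives on the KSA inside the cluster, so kubectl applies it.
  run kubectl annotate serviceaccount "$4" --namespace "$3" --overwrite \
    "iam.gke.io/gcp-service-account=$gsa"
}

wi_verify() {  # same arguments as wi_bind; checks both halves of the binding
  member=$(wi_member "$1" "$3" "$4")
  gsa=$(gsa_email "$5" "$2")
  gcloud iam service-accounts get-iam-policy "$gsa" --project "$2" --format=json \
    | grep -F "\"$member\"" >/dev/null || { echo "missing IAM binding on $gsa"; return 1; }
  annotated=$(kubectl get serviceaccount "$4" -n "$3" \
    -o jsonpath='{.metadata.annotations.iam\.gke\.io/gcp-service-account}')
  [ "$annotated" = "$gsa" ] || { echo "KSA $3/$4 not annotated with $gsa"; return 1; }
  echo "OK: $3/$4 -> $gsa"
}

# Usage: ./wi_bind.sh CLUSTER_PROJECT GSA_PROJECT NAMESPACE KSA_NAME GSA_NAME
if [ "$#" -ge 5 ]; then wi_bind "$@"; wi_verify "$@"; fi
```

The verify step is also a cheap audit you can run periodically: a GSA whose policy carries workloadIdentityUser members from pools you did not expect is worth investigating.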