logical-backup: a way to access gcs bucket using gke workload identity #2836

Open
@ggramal

Description

Please answer some short questions which should help us to understand your problem / question better.

  • Which image of the operator are you using? e.g. ghcr.io/zalando/postgres-operator:v1.14.0
  • Where do you run it - cloud or metal? Kubernetes or OpenShift? GKE
  • Are you running Postgres Operator in production? yes
  • Type of issue? feature request

GKE has a feature called Workload Identity, which is the recommended way for workloads running on GKE to access Google Cloud services in a secure and manageable way. Basically it connects Kubernetes service accounts with GCP service accounts through the metadata server (169.254.169.254:80). The metadata server is a well-known address used by all SDKs for authentication (including gsutil).

Benefits:

  • no need to maintain (store/rotate) service account keys
  • enhanced security because metadata tokens have a TTL

Possible solution:

  • update the dump.sh script so that it checks whether the LOGICAL_BACKUP_GOOGLE_APPLICATION_CREDENTIALS env var is set
  • use the gsutil option -o GoogleCompute:service_account=default

I can probably make a PR for this.
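The branching the two bullet points above describe, written out as an added example (this is not the operator's dump.sh and not a submitted PR). It assumes the existing key-file path authenticates gsutil with the boto option Credentials:gs_service_key_file pointing at the JSON key named by LOGICAL_BACKUP_GOOGLE_APPLICATION_CREDENTIALS, and that the GCS object layout reuses LOGICAL_BACKUP_S3_BUCKET, SCOPE and LOGICAL_BACKUP_S3_BUCKET_SCOPE_SUFFIX; the helper names (gsutil_auth_opts, auth_mode, check_metadata_identity, backup_path, gcs_upload), the GSUTIL override and the METADATA_URL variable are this example's own. The two -o options are real boto config keys; the preflight curl against the metadata server's default service-account endpoint is added so a missing Workload Identity binding fails before a large dump is streamed rather than after it.

```shell
#!/usr/bin/env bash
# Added example, not the operator's dump.sh: select the gsutil credential
# source at run time. Assumed: key-file mode reads a mounted JSON key from
# LOGICAL_BACKUP_GOOGLE_APPLICATION_CREDENTIALS; the GCS destination reuses
# LOGICAL_BACKUP_S3_BUCKET / SCOPE / LOGICAL_BACKUP_S3_BUCKET_SCOPE_SUFFIX.

# Hypothetical override so the preflight can be pointed elsewhere in tests.
METADATA_URL="${METADATA_URL:-http://169.254.169.254}"

# Which mode the environment selects: "keyfile" or "metadata".
auth_mode() {
    if [ -n "${LOGICAL_BACKUP_GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
        echo keyfile
    else
        echo metadata
    fi
}

# Echo the gsutil -o option for the selected credential source (one line,
# space separated; the key path is assumed to contain no whitespace).
gsutil_auth_opts() {
    if [ "$(auth_mode)" = keyfile ]; then
        # Key-file mode: a long-lived service account key mounted in the pod.
        echo "-o Credentials:gs_service_key_file=${LOGICAL_BACKUP_GOOGLE_APPLICATION_CREDENTIALS}"
    else
        # Metadata-server mode: boto fetches a short-lived access token for the
        # pod's default service account from the metadata server. On GKE with
        # Workload Identity that is the GSA bound to the pod's KSA, so there is
        # no key to store or rotate.
        echo "-o GoogleCompute:service_account=default"
    fi
}

# Preflight for metadata mode: confirm a default service account is actually
# exposed to this pod. Prints the GSA e-mail on success, fails otherwise.
check_metadata_identity() {
    curl -sSf -H 'Metadata-Flavor: Google' \
        "${METADATA_URL}/computeMetadata/v1/instance/service-accounts/default/email"
}

# Destination object name, following the assumed dump.sh layout.
backup_path() {
    echo "gs://${LOGICAL_BACKUP_S3_BUCKET:-}/spilo/${SCOPE:-}${LOGICAL_BACKUP_S3_BUCKET_SCOPE_SUFFIX:-}/logical_backups/$(date +%s).sql.gz"
}

# Stream stdin to GCS with whichever credential source applies.
gcs_upload() {
    if [ "$(auth_mode)" = metadata ]; then
        check_metadata_identity >/dev/null || {
            echo "metadata server exposes no default service account; is Workload Identity bound to this pod's KSA?" >&2
            return 1
        }
    fi
    # shellcheck disable=SC2046 -- the option string is intentionally word-split
    "${GSUTIL:-gsutil}" $(gsutil_auth_opts) cp - "$(backup_path)"
}

# Only perform the real dump when explicitly asked, so sourcing this file for
# the helper functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    pg_dumpall | gzip | gcs_upload
fi
```

For the metadata path to work on GKE, the pod's Kubernetes service account must carry the iam.gke.io/gcp-service-account annotation naming the GSA, and that GSA must grant the KSA roles/iam.workloadIdentityUser; with neither in place the preflight above fails with an HTTP error from the metadata server instead of gsutil failing mid-upload. Setting GSUTIL=echo is a convenient dry run that prints the exact command line without touching the bucket.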
