I'm connecting to an AlloyDB cluster from an autopilot GKE cluster. I'm deploying 2 containers (same pod), 1) the AlloyDB Auth Proxy in container form (gcr.io/alloydb-connectors/alloydb-auth-proxy:latest), 2) my app that's connecting to the proxy to connect to the AlloyDB cluster.
I'm getting a 403 no alloydb.instances.get permission error. I've not specified any service accounts to the GKE cluster or deployment so it must be using whatever's the default. I've checked and added the AlloyDB Admin role to literally every service account in my IAM, but it's still throwing 403 for me.
So I'm guessing that GKE is not using any of the service accounts available in IAM. It must be using something else and/or not using IAM service accounts? How can I grant my services in GKE permission to access other Google services? In this case AlloyDB.
According to AlloyDB, the sequence of steps taken to find a credential includes using the default service account.
By default, your GKE clusters use the Compute Engine default service account. That makes sense because your nodes in the cluster are "simple" Compute Engine instances.
With Autopilot, it's the same. It's recommended to use your own service account when you create the cluster.
However, having the same identity, even with a custom service account, is not ideal, and enforcing the least privilege principle is a better option. I recommend using Workload Identity Federation with all your workloads on GKE (autopilot or not) to customize the service account used for each workload.
That way you will totally control the service account used and you will be able to grant the correct permission to the dedicated service account.
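As an added example (not from the answer above or from the AlloyDB project), here is what the recommended setup looks like as a manifest: a Kubernetes service account mapped through Workload Identity to a dedicated Google service account that holds only `roles/alloydb.client`, used by the pod running the auth proxy sidecar and the app. `PROJECT_ID`, `REGION`, `CLUSTER`, `INSTANCE`, the service account names and the app image are placeholders, and it assumes Workload Identity is enabled on the Autopilot cluster (the default).

```yaml
# Kubernetes service account (KSA) the pod runs as. The annotation is what
# Workload Identity uses to map it to the dedicated Google service account (GSA).
# Placeholders: PROJECT_ID, REGION, CLUSTER, INSTANCE, alloydb-proxy-sa, my-app.
#
# IAM side, done once with gcloud (not part of this manifest):
#   gcloud iam service-accounts create alloydb-proxy-sa
#   gcloud projects add-iam-policy-binding PROJECT_ID \
#     --member "serviceAccount:alloydb-proxy-sa@PROJECT_ID.iam.gserviceaccount.com" \
#     --role roles/alloydb.client
#   gcloud iam service-accounts add-iam-policy-binding \
#     alloydb-proxy-sa@PROJECT_ID.iam.gserviceaccount.com \
#     --role roles/iam.workloadIdentityUser \
#     --member "serviceAccount:PROJECT_ID.svc.id.goog[default/alloydb-app]"
apiVersion: v1
kind: ServiceAccount
metadata:
  name: alloydb-app
  namespace: default
  annotations:
    iam.gke.io/gcp-service-account: alloydb-proxy-sa@PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: alloydb-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels: {app: alloydb-app}
  template:
    metadata:
      labels: {app: alloydb-app}
    spec:
      # With this set, the proxy gets the GSA's credentials instead of the
      # node's Compute Engine default service account.
      serviceAccountName: alloydb-app
      containers:
      - name: alloydb-auth-proxy
        image: gcr.io/alloydb-connectors/alloydb-auth-proxy:latest
        args:
        - "projects/PROJECT_ID/locations/REGION/clusters/CLUSTER/instances/INSTANCE"
      - name: app
        image: my-app:latest   # placeholder for the application image
        env:
        - name: DB_HOST
          value: "127.0.0.1"   # the proxy listens on localhost inside the pod
        - name: DB_PORT
          value: "5432"
```

If the 403 persists after applying this, `kubectl describe pod` and the proxy container logs show which identity the proxy actually obtained, which is the quickest way to tell whether the KSA-to-GSA binding took effect.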