With GKE's Config Connector, create a service account and import its key into Kubernetes

89 views

I'm trying to use GKE's Config Connector to create a service account (easy) and to create a service account key (also easy). However, is there a way to also get that service account key imported into the cluster as a Kubernetes secret?

It feels like a perfectly IaC setup with some decent privacy regarding the key. Declare the service account, declare the service account key, declare that the service account key is stored in this cluster's namespace as this secret with this name. The actual service account key is never exposed to any users.

However, I can't seem to find an OOTB way with Config Connector. Is this something anybody else has looked at?

Thank you

1

There is 1 answer

2
Mac

Well, using ACM's Config Connector, you could certainly configure a K8s Secret using your SA key.

The other alternative may be to use Workload Identity and associate a namespace with a service account.

Both of these options will give your workloads the ability to use the permissions granted via the service account.

Will either of these meet your requirements? If so, please mark this as an answer. Thanks!
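The Workload Identity route from the answer above, written out as Config Connector manifests. This is an added example, not code from the question, the answerer, or the Config Connector project; the project ID `my-project`, the namespace `payments`, the service account name `payments-app` and the `roles/storage.objectViewer` grant are all assumptions chosen for illustration. It declares the Google service account, lets the Kubernetes service account `payments/payments-app` impersonate it, grants the Google service account its permissions, and links the two with the `iam.gke.io/gcp-service-account` annotation, so no long-lived key is ever issued or stored in the cluster.

```yaml
# Added example (not from the original post or the Config Connector project).
# Assumed names: project "my-project", namespace "payments",
# Kubernetes ServiceAccount "payments-app",
# Google service account payments-app@my-project.iam.gserviceaccount.com.

# 1. The Google service account, managed by Config Connector.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: payments-app
  namespace: payments
spec:
  displayName: payments-app workload identity
---
# 2. Allow the Kubernetes SA payments/payments-app to act as the Google SA.
#    The member string is the Workload Identity pool form
#    serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME].
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: payments-app-workload-identity
  namespace: payments
spec:
  member: serviceAccount:my-project.svc.id.goog[payments/payments-app]
  role: roles/iam.workloadIdentityUser
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: payments-app
---
# 3. Grant the Google SA only what the workload needs (assumed: read objects
#    in this project's buckets). memberFrom references the IAMServiceAccount
#    declared above instead of repeating its email.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: payments-app-storage-viewer
  namespace: payments
spec:
  memberFrom:
    serviceAccountRef:
      name: payments-app
  role: roles/storage.objectViewer
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/my-project
---
# 4. The Kubernetes ServiceAccount the pods run as; the annotation tells the
#    GKE metadata server which Google SA to mint tokens for.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-app
  namespace: payments
  annotations:
    iam.gke.io/gcp-service-account: payments-app@my-project.iam.gserviceaccount.com
```

Workload Identity has to be enabled on the cluster and its node pools, and the pod spec must set `serviceAccountName: payments-app`; pods that omit it fall back to the default Kubernetes service account and get no Google credentials. Compared with the key-in-a-Secret option from the answer, nothing here is a secret: if the Kubernetes service account is deleted, the IAM binding is the only thing to revoke, and there is no key file to rotate or to leak through `kubectl get secret`.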