I have a google kubernetes service running. I configured the deployment with a service account. This setup seems to work since I managed to connect to the google storage. However I would also like to access an AWS service for which I want to use an identity token which I can then use to access the AWS service.
However when I try to run from my pod the following command it returns a 404 not found:
wget -q -O - --header 'Metadata-Flavor:Google' 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=test&format=full&licences=TRUE'
This is what is described in the documentation so I don't see the problem. https://cloud.google.com/compute/docs/instances/verifying-instance-identity
Maybe the service account that I setup lacks certain rights? Although in that case I would expect a 401 or 403 Also my cluster is setup with Autopilot and according to the documentation Workload Identity Federation is then enabled by default. https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
It seems that I was indeed lacking some roles as well as invoking the wget incorrectly. I didn't get it to work with wget but curl did seem to work. I had to invoke:
kubectl annotate serviceaccount [SERVICE_ACCOUNT] --namespace [NAMESPACE] iam.gke.io/gcp-service-account=[GSA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
After that I got an exception saying:
Failed to generate identity token; IAM returned 403 Forbidden: Permission 'iam.serviceAccounts.getOpenIdToken' denied on resource (or it may not exist).
and I just had to add 'Workload Identity User' role to my service account.