Workload Identity Federation for GKE using the GitLab chart


The default configuration for external object storage in the charts uses static secret keys. Workload Identity Federation for GKE instead lets the Kubernetes cluster reach object storage with short-lived tokens obtained from the GKE metadata server, so no long-lived key has to be stored in the cluster. If you have an existing GKE cluster, read the Google documentation on how to update the node pool to use Workload Identity Federation.


Ensure that the Kubernetes ServiceAccount used by the GitLab pods is linked to the IAM service account via the `iam.gke.io/gcp-service-account` annotation, and that the IAM service account has been granted the Workload Identity User role for that Kubernetes ServiceAccount.

You can check whether Workload Identity is configured properly by querying the metadata endpoint from inside the toolbox pod. The IAM service account bound to the pod's Kubernetes ServiceAccount should be returned; if the node's default Compute Engine service account comes back instead, the pod is still using the node identity and the binding is not in effect:

$ curl -H "Metadata-Flavor: Google"

The token issued for this account should also carry the following scopes:

$ curl -H "Metadata-Flavor: Google"
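The two metadata queries above are easy to run but easy to misread, so here is an added example (not from the GitLab chart documentation) that turns them into an offline check: it reads the ServiceAccount manifest, compares the annotated IAM service account with the email the metadata server reported, and confirms that at least one object-storage scope is present. The manifests and responses are constructed sample data; the `iam.gke.io/gcp-service-account` annotation key and the response shapes of the `.../service-accounts/default/email` and `.../default/scopes` endpoints are assumed from GKE's documented behaviour, and the set of scopes treated as sufficient for Google Cloud Storage is an assumption, since the page does not list them.

```python
import json
import re
from typing import List, Optional

# GKE Workload Identity annotation key on the Kubernetes ServiceAccount.
WI_ANNOTATION = "iam.gke.io/gcp-service-account"

# User-managed IAM service accounts look like <name>@<project>.iam.gserviceaccount.com.
# The node's Compute Engine default SA does not match this, which is the usual
# sign that a pod is still using the node identity instead of the bound GSA.
GSA_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com$")

# Assumption: any one of these standard GCS OAuth scopes is enough for the
# chart's object storage access. The page itself does not list the scopes.
STORAGE_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
}


def bound_gsa(ksa_manifest_json: str) -> Optional[str]:
    """Return the IAM service account the KSA is annotated with, or None."""
    sa = json.loads(ksa_manifest_json)
    return sa.get("metadata", {}).get("annotations", {}).get(WI_ANNOTATION)


def check_identity(ksa_manifest_json: str, email_response: str,
                   scopes_response: str) -> List[str]:
    """Cross-check the KSA annotation against the metadata server's answers.

    email_response and scopes_response are the response bodies of the
    default/email and default/scopes metadata endpoints (constructed here;
    in practice captured with curl inside the toolbox pod).
    Returns a list of findings; an empty list means the binding looks right.
    """
    findings = []
    gsa = bound_gsa(ksa_manifest_json)
    email = email_response.strip()
    scopes = {s.strip() for s in scopes_response.splitlines() if s.strip()}

    if gsa is None:
        findings.append(f"ServiceAccount lacks the {WI_ANNOTATION} annotation")
    elif not GSA_EMAIL.match(gsa):
        findings.append(f"annotation value {gsa!r} is not an IAM service account email")

    if not GSA_EMAIL.match(email):
        findings.append(f"metadata server returned {email!r}: pod is using the "
                        "node identity, not a bound IAM service account")
    elif gsa is not None and email != gsa:
        findings.append(f"metadata server returned {email!r} but the annotation names {gsa!r}")

    if not scopes & STORAGE_SCOPES:
        granted = ", ".join(sorted(scopes)) or "none"
        findings.append(f"no object-storage scope granted (scopes: {granted})")
    return findings


# Constructed sample inputs; nothing here was captured from a real cluster.
KSA_LINKED = json.dumps({
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "gitlab", "namespace": "gitlab",
                 "annotations": {WI_ANNOTATION:
                                 "gitlab-storage@example-project.iam.gserviceaccount.com"}},
})
KSA_UNLINKED = json.dumps({
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "gitlab", "namespace": "gitlab"},
})
GOOD_EMAIL = "gitlab-storage@example-project.iam.gserviceaccount.com\n"
NODE_EMAIL = "123456789012-compute@developer.gserviceaccount.com\n"
GOOD_SCOPES = "https://www.googleapis.com/auth/cloud-platform\n"
LOGGING_ONLY = ("https://www.googleapis.com/auth/logging.write\n"
                "https://www.googleapis.com/auth/monitoring\n")

if __name__ == "__main__":
    cases = {
        "linked KSA, bound GSA, storage scope": (KSA_LINKED, GOOD_EMAIL, GOOD_SCOPES),
        "linked KSA but node identity in pod": (KSA_LINKED, NODE_EMAIL, GOOD_SCOPES),
        "unlinked KSA, node identity, no storage scope": (KSA_UNLINKED, NODE_EMAIL, LOGGING_ONLY),
    }
    for label, args in cases.items():
        print(f"{label}: {check_identity(*args) or 'OK'}")
```

In practice you would feed `check_identity` the output of `kubectl get serviceaccount -n <namespace> <name> -o json` and the two curl responses from the toolbox pod. The middle case is the one that bites most often: the annotation is present, but the pod was scheduled on a node pool that does not yet run the GKE metadata server, so the metadata endpoint still hands out the node's default service account.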