Add GKE workload identity federation as credentials for fetching secrets

[mhouthuijzen1977]

Hi,

We are running Apisix workloads in a GKE cluster. We want to provision secrets in GCP Secret Manager which can be fetched by the Service Account credentials mounted in the Apisix gateway pod through Workload Identity Federation mechanism of GKE.

We don't want to provision Service Account credentials (private keys) through YAML config or the Admin API because handling and downloading the SA key files is a security vulnerability and is a pattern that is discouraged by GCP themself.

Is this something that you see as a future enhancement? Or is this a no-go?

Greetz Maikel

[Baoyuantop]

We support creating GCP Secrets Manager https://apisix.apache.org/docs/apisix/terminology/secret/#use-gcp-secrets-manager-to-manage-secrets, does this feature meet your needs?

[mhouthuijzen1977]

Yeah definitely, but only partially. Supplying the credentials for fetching those secrets from GCP Secret Manager is done through supplying the private key (JSON key file of the SA) in the YAML or through the Admin API. Provisioning SA credentials with the JSON key files is considered as a security mal practice.

While we are running on Apisix on GKE it is possible (through Workload Identity Federation) to obtain the SA credentials of the workload/pod (where Apisix gateway is running in) by fetching it from google internal metadata server:

GET http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
Header: Metadata-Flavor: Google

This credential (GCP Service Account) can be used to fetch the secrets from GCP Secret Manager if the SA has the correct IAM privileges ofcourse.

So yes, Apisix already has the functionality to work with GCP secrets, only the way the credentials are provisioned would differ from how it's currently implemented. So instead of provisioning the whole identity (private key, client_email, project_id), it is only needed to provide the correct project id where the secrets reside in.

I hope i explained it well enough....

[Baoyuantop]

Not currently supported, PRs are welcome.