Reputation: 15129
According to "Finding credentials automatically" from Google Cloud:
...ADC (Application Default Credentials) is able to implicitly find the credentials as long as the GOOGLE_APPLICATION_CREDENTIALS environment variable is set, or as long as the application is running on Compute Engine, GKE, App Engine, or Cloud Functions.
Do I understand correctly that GOOGLE_APPLICATION_CREDENTIALS does not need to be present if I want to call Google Cloud APIs in the current Google Cloud project?
Let's say I'm in a container in a pod, what can I do from within a container to test that calling Google Cloud APIs just work™?
Upvotes: 0
Views: 573
Reputation: 54181
Check out https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity for how to set up permissions for your pods. You have to do some mapping so Google knows which pods get which perks, but after that it’s auto-magic as you mentioned. Otherwise calls will use the node-level Google permissions, which are generally minimal.
Upvotes: 3
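One way to run the check the question asks for from inside the pod, added here as an example and not part of either post: it covers the two credential sources named in the quoted documentation (the environment variable, then the metadata server) and reports which identity the pod actually gets. The function names and the `kind` labels are assumptions of this example; the metadata endpoint and the `Metadata-Flavor` header are the documented ones.

```python
import json
import os
import urllib.request

# Documented metadata-server path for the service account attached to the workload.
METADATA = ("http://metadata.google.internal/computeMetadata/v1/"
            "instance/service-accounts/default/")

def fetch_metadata(key, timeout=2):
    """GET one key; the server rejects requests without the Metadata-Flavor header."""
    req = urllib.request.Request(METADATA + key,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def classify(email):
    """Heuristic label (an assumption of this example) for the reported identity."""
    if email.endswith("-compute@developer.gserviceaccount.com"):
        return "compute-default"         # Compute Engine default SA: node-level identity
    if email.endswith(".svc.id.goog"):
        return "workload-identity-pool"  # Workload Identity on, no Google SA mapped
    return "service-account"             # a specific SA, mapped to the pod or set on the node

def adc_report(env=os.environ, fetch=fetch_metadata):
    """Report where credentials would come from, without ever printing a token."""
    report = {"source": "none", "email": None, "kind": None,
              "scopes": [], "token_ok": False}
    key_file = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_file:
        # The environment variable takes precedence over the attached service account.
        report["source"] = "env:" + key_file
        return report
    try:
        report["email"] = fetch("email").strip()
        report["kind"] = classify(report["email"])
        report["scopes"] = fetch("scopes").split()
        token = json.loads(fetch("token"))
        report["token_ok"] = bool(token.get("access_token")) and token.get("expires_in", 0) > 0
        report["source"] = "metadata-server"
    except (OSError, ValueError) as exc:
        report["error"] = str(exc)  # metadata server unreachable or malformed response
    return report

if __name__ == "__main__":
    print(json.dumps(adc_report(), indent=2))
```

A `compute-default` result means API calls from the pod run with the node-level identity the answer mentions, so every pod on that node shares it; a mapped service account shows up as `service-account` with its own email.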