Accept Google Application Default Credentials

[rubensf]

Currently, the only way to authenticate is exporting a service account key. GKE can work with identity federation, bypassing the need to export risky Service Account credentials.

We could enhance this example to also accept that, for simplicity. This can be easily achieved with a couple steps:

1. Add some terraform code for WIF here

resource "google_service_account_iam_binding" "k8s_bindings" {
  project.           = var.project_id
  service_account_id = ${var.name}"
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "serviceAccount:${var.project_id}.svc.id.goog[${var.k8s_namespace}/${var.name}]",
  ]
}

2. Add a K8S service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: falco-k8s-audit
  namespace: falco
  annotations:
    iam.gke.io/gcp-service-account: falco-k8s-audit@${project}.iam.gserviceaccount.com

3. Use it in the deployment

spec:
      serviceAccountName: falco-k8s-audit

4. Change the code here to use the google-auth-library (guide here)

  const auth = new GoogleAuth({
    scopes: 'https://www.googleapis.com/auth/cloud-platform'
  });
  const client = await auth.getClient();
  const projectId = await auth.getProjectId();