Remote cluster with Workload Identity configured with IAM Policy to the KSA, not working #20368
Open
Labels: bug (Something isn't working), component:auth, component:multi-cluster (Features related to clusters management)
Describe the bug
I'm not sure if this is a bug or a feature request.
I have configured ArgoCD (running in GKE) with an external GKE cluster located in a different GCP Project. Following the official documentation to use Workload Identity with ArgoCD, creating the GCP IAM Service Account and adding the annotation to the KSA, it does work.
I tried using the new approach from Google, where, instead of requiring a GCP IAM Service Account and the annotation in the KSA, you can just assign GCP IAM Roles directly to the KSA, referencing it from GCP IAM policies like:
But this does not work. When trying, I just get the error from the argocd-application-controller:
Maybe the argocd-k8s-auth just needs to use a newer version of the GCP SDK, it requires a different configuration, or it is something harder.
To Reproduce
Enable GKE Workload Identity, and from a different GCP Project, assign the role for ArgoCD to manage a GKE cluster in that GCP Project:
Then configure your remote GKE cluster with the following K8s manifest in the GKE cluster where ArgoCD is deployed:
Expected behavior
I would expect ArgoCD to authenticate correctly.
Version