Enabling Workload Identity Federation on AKS and EKS
This topic explains how to enable Workload Identity Federation for Apigee hybrid installations onAKS andEKS platforms.
For installations onGKE, follow the instructions inEnabling Workload Identity on GKE.
Overview
Workload identity federation lets applications running outside Google Cloud impersonate a Google Cloud Platform service account by using credentials from an external identity provider.
Using workload identity federation can help you improve security by letting applications use the authentication mechanisms that the external environment provides and can helpreplace service account keys.
For an overview, seeBest practices for using Workload Identity Federation.
Note: Theapigee-logger component does not support Workload Identity Federation. See theknown issue.Set up Workload Identity Federation
To use Workload Identity Federation with Apigee hybrid, first configure your cluster and then apply the feature to your Apigee hybrid installation.
Before you begin
These instructions assume you have already set up your Apigee hybrid installation. The IAM service accounts and Kubernetes service accounts are created during initial installation. SeeThe Big Picture for an overview of installing Apigee hybrid.
For installations onAKS, Make sure you have enabled theOpenID Connect (OIDC) issuer. You must enable this feature so that Workload Identity Federation can access the OpenID Connect metadata and the JSON Web Key Set (JWKS) for the cluster.
Note: If the cluster gets deleted for any reason, the IAM provider will need to be recreated.Configure your cluster to use Workload Identity Federation.
- Check that the current
gcloudconfiguration is set to your Google Cloud project ID with the following command:gcloud config get project
- Enable the Security Token Service API:
Check that the Security Token Service API is enabled with the following command:
gcloud services list --enabled --projectPROJECT_ID | grep sts.googleapis.com
If the API is not enabled:
Console
Enable the Security Token Service API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission.Learn how to grant roles.Command line
Enable the API with the following command:
gcloud services enable sts.googleapis.com --projectPROJECT_ID
- Create the workload identity pool and provider.
Required roles
To get the permissions that you need to configure Workload Identity Federation, ask your administrator to grant you the following IAM roles on the project:
- Workload Identity Pool Admin (
roles/iam.workloadIdentityPoolAdmin) - Service Account Admin (
roles/iam.serviceAccountAdmin)
For more information about granting roles, seeManage access to projects, folders, and organizations.
You might also be able to get the required permissions throughcustom roles or otherpredefined roles.
Alternatively, the IAM Owner (roles/owner) basic role also includes permissions to configure identity federation. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.To create a workload identity pool and provider, do the following:
- Determine the issuer URL of your AKS cluster:
AKS
az aks show -nNAME -gRESOURCE_GROUP --query "oidcIssuerProfile.issuerUrl" -otsv
Replace the following:
NAME: The name of the cluster.RESOURCE_GROUP: The resource group of the cluster.
The command outputs the issuer URL. You will need the issuer URL in one of the following steps.
If the command doesn't return an issuer URL, verify that you've enabled theOIDC issuer feature.
EKS
aws eks describe-cluster --nameNAME --query "cluster.identity.oidc.issuer" --output text
Replace
NAMEwith the name of the cluster.The command outputs the issuer URL. You need the issuer URL in one of the following steps.
Other Kubernetes
- Connect to your Kubernetes cluster and use `kubectl` to determine your cluster's issuer URL:
kubectl get --raw /.well-known/openid-configuration | jq -r .issuer
You need the issuer URL in one of the following steps.
- Optional: If your OIDC issuer is not publicly accessible, download the cluster's JSON Web Key Set (JWKS):Note: This step requires kubectl access to your cluster.Tip: When using the JWKS file, you will need to upload a new JWKS file whenever you rotate the signing keys for the cluster.
kubectl get --raw /openid/v1/jwks > cluster-jwks.json
To check if your OIDC provider is publicly available, you should be able to access your provider URL with a CURL command and receive a 200 response.
- Create a new workload identity pool:
gcloud iam workload-identity-pools createPOOL_ID \ --location="global" \ --description="DESCRIPTION" \ --display-name="DISPLAY_NAME"
Replace the following:
POOL_ID: The unique ID for the pool.DISPLAY_NAME: (Optional) The name of the pool.DESCRIPTION: (Optional) A description of the pool that you choose. This description appears when you grant access to pool identities.
For example:
gcloudiamworkload-identity-poolscreatemy-wi-pool--display-name="My workload pool"--description="My workload pool description" - Add the cluster as a workload identity pool provider. Choose the command to create the provider depending on whether your OIDC issuer ispublicly accessible ornot publicly accessible:
Publicly accessible
If your OIDC issuer is publicly accessible, create the provider with the following command:
gcloud iam workload-identity-pools providers create-oidcWORKLOAD_PROVIDER_ID \ --location="global" \ --workload-identity-pool="POOL_ID" \ --issuer-uri="ISSUER" \ --attribute-mapping="google.subject=assertion.sub"
Not publicly accessible
If your OIDC issuer is not publicly accessible, create the provider with the following command:
gcloud iam workload-identity-pools providers create-oidcWORKLOAD_PROVIDER_ID \ --location="global" \ --workload-identity-pool="POOL_ID" \ --issuer-uri="ISSUER" \ --jwks-file="cluster-jwks.json" \ --attribute-mapping="google.subject=assertion.sub"
The command doesn't validate the cluster's JWKS. If the JWKS is malformed or expired, subsequent authentication attempts might fail with an error message
Error connecting to the given credential's issuer.Replace the following:
WORKLOAD_PROVIDER_ID: A unique workload identity pool provider ID of your choice.POOL_ID: The workload identity pool ID that you created earlier.ISSUER: Use the issuer URL you determined earlier for the issuer URI .
attribute-mapping="google.subject=assertion.sub"maps the Kubernetes subject to the IAM subject.
- Workload Identity Pool Admin (
If needed, set the currentgcloud configuration:
gcloud config set projectPROJECT_ID
Create the credential configuration files
To deploy a Kubernetes workload that can access Google Cloud resources, do the You first need to create a credential configuration file for each IAM service account:
- List theIAM service accounts (also called "Google service accounts") with the following command:
gcloud iam service-accounts list --projectPROJECT_ID
create-service-accounttool. SeeAbout service accounts for a list of IAM service accounts needed by Apigee hybrid. SeeStep 4: Create service accounts for the installation guide procedure to create the IAM service accounts.You will need to create the credential configuration files for the following IAM service accounts:
Prod
For production environments:
DISPLAY NAME EMAIL DISABLEDapigee-cassandra apigee-cassandra@my_project_id.iam.gserviceaccount.com Falseapigee-mart apigee-mart@my_project_id.iam.gserviceaccount.com Falseapigee-metrics apigee-metrics@my_project_id.iam.gserviceaccount.com Falseapigee-runtime apigee-runtime@my_project_id.iam.gserviceaccount.com Falseapigee-synchronizer apigee-synchronizer@my_project_id.iam.gserviceaccount.com Falseapigee-udca apigee-udca@my_project_id.iam.gserviceaccount.com Falseapigee-watcher apigee-watcher@my_project_id.iam.gserviceaccount.com False
If you are usingMonetization for Apigee hybrid onv1.14.3 and later, you will also need to create the credential configuration file for the
apigee-mint-task-schedulerservice account.DISPLAY NAME EMAIL DISABLED...apigee-mint-task-scheduler apigee-mint-task-scheduler@my_project_id.iam.gserviceaccount.com False...
Non-prod
For non-production environments:
DISPLAY NAME EMAIL DISABLEDapigee-non-prod apigee-non-prod@my_project_id.iam.gserviceaccount.com False
Use the following command to check the roles assigned to a service account:
gcloud projects get-iam-policyPROJECT_ID \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="SERVICE_ACCOUNT_NAME"
Note which custom service account corresponds to each IAM SA listed in the previous list.
- Create a credential configuration file for each IAM service account in the previous list. You will need these credential configuration files to configure Apigee hybrid to use Workload Identity Federation:
Code
gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=SERVICE_ACCOUNT_EMAIL \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=SERVICE_ACCOUNT_NAME-credential-configuration.json
Example
gcloud iam workload-identity-pools create-cred-config \ projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider \ --service-account=apigee-cassandra@myhybridporg.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=apigee-cassandra-credential-configuration.json
Where:
PROJECT_NUMBER: The project number of the project containing the workload identity pool. This must be the project number instead of the project ID.POOL_ID: The ID of the workload identity poolWORKLOAD_PROVIDER_ID: The ID of the workload identity pool providerSERVICE_ACCOUNT_EMAIL: Email address of the service account, if you configured your Kubernetes ServiceAccount to use IAM service account impersonation.
credential-source-typemust be set totext.Note: Do not create a credential configuration file for theapigee-loggerservice account.The credential configuration file lets the [Cloud Client Libraries](/apis/docs/cloud-client-libraries), the gcloud CLI, and Terraform determine the following:
- Where to obtain external credentials from
- Which workload identity pool and provider to use
- Which service account to impersonate
Configure Apigee hybrid to use Workload Identity Federation
Tip: You can configure your hybrid installation to use Workload Identity Federation for any or all components. For example UDCA can use Workload Identity Federation while Synchronizer uses Google IAM service accounts or vice versa.- Copy or move each output file (
SERVICE_ACCOUNT_NAME-credential-configuration.json) into the following chart directories (or subdirectories thereof). These were the files you created in theCreate the credential configuration files step.Prod
Service account Apigee Helm chart directory apigee-cassandraapigee-datastore/apigee-martapigee-org/apigee-metricsapigee-telemetry/apigee-mint-task-scheduler
(If usingMonetization for Apigee hybrid)apigee-org/apigee-runtimeapigee-env/apigee-synchronizerapigee-env/apigee-udcaapigee-org/apigee-env/apigee-watcherapigee-org/Non-prod
Service account Apigee Helm chart apigee-non-prodapigee-datastore/apigee-telemetry/apigee-org/apigee-env/ - Make the following global changes to your cluster's overrides file:
Code
gcp: workloadIdentity: enabled:false # must be set to false to use Workload Identity Federation federatedWorkloadIdentity: enabled:true audience: "AUDIENCE" credentialSourceFile: "/var/run/service-account/token"
Example
gcp: workloadIdentity: enabled: false federatedWorkloadIdentity: enabled: true audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider" credentialSourceFile: "/var/run/service-account/token"
gcp.workloadIdentity.enabledgcp.federatedWorkloadIdentity.enabledgcp.federatedWorkloadIdentity.audiencegcp.federatedworkloadIdentity.credentialSourceFile
Where:AUDIENCE is the allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term
audience:. The audience value is the same in each credential configuration file.For example, in the following sample
apigee-udca-credential-configuration.jsonfile:{ "universe_domain": "googleapis.com", "type": "external_account:," "audience": "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider", "subject_token_type": "urn:ietf:params:oauth: token-type:jwt", "token_url": "https://sts.googleapis.com/v1/token", "service "impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/apigee-udca@myhybridproject.iam.gserviceaccount.com:generateAccessToken", "credential_source": { "file": "/var/run/service-account/token", "format": { "type": "text" } }}The audience value is
//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider. - Configure the overrides for each component using Workload Identity Federation. Select the instructions for cert files, Kubernetes secrets, or Vault as appropriate for your installation.
Cert file
Replace the value of
serviceAccountPathwith the credential source file for the corresponding IAM service account. This must be the path relative to the chart directory. For example:envs:- name:ENVIRONMENT_NAME serviceAccountPaths: synchronizer:apigee-synchronizer-credential-configuration.json runtime:apigee-runtime-credential-configuration.json udca:apigee-udca-credential-configuration.jsonmart: serviceAccountPath:apigee-mart-credential-configuration.jsonconnectAgent: serviceAccountPath:apigee-mart-credential-configuration.jsonmetrics: serviceAccountPath:apigee-metrics-credential-configuration.jsonmintTaskScheduler: # Required forMonetization for Apigee hybrid (v1.14.3 and later) serviceAccountPath:apigee-mint-task-scheduler-credential-configuration.jsonudca: serviceAccountPath:apigee-udca-credential-configuration.jsonwatcher: serviceAccountPath:apigee-watcher-credential-configuration.json
K8s Secret
- Create a new Kubernetes secret using the credential source file for each credential configuration file.
kubectl create secret -nAPIGEE_NAMESPACE genericSECRET_NAME --from-file="client_secret.json=CREDENTIAL_CONFIGURATION_FILE"
For example:
kubectl create secret -n apigee generic udca-workoad-identity-secret --from-file="client_secret.json=./apigee-udca-credential-configuration.json"
- Replace the value of
serviceAccountRefwith the new secret. For example:udca: serviceAccountRef: udca-workoad-identity-secret
Vault
Update the service account key,
SAKEYfor each service account in Vault with the corresponding credential source file. The procedure is similar for all components. For example, for UDCA:SAKEY=$(cat .apigee-udca-credential-configuration.json); kubectl -nAPIGEE_NAMESPACE exec vault-0 -- vault kv patch secret/apigee/orgsakeys udca="$SAKEY"
See
Storing service account keys in Hashicorp Vaultfor more information. - Create a new Kubernetes secret using the credential source file for each credential configuration file.
- Apply the changes to each affected component with the
helm upgradecommand:If you updated the Vault service account keys, update the
apigee-operatorchart.helm upgrade operator apigee-operator/ \ --namespaceAPIGEE_NAMESPACE \ --atomic \ -foverrides.yaml
Update the rest of the affected charts in the following order:
helm upgrade datastore apigee-datastore/ \ --namespaceAPIGEE_NAMESPACE \ --atomic \ -foverrides.yaml
helm upgrade telemetry apigee-telemetry/ \ --namespaceAPIGEE_NAMESPACE \ --atomic \ -foverrides.yaml
helm upgrade$ORG_NAME apigee-org/ \ --namespaceAPIGEE_NAMESPACE \ --atomic \ -foverrides.yaml
Update the
apigee-envchart for each env, replacing$ENV_RELEASE_NAME abdENV_NAME each time:helm upgrade$ENV_RELEASE_NAME apigee-env/ \ --namespaceAPIGEE_NAMESPACE \ --atomic \ --set env=$ENV_NAME \ -foverrides.yaml
See theApigee hybrid Helm reference for a list of components and their corresponding charts.
Grant the access to the Kubernetes service accounts
- List theKubernetes service accounts with the following command:
kubectl get sa -nAPIGEE_NAMESPACE
helm upgradecommands.Important: You will not be using every Kubernetes service account that is listed by this command. - Grant the Kubernetes service accounts access to impersonate the associated IAM service accounts as shown in the following table. The table shows the default Apigee IAM service account names. If you are using custom service account names, use the corresponding IAM service accounts:
Kubernetes service accounts IAM service account Org-level Kubernetes service accounts apigee-connect-agent-ORG_NAME-ORG_HASH_IDapigee-martapigee-mart-ORG_NAME-ORG_HASH_IDapigee-martapigee-metrics-apigee-telemetryapigee-metricsapigee-open-telemetry-collector-apigee-telemetryapigee-metricsapigee-mint-task-scheduler-ORG_NAME-ORG_HASH_ID
(If usingMonetization for Apigee hybrid onv1.14.3 and later)apigee-mint-task-schedulerapigee-udca-ORG_NAME-ORG_HASH_IDapigee-udcaapigee-watcher-ORG_NAME-ORG_HASH_IDapigee-watcherEnv-level Kubernetes service accounts apigee-runtime-ORG_NAME-ENV_NAME-ENV_HASH_IDapigee-runtimeapigee-synchronizer-ORG_NAME-ENV_NAME-ENV_HASH_IDapigee-synchronizerCassandra backup and restore (if enabled) apigee-cassandra-backup-saapigee-cassandraapigee-cassandra-restore-saapigee-cassandraWhere:
ORG_NAME: The first 15 characters of the name of your organization.ORG_HASH_ID: A unique hash ID of your full organization name.ENV_NAME: The first 15 characters of the name of your environment.ENV_HASH_ID: A unique hash ID of your organization and environment names.
For example:
apigee-connect-agent-myhybridorg-123abcdapigee-runtime-myhybridorg-prodenv-234bcde
Grant each Kubernetes service account access to impersonate the appropriate IAM service account with the following command:
gcloud iam service-accounts add-iam-policy-binding \IAM_SA_NAME@PROJECT_ID.iam.gserviceaccount.com \ --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \ --role=roles/iam.workloadIdentityUser
Where:
IAM_SA_NAME: the name of the service account.PROJECT_ID: the ID of the project that is associated with the Apigee Org.PROJECT_NUMBER: theproject number of the project where you created the workload identity pool.POOL_ID: the workload identity pool ID.MAPPED_SUBJECT: the Kubernetes ServiceAccount from the claim in your ID token that you mapped togoogle.subject. For example, if you mappedgoogle.subject=assertions.suband your ID token contains"sub": "system:serviceaccount:default:my-kubernetes-serviceaccount", thenMAPPED_SUBJECTissystem:serviceaccount:default:my-kubernetes-serviceaccount.
For more information about Workload Identity Federation and best practices, seeBest practices for using workload identity federation.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.