logical-backup: a way to access gcs bucket using gke workload identity

[ggramal]

Please, answer some short questions which should help us to understand your problem / question better?

• Which image of the operator are you using? e.g. ghcr.io/zalando/postgres-operator:v1.14.0
• Where do you run it - cloud or metal? Kubernetes or OpenShift? GKE
• Are you running Postgres Operator in production? yes
• Type of issue? feature request

Gke has a feature called workload identity that is the recommended way that workloads running on GKE can access Google Cloud services in a secure and manageable way. Basically it connects k8s service accounts with gcp service accounts through the Metadata server (169.254.169.254:80). Metadata server is a well know address used by all SDKs for authentication (including gsutil).

Benefits:

• no need to maintain (store/rotate) service account keys
• enhanced security because metadata tokens have ttl

Possible solution:

• update dump.sh script so that it checks if LOGICAL_BACKUP_GOOGLE_APPLICATION_CREDENTIALS env var is set
• use -o GoogleCompute:service_account=default gsutil option

Probably can make a PR for this