microservices-demo
Replace workload identity with workload identity federation
Describe request or inquiry
- We can now bind Google Cloud IAM roles directly to Kubernetes ServiceAccounts — instead of using Google Service Accounts as a link between the roles and Kubernetes ServiceAccounts.
- We do this through a feature called Workload identity federation.
What purpose/environment will this feature serve?
- This impacts everything that uses Workload Identity — the AlloyDB Kustomize component, the Google Cloud Observability Kustomize component, the Spanner Kustomize component, etc.
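The difference between the two binding models, as an added example that is not part of the original issue or the project's own scripts: the functions below only print the commands for a legacy KSA/GSA setup and for a direct binding to the KSA principal. The function names and every project, namespace, account and role value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints (never runs) the binding commands for both models.
# Every project, namespace, account and role value here is a constructed placeholder.

# Principal identifier for a Kubernetes ServiceAccount (KSA).
# Args: project_number project_id namespace ksa
wif_principal() {
  # The path needs the numeric project NUMBER; the pool name uses the project ID.
  case "$1" in
    ''|*[!0-9]*) echo "project number must be numeric: '$1'" >&2; return 1 ;;
  esac
  for part in "$3" "$4"; do
    case "$part" in
      ''|*/*) echo "namespace/KSA must be non-empty and contain no '/'" >&2; return 1 ;;
    esac
  done
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s\n' \
    "$1" "$2" "$3" "$4"
}

# Legacy model: the GSA holds the role, the KSA is allowed to impersonate
# the GSA, and the KSA is annotated with the GSA's e-mail address.
# Args: project_id namespace ksa gsa_email role
legacy_binding_cmds() {
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
    "$1" "$4" "$5"
  printf 'gcloud iam service-accounts add-iam-policy-binding %s --role=roles/iam.workloadIdentityUser --member="serviceAccount:%s.svc.id.goog[%s/%s]"\n' \
    "$4" "$1" "$2" "$3"
  printf 'kubectl annotate serviceaccount %s --namespace %s iam.gke.io/gcp-service-account=%s\n' \
    "$3" "$2" "$4"
}

# Federation model: the role is bound straight to the KSA principal, so there
# is no GSA, no impersonation grant and no annotation to keep in sync.
# Args: project_number project_id namespace ksa role
direct_binding_cmd() {
  member=$(wif_principal "$1" "$2" "$3" "$4") || return 1
  printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s --condition=None\n' \
    "$2" "$member" "$5"
}

# Demo with constructed values.
legacy_binding_cmds my-project default spanner-ksa \
  spanner-gsa@my-project.iam.gserviceaccount.com roles/spanner.databaseUser
direct_binding_cmd 123456789012 my-project default spanner-ksa roles/spanner.databaseUser
```

When migrating, review the old GSA's remaining role bindings and its `roles/iam.workloadIdentityUser` grant so that no unused identity is left behind with access.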
This simplifies the setup of the KSA/GSA, etc. a lot, indeed!
JFYI: I just updated this blog post with this new approach with Online Boutique and Spanner: https://medium.com/p/f7248e077339, just sharing! ;)