Prerequisites
What are you trying to do that currently feels hard or impossible?
We run the toolbox inside a K8S pod. This pod has K8S workload identity enabled. The underlying GCP service account (GCP SA) has access to all datasets in the project.
In a multitenant world, we want to be able to initiate the toolbox separately for each tenant as a subprocess. For each tenant we have its own unique GCP SA, which will have access to the datasets/tables for that tenant.
The K8S pod has a GCP SA, say "MASTER_SA"; each toolbox runs as a subprocess using the impersonated tenant's GCP SA, say "TENANT_SA". Note that we do not want to use separate JSON key files for each tenant SA.
The ask is to be able to do this.
For example, here is how it is done in Cloud Custodian: https://cloudcustodian.io/docs/gcp/gettingstarted.html#gcp-gettingstarted
Suggested Solution(s)
No response
Alternatives Considered
No response
Additional Details
No response
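The flow the request describes (pod identity MASTER_SA mints a short-lived token for TENANT_SA by impersonation, and a per-tenant toolbox subprocess is started with that token and nothing else), written out as an added example. This is not code from the issue author or from the toolbox project. It uses the real google-auth `impersonated_credentials` API for the minting step; the toolbox command line, the `TOOLBOX_ACCESS_TOKEN` variable the child is assumed to read, the BigQuery scope and the `tenant-<id>@<project>` naming are assumptions for illustration:

```python
"""One toolbox subprocess per tenant, each holding only a token for its own
TENANT_SA, minted from the pod's Workload Identity (MASTER_SA). No JSON key
files are used: the IAM Credentials API signs the token server-side, which
requires MASTER_SA to hold roles/iam.serviceAccountTokenCreator on TENANT_SA.
Added example; names below are assumptions, not the toolbox's real interface."""
import os
import re
import subprocess
from typing import Iterable, Mapping

# Assumed: how the child is started and how it receives its credential.
TOOLBOX_CMD = ["toolbox", "--tools-file", "tools.yaml"]
TOKEN_ENV = "TOOLBOX_ACCESS_TOKEN"
TENANT_SCOPES = ("https://www.googleapis.com/auth/bigquery",)

# Variables through which the child could silently fall back to MASTER_SA's
# own credentials instead of the tenant token; never inherit them.
MASTER_CRED_ENVS = frozenset({
    "GOOGLE_APPLICATION_CREDENTIALS",
    "CLOUDSDK_AUTH_ACCESS_TOKEN",
    "CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT",
})

# service account id and project id: 6-30 chars, lower-case, start with a letter
SA_EMAIL_RE = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$"
)


def tenant_sa_email(tenant_id: str, project_id: str) -> str:
    """Assumed naming convention: tenant-<id>@<project>.iam.gserviceaccount.com."""
    return f"tenant-{tenant_id}@{project_id}.iam.gserviceaccount.com"


def mint_tenant_token(target_sa: str, scopes: Iterable[str], lifetime_s: int = 600) -> str:
    """Mint a short-lived access token for target_sa, using the pod's ambient
    Workload Identity credential (MASTER_SA) as the impersonation source."""
    import google.auth  # lazy import: the pure helpers below work without it
    from google.auth import impersonated_credentials
    from google.auth.transport.requests import Request

    source, _ = google.auth.default()          # MASTER_SA via the GKE metadata server
    creds = impersonated_credentials.Credentials(
        source_credentials=source,
        target_principal=target_sa,
        target_scopes=list(scopes),            # grant only what the toolbox needs
        lifetime=lifetime_s,                   # short: the child is a long-running
    )                                          # process, so refresh before expiry
    creds.refresh(Request())
    return creds.token


def child_env(parent_env: Mapping[str, str], token: str) -> dict:
    """Environment for one tenant's subprocess: the tenant token plus the parent
    environment minus anything that points at MASTER_SA's credentials."""
    env = {k: v for k, v in parent_env.items() if k not in MASTER_CRED_ENVS}
    env[TOKEN_ENV] = token
    return env


def launch_tenant_toolbox(tenant_sa: str, mint=mint_tenant_token, run=subprocess.Popen):
    """Validate the target principal, mint its token and start the subprocess.
    `mint` and `run` are injectable so the wiring can be exercised offline."""
    if not SA_EMAIL_RE.match(tenant_sa):
        raise ValueError(f"not a service account email: {tenant_sa!r}")
    token = mint(tenant_sa, TENANT_SCOPES)
    return run(TOOLBOX_CMD, env=child_env(os.environ, token))


if __name__ == "__main__":
    launch_tenant_toolbox(tenant_sa_email("acme", "my-project"))
```

Two caveats a practitioner will hit. First, stripping the environment is necessary but not sufficient on GKE: any process in the pod can still reach the metadata server and obtain a MASTER_SA token, so the tenant boundary only holds if the toolbox is made to use the injected token rather than Application Default Credentials, or if each tenant's toolbox runs in its own pod with its own Kubernetes service account. Second, impersonated tokens expire; a parent that keeps a child alive for longer than `lifetime_s` has to re-mint and hand the child a fresh token, which is the part the toolbox would need to support natively for this request to be fully met.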