@salrashid123
Created April 28, 2022 13:03
# GKE Workload Identity -> Google service account (GSA) -> signed GCS URL via IAM signBlob
export PROJECT_ID=`gcloud config get-value core/project`
export PROJECT_NUMBER=`gcloud projects describe $PROJECT_ID --format='value(projectNumber)'`

# GSA that the pod will act as, and a cluster with a Workload Identity pool
gcloud iam service-accounts create ocsp-svc
gcloud container clusters create cluster-1 --workload-pool=$PROJECT_ID.svc.id.goog

# Kubernetes service account (KSA) in its own namespace
kubectl create namespace ns1
kubectl create serviceaccount --namespace ns1 ksa-1

# Let KSA ns1/ksa-1 obtain tokens for ocsp-svc through the Workload Identity pool
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.serviceAccountTokenCreator \
  --member "serviceAccount:$PROJECT_ID.svc.id.goog[ns1/ksa-1]" \
  ocsp-svc@$PROJECT_ID.iam.gserviceaccount.com

# Let ocsp-svc call the IAM credentials API (signBlob) on itself; this is what
# `gsutil signurl -u` uses, so no private key ever has to exist inside the pod
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.serviceAccountTokenCreator \
  --member "serviceAccount:ocsp-svc@$PROJECT_ID.iam.gserviceaccount.com" \
  ocsp-svc@$PROJECT_ID.iam.gserviceaccount.com

# Test bucket and object; the GSA only gets read-only objectViewer on it
gsutil mb gs://$PROJECT_ID-cab1/
echo -n foo >/tmp/foo.txt
gsutil cp /tmp/foo.txt gs://$PROJECT_ID-cab1/
gsutil iam ch serviceAccount:ocsp-svc@$PROJECT_ID.iam.gserviceaccount.com:objectViewer gs://$PROJECT_ID-cab1/

# Map the KSA to the GSA
kubectl annotate serviceaccount --namespace ns1 ksa-1 iam.gke.io/gcp-service-account=ocsp-svc@$PROJECT_ID.iam.gserviceaccount.com

# Pod running as ksa-1, scheduled only on nodes that run the GKE metadata server
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: workload-identity-test
  namespace: ns1
spec:
  containers:
  - image: google/cloud-sdk:slim
    name: workload-identity-test
    command: ["sleep","infinity"]
  serviceAccountName: ksa-1
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"
EOF

kubectl get po -n ns1
# NAME                     READY   STATUS    RESTARTS   AGE
# workload-identity-test   1/1     Running   0          3m28s

# From inside the pod: impersonate ocsp-svc (-i), sign a V4 URL for region us (-r),
# valid for 10 minutes (-d), using service account credentials / IAM signBlob (-u)
# instead of a local key file
kubectl exec -it workload-identity-test \
  --namespace ns1 \
  -- gsutil -i ocsp-svc@$PROJECT_ID.iam.gserviceaccount.com signurl -r us -d 10m -u gs://$PROJECT_ID-cab1/foo.txt
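What the last step produces, as an added example that is not part of the gist and not gsutil's code: a pure-stdlib Python builder for a GCS V4 signed URL with the RSA-SHA256 signing step delegated to a caller-supplied signer (inside the pod that signer would be the IAM credentials API `signBlob` call made with the GSA's access token; here it is replaced by a constructed HMAC stand-in, so the output is not a valid GCS signature), plus an audit function that checks a signed URL against the things a defender cares about: which service account signed it, the maximum lifetime, and whether it has already expired. The bucket, object and project names are constructed placeholders.

```python
"""Added example: build and audit GCS V4 signed URLs (stdlib only, signing delegated)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse

HOST = "storage.googleapis.com"
ALGORITHM = "GOOG4-RSA-SHA256"
MAX_EXPIRY = timedelta(days=7)  # hard upper bound GCS enforces for V4 signed URLs


def build_v4_signed_url(bucket, obj, sa_email, region, expires, sign, now=None):
    """Return a V4 signed GET URL. `sign` receives the string-to-sign bytes and
    returns the raw signature; with `gsutil signurl -u` that is IAM signBlob."""
    if expires <= timedelta(0) or expires > MAX_EXPIRY:
        raise ValueError("expiry must be between 1 second and 7 days")
    now = now or datetime.now(timezone.utc)
    datestamp = now.strftime("%Y%m%d")
    timestamp = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{datestamp}/{region}/storage/goog4_request"
    path = "/" + quote(bucket, safe="") + "/" + quote(obj, safe="/")

    # Query parameters are part of the signed canonical request, sorted by name.
    params = {
        "X-Goog-Algorithm": ALGORITHM,
        "X-Goog-Credential": f"{sa_email}/{scope}",
        "X-Goog-Date": timestamp,
        "X-Goog-Expires": str(int(expires.total_seconds())),
        "X-Goog-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join(
        ["GET", path, canonical_query, f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        [ALGORITHM, timestamp, scope, hashlib.sha256(canonical_request.encode()).hexdigest()]
    )
    signature = sign(string_to_sign.encode()).hex()
    return f"https://{HOST}{path}?{canonical_query}&X-Goog-Signature={signature}"


def audit_signed_url(url, expected_sa, max_age=timedelta(minutes=15), now=None):
    """Return a list of policy findings for a signed URL; an empty list means OK."""
    now = now or datetime.now(timezone.utc)
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    findings = []
    if u.scheme != "https" or u.netloc != HOST:
        findings.append(f"unexpected host {u.netloc!r}")
    if q.get("X-Goog-Algorithm") != ALGORITHM:
        findings.append("not a V4 RSA-signed URL")
    signer = q.get("X-Goog-Credential", "").split("/", 1)[0]
    if signer != expected_sa:
        findings.append(f"signed by {signer!r}, expected {expected_sa!r}")
    if "X-Goog-Signature" not in q:
        findings.append("missing signature")
    try:
        issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        ttl = timedelta(seconds=int(q["X-Goog-Expires"]))
    except (KeyError, ValueError):
        findings.append("missing or malformed X-Goog-Date / X-Goog-Expires")
        return findings
    if ttl > max_age:
        findings.append(f"lifetime {ttl} exceeds policy maximum {max_age}")
    if issued + ttl < now:
        findings.append("URL already expired")
    return findings


def demo_signer(data: bytes) -> bytes:
    # CONSTRUCTED stand-in for IAM signBlob (RSA-SHA256 performed by Google IAM on
    # behalf of the GSA). Deterministic for the example; not a valid GCS signature.
    return hmac.new(b"constructed-demo-key", data, hashlib.sha256).digest()


if __name__ == "__main__":
    sa = "ocsp-svc@my-project.iam.gserviceaccount.com"  # placeholder project
    url = build_v4_signed_url("my-project-cab1", "foo.txt", sa, "us",
                              timedelta(minutes=10), demo_signer)
    print(url)
    print("findings:", audit_signed_url(url, sa))
```

The audit function is the useful part for a reviewer: given a URL that turned up in logs or in a ticket, it tells you which service account minted it and whether its lifetime is inside policy, without needing any key material.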