Workload Identity Setup
Available in v1.17.3+

Overview

GCP Workload Identity allows your ScaleOps Kubernetes service accounts to authenticate to GCP services without storing service account keys as secrets.

Prerequisites

  • gcloud CLI
  • GKE cluster with Workload Identity enabled
  • Service Account (or use --create-service-account flag)

Script Setup

Use the integration script with the workload identity flags:

curl -s https://scriptshelf.scaleops.com/google/integrate.sh | bash -s -- node-integration \
  --project-id <PROJECT_ID> \
  --service-account \
  --use-workload-identity

The script will automatically:

  • Set up IAM policy bindings for the ScaleOps service accounts
  • Configure workload identity for scaleops-dashboards, scaleops-agent, and scaleops-recommender service accounts
  • Provide the helm configuration needed

Note: You can also use --create-service-account instead of --service-account to create a new service account automatically.
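
To check which Kubernetes service accounts can impersonate the GCP service account once the script has run, the following added example (not part of the ScaleOps script or documentation) audits the JSON printed by `gcloud iam service-accounts get-iam-policy <GSA_EMAIL> --format=json`. It assumes the bindings use the standard GKE Workload Identity role `roles/iam.workloadIdentityUser`; the project ID, the namespace and the `audit_wi_bindings` helper are illustrative placeholders.

```python
import json

# Role GKE Workload Identity uses to let a Kubernetes SA impersonate a GCP SA.
# Assumption: the integration script grants this standard role.
WI_ROLE = "roles/iam.workloadIdentityUser"
# Kubernetes service account names listed on this page.
KSAS = ("scaleops-dashboards", "scaleops-agent", "scaleops-recommender")


def audit_wi_bindings(policy_json, project_id, namespace, ksas=KSAS):
    """Compare a GCP service account IAM policy with the expected members.

    Returns (missing, unexpected): expected Workload Identity members that
    are not bound, and members holding the role that were not expected.
    """
    policy = json.loads(policy_json)
    expected = {
        f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]" for ksa in ksas
    }
    bound = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == WI_ROLE:
            bound.update(binding.get("members", []))
    return sorted(expected - bound), sorted(bound - expected)


# Constructed sample policy. "example-project" and "scaleops-ns" are
# placeholders, not values taken from the page.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": WI_ROLE, "members": [
            "serviceAccount:example-project.svc.id.goog[scaleops-ns/scaleops-agent]",
            "serviceAccount:example-project.svc.id.goog[scaleops-ns/scaleops-dashboards]",
            "serviceAccount:example-project.svc.id.goog[default/default]",
        ]},
        {"role": "roles/iam.serviceAccountUser", "members": ["user:admin@example.com"]},
    ],
    "version": 1,
})

if __name__ == "__main__":
    missing, unexpected = audit_wi_bindings(SAMPLE_POLICY, "example-project", "scaleops-ns")
    for member in missing:
        print("MISSING   ", member)
    for member in unexpected:
        print("UNEXPECTED", member)
```

An entry under UNEXPECTED is a workload outside the ScaleOps service accounts that can obtain tokens for the GCP service account and should be reviewed against least privilege.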

Helm Values

After running the script, add the provided helm values to your values.yml file:

global:
  serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account:
cloudNodeIntegration:
  google:
    enabled: true
    useWorkloadIdentity: true

See Google documentation for more details about Workload Identity.