Workload Identity Setup
Available in v1.17.3+

Overview

GCP Workload Identity allows your ScaleOps Kubernetes service accounts to authenticate to GCP BigQuery for cost data without storing service account keys as secrets.

Prerequisites

gcloud CLI
GKE cluster with Workload Identity enabled
Service Account (or use --create-service-account flag)
BigQuery dataset with cost export data

Script Setup

Use the integration script with the workload identity flags:


curl -s https://scriptshelf.scaleops.com/google/integrate.sh | bash -s -- cost \
  --cost-project-id <COST_PROJECT_ID> \
  --service-account <SERVICE_ACCOUNT_EMAIL> \
  --dataset-name <DATASET_NAME> \
  --use-workload-identity

Download Script / Preview

The script will automatically:

Set up BigQuery permissions for the service account
Configure workload identity for scaleops-dashboards, scaleops-agent, and scaleops-recommender service accounts
Provide the helm configuration needed

Note: You can also use --create-service-account instead of --service-account to create a new service account automatically.

Helm Values

After running the script, add the provided helm values to your values.yml file:


global:
  serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account: <SERVICE_ACCOUNT_EMAIL>
 
cloudBillingIntegration:
  google:
    enabled: true
    useWorkloadIdentity: true
    projectId: <COST_PROJECT_ID>
    datasetName: <DATASET_NAME>

See Google documentation for more details about Workload Identity.

Workload Identity Setup Available in v1.17.3+

Overview

Prerequisites

Script Setup

Helm Values

Workload Identity Setup
Available in v1.17.3+