Doc: Image Repository: GCP: Direct resource access with WIF

GCP now favors direct resource access with WorkloadIdentity Federation, as opposed to service account impersonation. Signed-off-by: jordanp <[email protected]>
fluxcd · Oct 28, 2024 · c06745e · c06745e
1 parent a71ffb3
commit c06745e
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/docs/spec/v1beta2/imagerepositories.md b/docs/spec/v1beta2/imagerepositories.md
@@ -500,7 +500,7 @@ access to them.
 
 ##### Workload Identity
 
-When using Workload Identity to enable access to GCR or Artifact Registry, add
+When using Workload Identity to enable access to GCR or Artifact Registry with service account impersonation, add
 the following patch to your bootstrap repository, in the
 `flux-system/kustomization.yaml` file:
 
@@ -527,8 +527,12 @@ The Artifact Registry service uses the permission `artifactregistry.repositories
 that is located under the Artifact Registry Reader role. If you are using
 Google Container Registry service, the needed permission is instead `storage.objects.list`
 which can be bound as part of the Container Registry Service Agent role.
-Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
-for more information about setting up GKE Workload Identity.
+
+Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) and
+[this guide](https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes#authenticate)
+for more information about setting up GKE Workload Identity. Note that GCP now recommends using
+[direct resource access](https://cloud.google.com/iam/docs/workload-identity-federation#direct-resource-access) as opposed
+to service account impersonation when using Workload Identity.
 
 #### Authentication on other platforms