Hello everyone,
We have been trying to enable Workload Identity federation with the KSA direct connect type for Apigee Hybrid runtime 1.14.0 in AKS for the past month but have not been successful. So, I'm not sure if it is actually supported or not.
The reason is that the main official Apigee document [1] briefly explains the concept of enabling Workload Identity federation on external providers (AKS and EKS) and refers to [2] for the full implementation steps. However, article [2] states that Workload Identity federation supports two modes: KSA direct connect (recommended) and GSA impersonation.
[1] https://cloud.google.com/apigee/docs/hybrid/v1.14/enable-workload-identity-federation.html#k8s-secret
[2] https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes#aks
But in my lab, we successfully implemented GSA impersonation but were unsuccessful with KSA direct connect, even after reconfiguring everything in every possible way.
Can anyone help me or tell me where I went wrong?
Thank you