tustvold commented on issue #5073:
URL: https://github.com/apache/arrow-rs/issues/5073#issuecomment-1900320971
So I re-read the docs here and I am honestly confused why this isn't
working. The docs state that you should
1. Annotate the IAM role in GCS with the policy binding
```
gcloud projects add-iam-policy-binding GSA_PROJECT \
    --member "serviceAccount:GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com" \
    --role "ROLE_NAME"
```
2. Annotate the Kubernetes ServiceAccount object
```
kubectl annotate serviceaccount KSA_NAME --namespace NAMESPACE \
    iam.gke.io/gcp-service-account=GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com
```
3. Update the pods to enable the metadata hook
```
spec:
  serviceAccountName: KSA_NAME
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"
```
4. Now, within the workload, calling the metadata endpoint with `default` will
yield the service account that you've mapped in
```
curl -H "Metadata-Flavor: Google" \
    http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email
```
I cannot find any documentation about calling the metadata endpoint with
anything other than `default`, when you would do this, or what its behaviour
would be.