What is the best way to retrieve Spanner credentials for a microservice-based application on GKE?


Using Workload Identity (now called Workload Identity Federation for GKE) to let pods obtain Spanner credentials is the best approach for a microservice-based application on Google Kubernetes Engine (GKE). It lets a workload act as a Google Cloud IAM service account without a service account key ever being created, mounted, or read by the application.

Workload Identity maps a Kubernetes service account (KSA) to a Google Cloud service account (GSA). When a pod running as that KSA calls Spanner, the client library picks up credentials through Application Default Credentials from the GKE metadata server, so nothing has to be baked into the image, set in an environment variable, or stored in a Kubernetes Secret. With no long-lived key in the cluster there is nothing to leak, rotate, or accidentally commit.

Concretely, the KSA is annotated with iam.gke.io/gcp-service-account pointing at the GSA's e-mail, the GSA grants that one KSA the roles/iam.workloadIdentityUser role, and the GSA itself holds a Spanner role such as roles/spanner.databaseUser on the target database. Each call to Spanner then presents a short-lived OAuth 2.0 access token minted by Google for the GSA; the token expires on its own, and Cloud Audit Logs record the GSA as the principal, which keeps permissions easy to review and audit. One caveat: every container in every pod that runs as that KSA can obtain the token, so give each microservice its own KSA/GSA pair and bind the Spanner role at the database rather than the project level.

The other options may serve certain purposes, but they do not provide the same level of security and ease of management. For instance, using Kubernetes Secrets
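The setup described above, as an added example that is not part of the original answer: a POSIX shell script that derives the Workload Identity principal and KSA manifest, applies the IAM bindings with gcloud, and verifies from inside a pod that the metadata server hands out the GSA's identity. The project, instance, database, namespace, and account names are assumptions; edit them before running.

```shell
#!/bin/sh
# Added example, not from the original page: ties a Kubernetes service
# account (KSA) to a Google service account (GSA) with Workload Identity so a
# Spanner client in the pod gets short-lived tokens from the GKE metadata
# server instead of a mounted key file. All names below are assumptions.
PROJECT_ID="my-project"
SPANNER_INSTANCE="orders-inst"
SPANNER_DATABASE="orders-db"
NAMESPACE="orders"
KSA_NAME="orders-api"
GSA_NAME="orders-spanner"

# E-mail of the Google service account the pod will act as.
gsa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$GSA_NAME" "$PROJECT_ID"
}

# IAM principal naming exactly one KSA in the cluster's workload identity
# pool (PROJECT_ID.svc.id.goog). Binding this single KSA, not a whole
# namespace, keeps the impersonation grant to the workload that needs Spanner.
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' \
    "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME"
}

# KSA manifest carrying the annotation GKE uses to map the KSA onto the GSA.
ksa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${KSA_NAME}
  namespace: ${NAMESPACE}
  annotations:
    iam.gke.io/gcp-service-account: $(gsa_email)
EOF
}

# Pod template fragment: the workload only needs serviceAccountName.
# No key volume and no GOOGLE_APPLICATION_CREDENTIALS variable appear here.
pod_spec_fragment() {
  cat <<EOF
spec:
  serviceAccountName: ${KSA_NAME}
  containers:
  - name: orders-api
    image: gcr.io/${PROJECT_ID}/orders-api:latest
EOF
}

# Runs the real gcloud/kubectl steps; needs an authenticated gcloud and a
# kubeconfig for a cluster created or updated with
# --workload-pool=PROJECT_ID.svc.id.goog.
setup_workload_identity() {
  gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID"

  # Least privilege: Spanner access on one database, not the whole project.
  gcloud spanner databases add-iam-policy-binding "$SPANNER_DATABASE" \
    --instance "$SPANNER_INSTANCE" --project "$PROJECT_ID" \
    --member "serviceAccount:$(gsa_email)" \
    --role roles/spanner.databaseUser

  # Allow the KSA (and only it) to impersonate the GSA.
  gcloud iam service-accounts add-iam-policy-binding "$(gsa_email)" \
    --project "$PROJECT_ID" \
    --member "$(wi_member)" \
    --role roles/iam.workloadIdentityUser

  kubectl create namespace "$NAMESPACE" 2>/dev/null || true
  ksa_manifest | kubectl apply -f -

  # Verify from inside a pod running as the KSA: the metadata server should
  # report the GSA e-mail, which is the identity the Spanner client will use.
  kubectl run wi-check --rm -i --restart=Never -n "$NAMESPACE" \
    --overrides="{\"spec\":{\"serviceAccountName\":\"$KSA_NAME\"}}" \
    --image=curlimages/curl -- \
    curl -s -H 'Metadata-Flavor: Google' \
    http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email
}

# Run the setup only when explicitly asked, e.g. `sh wi-setup.sh apply`.
if [ "${1:-}" = "apply" ]; then
  setup_workload_identity
fi
```

If the verification step prints the default compute service account instead of the GSA e-mail, the annotation or the workloadIdentityUser binding is wrong, and the Spanner client would silently use whatever identity the node has; fix that before deploying. Because the metadata server answers any container in a pod that runs as the KSA, keep one KSA/GSA pair per microservice rather than one shared account per namespace.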
