Installing Veeam Kasten with Google Workload Identity Federation
Google Workload Identity Federation uses service account impersonation for authentication and authorization, which avoids distributing long-lived Google Service Account keys. It works with external identity providers such as AWS, Azure, or Kubernetes. An example of setting up Google Workload Identity Federation on an OpenShift cluster on GKE with Kubernetes as the identity provider can be found here.
Veeam Kasten supports the use of Google Workload Identity Federation with Kubernetes as the Identity Provider both during the export of applications and in Veeam Kasten DR Backup and Restore processes.
Installing Veeam Kasten
When Kubernetes is used as the Identity Provider, workloads authenticate to Google Cloud with Kubernetes service account tokens. These tokens are made available to workloads through service account token volume projection, which requires additional Helm settings so that the projected token is issued for the audience expected by the Workload Identity Pool.
To install Veeam Kasten with Google Workload Identity Federation, add the following values to the Helm install command:
--set google.workloadIdentityFederation.enabled=true \
--set google.workloadIdentityFederation.idp.type=kubernetes \
--set google.workloadIdentityFederation.idp.aud=<audience>
where <audience> is the Audience set up for the Workload Identity Pool.
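A check that is worth running before the first export or DR restore is to confirm that the token the kubelet projects into the Veeam Kasten pod actually carries the audience passed as google.workloadIdentityFederation.idp.aud, since Google's STS only accepts a token whose aud claim matches an audience allowed on the Workload Identity Pool provider. The following is an added example and not part of the Veeam Kasten documentation or code: it decodes a projected service account token, compares its aud claim with the configured audience, and checks the subject namespace and expiry. The audience, the kasten-io namespace, the service account name k10-k10, and the sample token itself are constructed placeholders; in practice, read the token from the projected volume inside the pod (for example with kubectl exec) and pass it to check_projected_token. The signature is deliberately not verified here, because Google verifies it against the cluster's OIDC issuer keys during the token exchange.

```python
import base64
import json
import time

# Constructed placeholder values (assumptions, not taken from the Kasten docs):
# the audience configured on the Workload Identity Pool provider and the
# namespace Veeam Kasten is installed in.
EXPECTED_AUD = ("https://iam.googleapis.com/projects/000000000000/locations/global/"
                "workloadIdentityPools/k10-pool/providers/k10-provider")
KASTEN_NAMESPACE = "kasten-io"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(aud, namespace=KASTEN_NAMESPACE, sa="k10-k10", lifetime=3600, now=None):
    """Build a constructed projected service account token with the claim layout the
    kube-apiserver emits. The service account name is a placeholder and the signature
    is a dummy: nothing in this example verifies it."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "kid": "sample-key-id"}
    payload = {
        "iss": "https://kubernetes.default.svc.cluster.local",  # placeholder issuer
        "aud": [aud],
        "sub": f"system:serviceaccount:{namespace}:{sa}",
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa}},
        "iat": now, "nbf": now, "exp": now + lifetime,
    }
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token):
    """Return the JWT payload as a dict without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_projected_token(token, expected_aud=EXPECTED_AUD, namespace=KASTEN_NAMESPACE, now=None):
    """Return a list of problems. An empty list means the token carries the audience
    configured via google.workloadIdentityFederation.idp.aud, was issued to a service
    account in the Kasten namespace, and has not expired."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # aud may be a single string or a list
        aud = [aud]
    if expected_aud not in aud:
        problems.append(f"aud {aud} does not contain the expected audience {expected_aud!r}")
    sub = claims.get("sub", "")
    if not sub.startswith(f"system:serviceaccount:{namespace}:"):
        problems.append(f"sub {sub!r} is not a service account in namespace {namespace!r}")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token has expired; the kubelet should have rotated the projected volume")
    return problems


if __name__ == "__main__":
    good = make_sample_token(EXPECTED_AUD)
    print("matching audience:", check_projected_token(good) or "OK")
    # A token projected for a different audience and already expired.
    stale = make_sample_token("https://wrong-audience.example", lifetime=-60)
    for problem in check_projected_token(stale):
        print("problem:", problem)
```

If the aud check fails, the value passed to google.workloadIdentityFederation.idp.aud does not match the audience the pool provider was configured with; fix one side rather than widening the provider's allowed audiences, since a loose audience lets tokens minted for other purposes be exchanged for Google credentials.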
Creating a Location Profile with Google Workload Identity Federation
Instructions on how to create a Location Profile with Google Workload Identity Federation can be found here.
Restoring Veeam Kasten with Google Workload Identity Federation
Veeam Kasten supports the use of Google Workload Identity Federation with Kubernetes as the Identity Provider during Veeam Kasten DR Backup and Restore process. For more information on Veeam Kasten DR Backup and Restore, please see here.
Veeam Kasten can be restored with Google Workload Identity Federation regardless of the authentication mechanism that was used for the Google Location Profile selected when Veeam Kasten disaster recovery was enabled on the source cluster.
The restore process requires a Location Profile with Google Workload Identity Federation on the target cluster. Refer to the Installing Veeam Kasten section above for instructions on how to install Veeam Kasten on the target cluster with Google Workload Identity Federation, and to the Google Cloud Storage Location Profile configuration section for instructions on how to create the Location Profile.
Following that, Veeam Kasten can be restored using Google Workload Identity Federation credentials by executing the command below:
# Install the helm chart that creates the restore job and wait for completion of the `k10-restore` job
# Assumes that Veeam Kasten is installed in 'kasten-io' namespace.
$ helm install k10-restore kasten/k10restore --namespace=kasten-io \
--set=google.workloadIdentityFederation.enabled=true \
--set=google.workloadIdentityFederation.idp.type=kubernetes \
--set=google.workloadIdentityFederation.idp.aud=<audience> \
--set sourceClusterID=<source-clusterID> \
--set profile.name=<location-profile-name>
where <audience> is the Audience set up for the Workload Identity Pool of the target cluster, and <location-profile-name> is the profile on the target cluster that contains the credential configuration file.