The latest articles on DEV Community by Vagner Miranda (@jakner). https://dev.to/jakner https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3896100%2Fe0fa89cd-c90c-4206-bee2-9c0042b6bedd.png https://dev.to/jakner en Vagner Miranda Fri, 24 Apr 2026 13:12:30 +0000 https://dev.to/jakner/zero-trust-logging-secure-vectordev-pipelines-on-gcp-with-workload-identity-3klb https://dev.to/jakner/zero-trust-logging-secure-vectordev-pipelines-on-gcp-with-workload-identity-3klb <p>(Introduction)<br> Modern observability pipelines require more than just moving data from point A to point B; they require enterprise-grade security. When running Vector.dev on Google Cloud Platform (GCP), many engineers fall into the trap of using static JSON Service Account keys. These keys are a security liability.</p> <p>In this tutorial, I’ll show you how to implement a more secure approach using GCP Workload Identity, allowing Vector to authenticate natively and securely.</p> <p>(The Architecture)<br> Our setup involves:</p> <p>Vector.dev running on Kubernetes (GKE).</p> <p>Google Service Account (GSA) with specific permissions (e.g., Pub/Sub Publisher).</p> <p>Workload Identity Federation to link the Kubernetes Service Account (KSA) to the GSA.</p> <p>(Step 1: Create the Google Service Account)<br> First, create a dedicated service account for Vector and grant it only the necessary permissions:</p> <p>Bash<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud iam service-accounts create vector-aggregator <span class="se">\</span> <span class="nt">--display-name</span><span class="o">=</span><span class="s2">"Vector Aggregator Service Account"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud projects add-iam-policy-binding <span class="o">[</span>YOUR_PROJECT_ID] <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"serviceAccount:vector-aggregator@[YOUR_PROJECT_ID].iam.gserviceaccount.com"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"roles/pubsub.publisher"</span> </code></pre> </div> <p>(Step 2: Bind Kubernetes to GCP IAM)<br> Now, we allow the Kubernetes service account to act as the Google service account:</p> <p>Bash<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud iam service-accounts add-iam-policy-binding <span class="se">\</span> vector-aggregator@[YOUR_PROJECT_ID].iam.gserviceaccount.com <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"roles/iam.workloadIdentityUser"</span> <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"serviceAccount:[YOUR_PROJECT_ID].svc.id.goog[vector-namespace/vector-ksa]"</span> </code></pre> </div> <p>(Step 3: Configure Vector to use Identity)<br> In your vector.yaml, you don't need to specify a key_file. Vector is smart enough to use the environment's default credentials provided by Workload Identity:</p> <p>YAML<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">sinks</span><span class="pi">:</span> <span class="na">gcp_pubsub</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">google_cloud_pubsub</span> <span class="na">inputs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">your_log_source</span> <span class="na">project</span><span class="pi">:</span> <span class="s2">"</span><span class="s">[YOUR_PROJECT_ID]"</span> <span class="na">topic</span><span class="pi">:</span> <span class="s2">"</span><span class="s">vector-logs-topic"</span> <span class="c1"># No credentials_path needed!</span> </code></pre> </div> <p>(Conclusion)<br> By removing static keys, you reduce the risk of credential leakage and align your infrastructure with Zero-Trust principles. This setup is scalable, secure, and easier to manage in large-scale GCP environments.</p> devops security gcp observability