Which pod is used when using podIdentity?

[asfaltboy]

I am new to Keda, and I'm struggling to find the answer to the question: which pod does podIdentity refer to in the docs? For instance:

The Authentication concept documentation mentions:

Several service providers allow you to assign an identity to a pod. By using that identity, you can defer authentication to the pod & the service provider, rather than configuring secrets.

Do we mean:

1. The KSA (kubernetes service account) that is used by Keda pods (defaults to keda-operator)? Or,
2. Is it that of the scaled pod workload itself?

Option (2) feels a bit unlikely, since I imagine the scaler polling is happening elsewhere, and we'd somehow need to grant access to that scaler-poller workload to use another pod's service account. Is this even possible?

I was also confused by this ticket, which seems to indicate some other use case or similar misunderstanding perhaps 🤷 . FWIW, I was able to associate the keda-operator service account with the GCP workload identity. But, I only tried using the ScaledJob so far; perhaps there is an issue with scaling a Deployment with the ScaledObject, I intend to try and report back if it is so.

---

Below are more examples of documentation that I came across.

EKS Pod Identity docs say:

EKS Pod Identity Webhook, which is described more in depth here, allows you to provide the role name using an annotation on a service account associated with your pod.

Similarly in Kiam Pod Identity:

Kiam lets you bind an AWS IAM Role to a pod using an annotation on the pod.

And GCP Workload Identity:

GCP Workload Identity allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services.

Lastly, Azure seems unique in that allows picking the identity to use:

Azure Pod Identity is an implementation of Azure AD Pod Identity which lets you bind an Azure Managed Identity to a Pod in a Kubernetes cluster as delegated access - Don’t manage secrets, let Azure AD do the hard work.

This is made somewhat more confusing by the fact that Azure recently archived https://github.com/Azure/aad-pod-identity and are redirecting users to https://azure.github.io/azure-workload-identity/docs/ which seems a bit more inline with the other's in the above list...

For what it's worth, I am fairly comfortable with the concept of pod identity, and I have been using managed kubernetes on GCP (GKE) for a few years, and we manage our workload authentication with workload identity.

[tomkerkhove]

The KEDA operator is doing this AFAIK.

This is made somewhat more confusing by the fact that Azure recently archived Azure/aad-pod-identity and are redirecting users to azure.github.io/azure-workload-identity/docs which seems a bit more inline with the other's in the above list...

Why is that confusing? That's the same pattern KEDA uses.