In keeping with the Directive to "Design for cloud mobility", Tracker uses the multi-cloud backup tool rclone to back up the database to Google Cloud Storage, aka GCS.
On GKE the backup service uses workload identity to authenticate itself to GCS. Workload identity connects Kubernetes service accounts with the IAM accounts and the roles and permissions of GCP.
For the backup to succeed, you need to create these accounts and mappings:

```bash
# GCP service account that the backup service will act as
gcloud iam service-accounts create backup-service
# Let the Kubernetes service account backup-service in namespace db impersonate it
gcloud iam service-accounts add-iam-policy-binding --role roles/iam.workloadIdentityUser --member "serviceAccount:track-compliance.svc.id.goog[db/backup-service]" backup-service@track-compliance.iam.gserviceaccount.com
# Custom role limited to listing and creating objects
gcloud iam roles create backupService --project track-compliance --title "Backup Service" --description "Write and view objects only" --permissions storage.objects.list,storage.objects.create
# Bind the custom role; project-level custom roles are referenced as projects/<project>/roles/<id>
gcloud projects add-iam-policy-binding track-compliance --member=serviceAccount:backup-service@track-compliance.iam.gserviceaccount.com --role=projects/track-compliance/roles/backupService
```
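A check to run after these commands, as an added example that is not part of Tracker's own code: it takes the JSON printed by `gcloud iam service-accounts get-iam-policy`, `gcloud projects get-iam-policy` and `gcloud iam roles describe` (each with `--format=json`) and reports anything that departs from the least-privilege setup above. The function names are hypothetical and the sample documents are constructed.

```python
# Names taken from the gcloud commands above.
PROJECT = "track-compliance"
GSA = f"serviceAccount:backup-service@{PROJECT}.iam.gserviceaccount.com"
KSA = f"serviceAccount:{PROJECT}.svc.id.goog[db/backup-service]"
WI_ROLE = "roles/iam.workloadIdentityUser"
CUSTOM_ROLE = f"projects/{PROJECT}/roles/backupService"
EXPECTED_PERMS = {"storage.objects.list", "storage.objects.create"}

def members_of(policy, role):
    """All members bound to `role` in an IAM policy document."""
    return {m for b in policy.get("bindings", []) if b["role"] == role
            for m in b.get("members", [])}

def roles_of(policy, member):
    """All roles an IAM policy document grants to `member`."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def audit(sa_policy, project_policy, role):
    """Return a list of findings; an empty list means the setup matches."""
    findings = []
    impersonators = members_of(sa_policy, WI_ROLE)
    others = impersonators - {KSA}
    if KSA not in impersonators:
        findings.append("db/backup-service is not bound as workloadIdentityUser")
    if others:
        findings.append(f"other identities can impersonate: {sorted(others)}")
    granted = roles_of(project_policy, GSA)
    extra = granted - {CUSTOM_ROLE}
    if CUSTOM_ROLE not in granted:
        findings.append(f"{CUSTOM_ROLE} is not bound to the service account")
    if extra:
        findings.append(f"extra project roles: {sorted(extra)}")
    drift = set(role.get("includedPermissions", [])) ^ EXPECTED_PERMS
    if drift:
        findings.append(f"role permissions drifted: {sorted(drift)}")
    return findings

# Constructed sample documents, shaped like the --format=json output.
SA_POLICY = {"bindings": [{"role": WI_ROLE, "members": [KSA]}]}
PROJECT_POLICY = {"bindings": [
    {"role": CUSTOM_ROLE, "members": [GSA]},
    {"role": "roles/storage.admin", "members": [GSA]},  # constructed over-grant
]}
ROLE_DOC = {"name": CUSTOM_ROLE, "includedPermissions": sorted(EXPECTED_PERMS)}

if __name__ == "__main__":
    for finding in audit(SA_POLICY, PROJECT_POLICY, ROLE_DOC) or ["ok"]:
        print(finding)
```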