A GKE cluster uses Workload Identity. You create a Google service account (GSA) named ar-writer@PROJECT_ID.iam.gserviceaccount.com. Pods running with the Kubernetes service account (KSA) default in namespace prod must push container images to Artifact Registry without using key files. Which single configuration change lets the pods authenticate as ar-writer@PROJECT_ID.iam.gserviceaccount.com?
Set the annotation iam.gke.io/gcp-service-account=serviceAccount:PROJECT_ID.svc.id.goog[prod/default] on ar-writer@PROJECT_ID.iam.gserviceaccount.com; no IAM change is required.
Assign the roles/artifactregistry.writer role on the project directly to the KSA default in namespace prod.
Add an IAM policy binding on ar-writer@PROJECT_ID.iam.gserviceaccount.com that grants the roles/iam.workloadIdentityUser role to serviceAccount:PROJECT_ID.svc.id.goog[prod/default].
Grant the roles/iam.serviceAccountTokenCreator role on the project to ar-writer@PROJECT_ID.iam.gserviceaccount.com.
Workload Identity pairs a KSA with a GSA in two places. On the IAM side, a policy binding on the GSA itself (not on the project) grants roles/iam.workloadIdentityUser to the principal that represents the KSA, written serviceAccount:PROJECT_ID.svc.id.goog[prod/default]. On the Kubernetes side, the KSA carries the annotation iam.gke.io/gcp-service-account=ar-writer@PROJECT_ID.iam.gserviceaccount.com. With both in place, the GKE metadata server hands pods that use the KSA short-lived OAuth access tokens for the GSA, so no key file is ever mounted or downloaded. The GSA itself still needs roles/artifactregistry.writer on the target repository or project for the push to succeed; that role controls what the GSA may do, not who may act as it. Granting roles/iam.serviceAccountTokenCreator to the GSA, binding Artifact Registry roles to the KSA, or adding the annotation alone does not allow impersonation without the Workload Identity User binding on the GSA.
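The two halves of the pairing, and a check that tells them apart from the distractors, as an added example that is not part of the exam page. The names follow the question (PROJECT_ID, KSA prod/default, GSA ar-writer); the sample IAM policy and KSA manifest are constructed here in the shape of `gcloud iam service-accounts get-iam-policy GSA --format=json` and `kubectl get serviceaccount default -n prod -o json` output, and the function and variable names are this example's own.

```python
"""Generate and verify a GKE Workload Identity pairing between a KSA and a GSA.

Added example, not code from the exam page. The sample policy and manifest
below are constructed, shaped like gcloud/kubectl JSON output.
"""

WI_USER_ROLE = "roles/iam.workloadIdentityUser"
KSA_ANNOTATION = "iam.gke.io/gcp-service-account"


def gsa_email(name, project):
    """Full email of a Google service account."""
    return f"{name}@{project}.iam.gserviceaccount.com"


def ksa_principal(project, namespace, ksa):
    """IAM member string that represents a Kubernetes service account."""
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"


def setup_commands(project, namespace, ksa, gsa_name):
    """The two commands that pair the KSA with the GSA: binding on the GSA,
    annotation on the KSA."""
    gsa = gsa_email(gsa_name, project)
    member = ksa_principal(project, namespace, ksa)
    return [
        f"gcloud iam service-accounts add-iam-policy-binding {gsa} "
        f"--role={WI_USER_ROLE} --member='{member}'",
        f"kubectl annotate serviceaccount {ksa} --namespace {namespace} "
        f"{KSA_ANNOTATION}={gsa}",
    ]


def check_pairing(gsa_policy, ksa_manifest, project, namespace, ksa, gsa_name):
    """Report whether the binding on the GSA and the annotation on the KSA
    are both in place.

    Only roles/iam.workloadIdentityUser granted on the GSA's own policy to the
    KSA principal counts; any other role (e.g. serviceAccountTokenCreator) or
    any other member is ignored, which is why the distractor options fail.
    """
    gsa = gsa_email(gsa_name, project)
    member = ksa_principal(project, namespace, ksa)
    has_binding = any(
        b.get("role") == WI_USER_ROLE and member in b.get("members", [])
        for b in gsa_policy.get("bindings", [])
    )
    annotations = ksa_manifest.get("metadata", {}).get("annotations") or {}
    annotation_ok = annotations.get(KSA_ANNOTATION) == gsa
    return {"binding": has_binding, "annotation": annotation_ok,
            "ok": has_binding and annotation_ok}


# Constructed sample: GSA policy where someone granted the wrong role
# (Token Creator) to the KSA principal. Not sufficient for Workload Identity.
POLICY_BEFORE = {
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:PROJECT_ID.svc.id.goog[prod/default]"]},
    ],
}

# Constructed sample: the same policy after the correct add-iam-policy-binding.
POLICY_AFTER = {
    "bindings": POLICY_BEFORE["bindings"] + [
        {"role": WI_USER_ROLE,
         "members": ["serviceAccount:PROJECT_ID.svc.id.goog[prod/default]"]},
    ],
}

# Constructed sample: KSA manifest with the annotation already present.
KSA_MANIFEST = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "default", "namespace": "prod",
                 "annotations": {KSA_ANNOTATION:
                                 "ar-writer@PROJECT_ID.iam.gserviceaccount.com"}},
}

if __name__ == "__main__":
    for cmd in setup_commands("PROJECT_ID", "prod", "default", "ar-writer"):
        print(cmd)
    for policy in (POLICY_BEFORE, POLICY_AFTER):
        print(check_pairing(policy, KSA_MANIFEST,
                            "PROJECT_ID", "prod", "default", "ar-writer"))
```

In practice you feed `check_pairing` the real JSON from `gcloud iam service-accounts get-iam-policy` and `kubectl get sa -o json`; a result with `binding` false and `annotation` true is the classic "annotated but never bound" misconfiguration, and the pod's token request to the metadata server fails with a permission error until the binding is added.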
GCP Associate Cloud Engineer
Configuring access and security