In a GKE cluster where Workload Identity is already enabled, you create the Google service account [email protected] and grant it the Storage Object Admin role on a Cloud Storage bucket. You then create the Kubernetes service account log-writer in the default namespace and annotate it so that it should act as the GSA. Pods running with this KSA still receive PERMISSION_DENIED errors when they call the Cloud Storage API. Following Google-recommended practices, what should you do to fix the problem?
Grant the member serviceAccount:PROJECT_ID.svc.id.goog[default/log-writer] the role roles/iam.workloadIdentityUser on [email protected].
Move the iam.gke.io/gcp-service-account annotation from the KSA to each Pod that needs Cloud Storage access.
Download a JSON key for [email protected] and mount it in the Pod via a Kubernetes Secret.
Bind the Storage Object Admin role directly to the log-writer Kubernetes service account in Cloud IAM.
Workload Identity functions only when two conditions are met: (1) the Kubernetes service account (KSA) is annotated with the Google service account (GSA) it should act as, and (2) the KSA is granted permission to impersonate that GSA through the IAM role roles/iam.workloadIdentityUser on the GSA. Because the second step was missed, the GKE metadata server denies the KSA's request for a token, so the application cannot obtain credentials and Cloud Storage rejects the call. Downloading and mounting a long-lived key file is discouraged, and moving the annotation to individual Pods or assigning Storage Object Admin directly to the KSA will not establish the required impersonation.
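An added example (not part of the original question) that checks both conditions from the explanation against the KSA manifest and the GSA's IAM policy, then applies the missing impersonation binding the way `gcloud iam service-accounts add-iam-policy-binding` would. The project id and GSA address are placeholders, the policy document is constructed in the shape `gcloud ... get-iam-policy --format=json` returns, and no Google API is called.

```python
import copy

WI_ROLE = "roles/iam.workloadIdentityUser"
WI_ANNOTATION = "iam.gke.io/gcp-service-account"


def wi_member(project_id, namespace, ksa):
    """Principal name GKE presents for a KSA under Workload Identity."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]"


def diagnose(ksa_manifest, gsa_policy, project_id, gsa_email):
    """Return the Workload Identity conditions that are NOT satisfied
    (annotation on the KSA, impersonation binding on the GSA); [] means OK."""
    meta = ksa_manifest.get("metadata", {})
    member = wi_member(project_id, meta.get("namespace", "default"), meta["name"])
    problems = []
    if meta.get("annotations", {}).get(WI_ANNOTATION) != gsa_email:
        problems.append(f"KSA not annotated {WI_ANNOTATION}={gsa_email}")
    bound = any(b.get("role") == WI_ROLE and member in b.get("members", [])
                for b in gsa_policy.get("bindings", []))
    if not bound:
        problems.append(f"{member} lacks {WI_ROLE} on {gsa_email}")
    return problems


def add_impersonation_binding(gsa_policy, member):
    """Copy of the GSA policy with the workloadIdentityUser binding added
    (idempotent); the original policy dict is left unchanged."""
    fixed = copy.deepcopy(gsa_policy)
    for b in fixed.setdefault("bindings", []):
        if b.get("role") == WI_ROLE:
            if member not in b.setdefault("members", []):
                b["members"].append(member)
            return fixed
    fixed["bindings"].append({"role": WI_ROLE, "members": [member]})
    return fixed


# Constructed sample input: placeholder project id and GSA address, KSA
# annotated correctly (step 1 done), GSA policy without the binding (step 2 missed).
PROJECT_ID = "example-project"
GSA_EMAIL = "log-writer-gsa@example-project.iam.gserviceaccount.com"
KSA = {"apiVersion": "v1", "kind": "ServiceAccount",
       "metadata": {"name": "log-writer", "namespace": "default",
                    "annotations": {WI_ANNOTATION: GSA_EMAIL}}}
GSA_POLICY = {"bindings": [], "etag": "BwXconstructed="}

if __name__ == "__main__":
    print(diagnose(KSA, GSA_POLICY, PROJECT_ID, GSA_EMAIL))
    member = wi_member(PROJECT_ID, "default", "log-writer")
    print(diagnose(KSA, add_impersonation_binding(GSA_POLICY, member), PROJECT_ID, GSA_EMAIL))
```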
GCP Associate Cloud Engineer
Configuring access and security