You are deploying a containerized video-processing application to a GKE cluster that already has Workload Identity enabled. You created a Google service account named video-sa and want pods that run with the Kubernetes service account default in namespace video to download objects from a private Cloud Storage bucket. Which IAM binding is required to let the Kubernetes service account successfully impersonate video-sa through Workload Identity?
Add an IAM binding on the video-sa Google service account giving role roles/iam.serviceAccountTokenCreator to member serviceAccount:PROJECT_ID.svc.id.goog[video/default].
Add an IAM policy binding on the video-sa Google service account that grants role roles/iam.workloadIdentityUser to member serviceAccount:PROJECT_ID.svc.id.goog[video/default].
Grant role roles/serviceAccountUser on the default Kubernetes service account to principal video-sa@PROJECT_ID.iam.gserviceaccount.com.
At the project level, assign roles/storage.objectViewer to member serviceAccount:PROJECT_ID.svc.id.goog[video/default].
Workload Identity works by letting a Kubernetes service account (KSA) act as, or impersonate, a Google service account (GSA). To enable the impersonation, you grant the KSA principal the role roles/iam.workloadIdentityUser on the GSA it needs to act as. The member string must follow the form serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]. Other roles such as serviceAccountUser or serviceAccountTokenCreator do not allow a KSA to exchange its identity token for a short-lived GSA token, and granting Storage roles to the KSA at project level does not establish the required trust. Therefore the correct action is to add a policy binding on video-sa that gives roles/iam.workloadIdentityUser to serviceAccount:PROJECT_ID.svc.id.goog[video/default].
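As an added example (not part of the original question or of Google's tooling), the check below audits a GSA's IAM policy, such as the JSON that `gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json` returns, for the binding the explanation describes, flags the distractor roles from the options, and shows the idempotent fix that `add-iam-policy-binding` performs. The sample policy is constructed and PROJECT_ID is a placeholder.

```python
import json

WI_ROLE = "roles/iam.workloadIdentityUser"

# Constructed sample of a GSA IAM policy (PROJECT_ID is a placeholder); it carries the two
# distractor bindings from the options and lacks the one the question asks for.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:PROJECT_ID.svc.id.goog[video/default]"]},
        {"role": WI_ROLE,
         "members": ["serviceAccount:PROJECT_ID.svc.id.goog[staging/default]"]},
    ],
})


def wi_member(project_id, namespace, ksa):
    """Member string GKE presents for a KSA: serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA]."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]"


def audit_gsa_policy(policy_json, project_id, namespace, ksa):
    """Return (ok, findings): ok is True only if the KSA holds roles/iam.workloadIdentityUser on the GSA."""
    expected = wi_member(project_id, namespace, ksa)
    ok, findings = False, []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member == expected and role == WI_ROLE:
                ok = True
            elif member == expected:
                findings.append(f"{role} on {member} does not grant GSA impersonation")
            elif role == WI_ROLE:
                findings.append(f"{WI_ROLE} is also held by another principal: {member}")
    if not ok:
        findings.append(f"missing: {WI_ROLE} for {expected}")
    return ok, findings


def add_wi_binding(policy_json, project_id, namespace, ksa):
    """Return the policy with the required binding added, as add-iam-policy-binding would (idempotent)."""
    policy = json.loads(policy_json)
    member = wi_member(project_id, namespace, ksa)
    for binding in policy.setdefault("bindings", []):
        if binding.get("role") == WI_ROLE and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return json.dumps(policy)
    policy["bindings"].append({"role": WI_ROLE, "members": [member]})
    return json.dumps(policy)
```

The audit reports the tokenCreator binding as insufficient and the missing workloadIdentityUser binding; after `add_wi_binding` the same audit passes, which mirrors checking the policy before and after the gcloud command.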
GCP Associate Cloud Engineer
Configuring access and security