Your team is migrating a GKE workload from service-account key files to Workload Identity. You have:

1. Enabled Workload Identity on the cluster.
2. Created the Google service account data-reader@PROJECT_ID.iam.gserviceaccount.com.
3. Annotated the Kubernetes service account default/ksa-reader with iam.gke.io/gcp-service-account=data-reader@PROJECT_ID.iam.gserviceaccount.com.

After redeploying, pods still receive "403 Permission denied" when calling Cloud Storage. What additional step is required so the pods can successfully authenticate as the Google service account?

A. Create a JSON key for the Google service account and mount it into the pods as a secret.
B. Grant the Kubernetes service account the Storage Object Viewer role on the target Cloud Storage bucket.
C. Add an IAM policy binding that grants the roles/iam.workloadIdentityUser role on the Google service account to default/ksa-reader.
D. Enable the IAM Credentials API in the project that hosts the cluster.
Workload Identity works only when the Kubernetes service account (KSA) is authorized to act as the Google service account (GSA). This is done by granting the KSA the IAM role roles/iam.workloadIdentityUser on the GSA. Without that binding, the projected identity token presented by the pod is not accepted, causing permission errors. Granting storage.viewer to the KSA does not allow it to impersonate the GSA. Enabling the IAM Credentials API is unnecessary for basic Workload Identity usage, and mounting a key file defeats the purpose of using Workload Identity.
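The complete, working configuration for the scenario above, written as an added Terraform example (it is not code from the original page or from Google). It assumes the google and kubernetes providers are already configured against the cluster's project, that var.project_id holds the real project id in place of PROJECT_ID, and it uses the constructed bucket name "example-data-bucket" as a placeholder. It covers the three steps the question lists plus the missing IAM binding:

```hcl
# Added example, not from the original page. Assumes the google and kubernetes
# Terraform providers are configured; var.project_id stands in for PROJECT_ID
# and "example-data-bucket" is a constructed placeholder bucket name.

variable "project_id" {
  type = string
}

# The Google service account (GSA) the pods should act as.
resource "google_service_account" "data_reader" {
  account_id   = "data-reader"
  display_name = "Cloud Storage reader for GKE workloads"
}

# The data permission the pods need. It is granted to the GSA, not to the KSA:
# the Kubernetes identity never appears in bucket IAM at all.
resource "google_storage_bucket_iam_member" "reader" {
  bucket = "example-data-bucket" # placeholder
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.data_reader.email}"
}

# The step missing from the question: allow the KSA default/ksa-reader to
# impersonate the GSA. The member is the Workload Identity pool principal,
# formatted as serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME].
resource "google_service_account_iam_member" "workload_identity_user" {
  service_account_id = google_service_account.data_reader.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/ksa-reader]"
}

# The KSA, annotated so GKE knows which GSA to exchange its token for.
resource "kubernetes_service_account" "ksa_reader" {
  metadata {
    name      = "ksa-reader"
    namespace = "default"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.data_reader.email
    }
  }
}
```

The mapping is deliberately two-sided: the annotation says which GSA the KSA wants to become, and the roles/iam.workloadIdentityUser binding on the GSA says which KSA is allowed to do so. With only the annotation in place, the token exchange is refused and the pod sees exactly the 403 described in the question. To check the binding exists on a live project, read the GSA's IAM policy with gcloud iam service-accounts get-iam-policy data-reader@PROJECT_ID.iam.gserviceaccount.com and look for the svc.id.goog member under roles/iam.workloadIdentityUser.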
GCP Associate Cloud Engineer
Configuring access and security