Your team runs a GKE cluster with Workload Identity enabled. A pod in namespace "payments" needs to list objects in a Cloud Storage bucket. You created a Google service account [email protected] and granted it the Storage Object Viewer role on the bucket. Which additional configuration will let the pod authenticate without service account keys?
Add the Google service account as an imagePullSecret and rely on Application Default Credentials inside the container to pick up the secret.
Grant the Storage Object Viewer role directly to member serviceAccount:PROJECT_ID.svc.id.goog[payments/gcs-reader-ksa] on the bucket and mount a JSON key file for gcs-reader into the pod.
Bind roles/iam.workloadIdentityUser on [email protected] to member serviceAccount:PROJECT_ID.svc.id.goog[payments/gcs-reader-ksa], then annotate the Kubernetes service account gcs-reader-ksa in the payments namespace with the GSA email.
Give the Kubernetes service account the roles/iam.serviceAccountUser role at the project level and set the pod spec serviceAccountName field to the Google service account email.
Workload Identity lets a Kubernetes service account (KSA) impersonate a Google service account (GSA) without any key file. Two pieces of configuration are required, and both are needed:
On the GSA (not the project), grant roles/iam.workloadIdentityUser to the member that represents the KSA in the cluster project's Workload Identity pool: serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA], here serviceAccount:PROJECT_ID.svc.id.goog[payments/gcs-reader-ksa]. This is what authorizes the KSA's token to be exchanged for short-lived access tokens of the GSA.
Annotate the KSA with the GSA's email (annotation key iam.gke.io/gcp-service-account), and run the pod with serviceAccountName set to that KSA. The GKE metadata server then hands the pod GSA credentials through Application Default Credentials, so nothing is mounted. The other options do not enable this: an imagePullSecret only authenticates to a container registry; mounting a JSON key is exactly the long-lived credential the question wants to avoid; roles/iam.serviceAccountUser is for attaching a GSA to resources such as VMs, and serviceAccountName must name a KSA, not a GSA email.
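The two steps above as shell helpers, added here as an example and not taken from the original page. The project "my-proj", namespace "payments", GSA "gcs-reader" and KSA "gcs-reader-ksa" are assumed values; the gcloud and kubectl calls only run when WI_APPLY=1 is set, so the helper functions can be exercised offline.

```shell
# Added example (not from the original page). Assumed values: project "my-proj",
# namespace "payments", GSA "gcs-reader", KSA "gcs-reader-ksa".

# Member string that represents a KSA inside the project's Workload Identity pool:
#   serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA]
wi_member() {
  local project="$1" ns="$2" ksa="$3"
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$project" "$ns" "$ksa"
}

# KSA manifest carrying the iam.gke.io/gcp-service-account annotation (step 2).
ksa_manifest() {
  local ns="$1" ksa="$2" gsa_email="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${ksa}
  namespace: ${ns}
  annotations:
    iam.gke.io/gcp-service-account: ${gsa_email}
EOF
}

# Step 1: the binding lives on the GSA itself, not on the project or the bucket.
bind_workload_identity_user() {
  local project="$1" ns="$2" ksa="$3" gsa_email="$4"
  gcloud iam service-accounts add-iam-policy-binding "$gsa_email" \
    --project "$project" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$project" "$ns" "$ksa")"
}

# Step 2: create or update the annotated KSA.
apply_ksa() {
  ksa_manifest "$@" | kubectl apply -f -
}

# Check from inside a running pod that uses the KSA: the GKE metadata server
# should report the GSA email, not the node's service account. Assumes curl is
# present in the image and the node pool runs the GKE metadata server
# (--workload-metadata=GKE_METADATA); without it the pod sees the node identity.
verify_from_pod() {
  local ns="$1" pod="$2" expected_gsa="$3"
  local got
  got=$(kubectl -n "$ns" exec "$pod" -- \
    curl -s -H 'Metadata-Flavor: Google' \
    http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email)
  [ "$got" = "$expected_gsa" ]
}

# Full procedure, run only on request:  WI_APPLY=1 sh wi.sh
if [ "${WI_APPLY:-}" = "1" ]; then
  PROJECT=my-proj; NS=payments; KSA=gcs-reader-ksa
  GSA="gcs-reader@${PROJECT}.iam.gserviceaccount.com"
  bind_workload_identity_user "$PROJECT" "$NS" "$KSA" "$GSA"
  apply_ksa "$NS" "$KSA" "$GSA"
fi
```

The pod spec must then set serviceAccountName: gcs-reader-ksa; a pod using the default KSA gets no GSA credentials even if the binding exists. If verify_from_pod returns the node's service account email, the usual causes are a missing annotation, a member string with the wrong project ID or namespace, or a node pool created without the GKE metadata server.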
GCP Associate Cloud Engineer
Configuring access and security