Your three-node GKE Standard cluster in project "proj-a" has Workload Identity enabled. A Deployment uses the Kubernetes service account web-sa and pulls its container image from us-central1-docker.pkg.dev/proj-a/app/backend. After migrating the image from Container Registry to Artifact Registry, every newly created Pod immediately enters ImagePullBackOff with 403 "permission denied" errors, even though the image path is correct. To restore pulls while following Google-recommended least-privilege practices, which single configuration change should you make?
Grant the roles/artifactregistry.reader IAM role to the cluster's default Compute Engine service account that runs the nodes.
Grant the roles/artifactregistry.reader IAM role directly to the Kubernetes service account web-sa inside the cluster.
Edit the node pool to add the OAuth scope https://www.googleapis.com/auth/devstorage.read_only so nodes can pull images from Artifact Registry.
Create (or reuse) a Google service account, grant it roles/artifactregistry.reader, annotate the web-sa Kubernetes service account with iam.gke.io/gcp-service-account pointing to that Google service account, and redeploy the Pods.
With Workload Identity, node credentials are not used for pulling images. Each Pod inherits the identity of its Kubernetes service account (KSA). To let the Pods read from Artifact Registry you should:
Create (or reuse) a Google service account (GSA).
Grant that GSA the roles/artifactregistry.reader IAM role on the project or specific repository.
Bind the KSA to the GSA by adding the annotation iam.gke.io/gcp-service-account=<GSA-EMAIL> to the KSA (kubectl annotate serviceaccount web-sa ...). After you redeploy the workload so that Pods use the updated KSA, the kubelet's image pull will be authenticated as the GSA and succeed. Granting the role to the node's Compute Engine service account, the Cloud Build account, or changing node scopes would either over-privilege resources or have no effect under Workload Identity.
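The steps above as one re-runnable script. This is an added example, not part of the original explanation. It assumes placeholder names for the Google service account (artifact-puller), the namespace (default) and the Deployment (backend), scopes the reader role to the single repository rather than the whole project, and adds the roles/iam.workloadIdentityUser binding on the GSA, which GKE Workload Identity requires in addition to the annotation even though the explanation does not list it separately. It defaults to dry-run mode (prints the commands); set DRY_RUN to empty to apply them with an authenticated gcloud and kubectl.

```shell
#!/bin/sh
# Added example (not from the original page): configures Workload Identity so the
# web-sa Kubernetes service account maps to a Google service account that can
# read the Artifact Registry repository. Values marked "assumed" are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-proj-a}"             # from the question
GSA_NAME="${GSA_NAME:-artifact-puller}"        # assumed GSA name
KSA_NAME="${KSA_NAME:-web-sa}"                 # from the question
NAMESPACE="${NAMESPACE:-default}"              # assumed; the question names no namespace
REPO_LOCATION="${REPO_LOCATION:-us-central1}"  # from the image path in the question
REPO_NAME="${REPO_NAME:-app}"                  # from the image path in the question
DEPLOYMENT="${DEPLOYMENT:-backend}"            # assumed Deployment name
DRY_RUN="${DRY_RUN:-1}"                        # default: only print the commands

# GSA e-mail in the fixed Google format: NAME@PROJECT.iam.gserviceaccount.com
gsa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Workload Identity principal for a KSA. This member must hold
# roles/iam.workloadIdentityUser on the GSA; the annotation alone is not enough.
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"; }

# Execute a command, or print it when DRY_RUN is non-empty.
run() {
  if [ -n "$DRY_RUN" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

configure_pull_access() {
  gsa="$(gsa_email "$GSA_NAME" "$PROJECT_ID")"
  member="$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME")"

  # 1. Create (or reuse) the GSA; ignore failure so an existing account is reused.
  run gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID" \
      --display-name "Artifact Registry image puller" || true

  # 2. Least privilege: reader role on this one repository, not the whole project.
  run gcloud artifacts repositories add-iam-policy-binding "$REPO_NAME" \
      --project "$PROJECT_ID" --location "$REPO_LOCATION" \
      --member "serviceAccount:$gsa" --role roles/artifactregistry.reader

  # 3. Allow the KSA to act as the GSA (the Workload Identity binding).
  run gcloud iam service-accounts add-iam-policy-binding "$gsa" \
      --project "$PROJECT_ID" --member "$member" --role roles/iam.workloadIdentityUser

  # 4. Annotate the KSA so Pods using it take on the GSA identity.
  run kubectl annotate serviceaccount "$KSA_NAME" -n "$NAMESPACE" --overwrite \
      "iam.gke.io/gcp-service-account=$gsa"

  # 5. Redeploy so new Pods pick up the updated service account.
  run kubectl rollout restart deployment "$DEPLOYMENT" -n "$NAMESPACE"
}

configure_pull_access
```

Review the printed commands first, then run with `DRY_RUN= ./configure-pull.sh` (or export the variables for your own project, namespace and repository). Scoping the binding to the repository keeps the GSA from reading other repositories in the project, which is the least-privilege point the question is testing.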
GCP Associate Cloud Engineer
Ensuring successful operation of a cloud solution