
Kubernetes Service account with Workload ID

apiVersion: v1
kind: ServiceAccount
metadata:
  name: bradley
  annotations:
    iam.gke.io/gcp-service-account: <gservice account email>

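You will need to grant the Kubernetes service account, identified in GCP IAM by the below member (used with the serviceAccount: prefix), access to the GCP SA

PROJECT_ID.svc.id.goog[NAMESPACE/KSA]

The role to grant it is:

roles/iam.workloadIdentityUser

This binding needs to be made on the GCP SA in GCP, not in Kubernetes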
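
One way to build and apply that binding, as an added example that is not part of the original page. The function names are hypothetical, and my-project, prod and the GSA email are constructed placeholders; the gcloud command is only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original page. All concrete values
# (my-project, prod, the GSA email) are constructed placeholders.

# Accept only characters Kubernetes allows in object names, so "/" or "]"
# cannot alter the NAMESPACE/KSA part of the member string.
valid_k8s_name() {
  case "$1" in
    ''|[.-]*|*[.-]|*[!a-z0-9.-]*) return 1 ;;
  esac
}

# Print the IAM member for a KSA:
#   serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA]
wi_member() {
  case "$1" in ''|*[!a-z0-9:.-]*) return 1 ;; esac   # loose project ID check
  valid_k8s_name "$2" && valid_k8s_name "$3" || return 1
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# wi_bind GSA_EMAIL PROJECT_ID NAMESPACE KSA
# Prints the binding command; runs it only when APPLY=1.
wi_bind() {
  gsa_email=$1
  case "$gsa_email" in
    ?*@?*.iam.gserviceaccount.com) ;;
    *) echo "not a GCP service account email: $gsa_email" >&2; return 1 ;;
  esac
  member=$(wi_member "$2" "$3" "$4") || {
    echo "invalid project, namespace or KSA name" >&2
    return 1
  }
  if [ "${APPLY:-0}" = 1 ]; then
    gcloud iam service-accounts add-iam-policy-binding "$gsa_email" \
      --role roles/iam.workloadIdentityUser --member "$member"
  else
    printf 'gcloud iam service-accounts add-iam-policy-binding %s --role roles/iam.workloadIdentityUser --member "%s"\n' \
      "$gsa_email" "$member"
  fi
}

# Dry run for the KSA named in the manifest above.
wi_bind bradley@my-project.iam.gserviceaccount.com my-project prod bradley
```

The member names exactly one namespace and one KSA, so a typo in either leaves the pod without access rather than granting it to a different workload.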

See Workload Identity

