← GKE173 / 640

easygcloud

Configure GKE Workload Identity: bind IAM policy and annotate the Kubernetes service account

command

gcloud iam service-accounts add-iam-policy-binding gcs-reader@my-project.iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="serviceAccount:my-project.svc.id.goog[prod/ksa-reader]"

also accepted

gcloud iam service-accounts add-iam-policy-binding gcs-reader@my-project.iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="serviceAccount:my-project.svc.id.goog[prod/ksa-reader]" && kubectl annotate serviceaccount ksa-reader -n prod iam.gke.io/gcp-service-account=gcs-reader@my-project.iam.gserviceaccount.com

← prev next →

More GKE commands →Full cheat sheet →

Test your recall — not just your reading.

Practice with interactive quiz →