easygcloud

Configure GKE Workload Identity: bind IAM policy and annotate the Kubernetes service account

command

gcloud iam service-accounts add-iam-policy-binding gcs-reader@my-project.iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="serviceAccount:my-project.svc.id.goog[prod/ksa-reader]"

also accepted

gcloud iam service-accounts add-iam-policy-binding gcs-reader@my-project.iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="serviceAccount:my-project.svc.id.goog[prod/ksa-reader]" && kubectl annotate serviceaccount ksa-reader -n prod iam.gke.io/gcp-service-account=gcs-reader@my-project.iam.gserviceaccount.com

Command breakdown

Part of the Google Cloud CLI (gcloud) — GKE category.

gcloud iam service-accounts add-iam-policy-binding gcs-reader@my-project.iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="serviceAccount:my-project.svc.id.goog[prod/ksa-reader]"

Flag        Purpose
--role      Set to: roles/iam.workloadIdentityUser
--member    Set to: "serviceAccount:my-project.svc.id.goog[prod/ksa-reader]"
