How to change service account for GKE nodes?

Question

My GKE cluster was created long back and it has two nodes currently both using the default Service account. I want to now change the Service account for the nodes without disturbing the cluster. I want to maintain a separate SA for our cluster. I looked for it, but it looks like a non-editable property.

Is there any way to do it?

Answer 1

Unfortunately you can't modify the service account of a node-pool that was already created.

Below you can find a screenshot from Cloud Console that states the service account setting is permanent in the creation process:

---

To avoid having downtime with your workload and create a new node-pool with different service account you can follow the official documentation about migration:

• Cloud.google.com: Kubernetes Engine: Docs: Tutorials: Migrating node pool

This tutorial demonstrates how to migrate workloads running on a Google Kubernetes Engine (GKE) cluster to a new set of nodes within the same cluster without incurring downtime for your application. Such a migration can be useful if you want to migrate your workloads to nodes with a different machine type.

You will need to:

• Create a new node-pool with your service account.
• Migrate the workload to the new node-pool (draining and cordoning old node-pool).
• Check if everything is running correctly on a new node-pool.
• Delete the old node-pool.

---

Additional resources:

• Cloud.google.com: Kubernetes Engine: Docs: How to: Hardening your cluster: Use least privilege SA