I'm using a service account to connect my Kubernetes pod (which is actually a neo4j backup pod that uses a service account secret) to Google Cloud Storage. I've attached the admin role to this service account (of course, once the issue is solved I will fine-grain this access) just to be sure that it is not a policy issue. I'm getting an error, though.
ERROR: gcloud crashed (TransportError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f1ee4afca90>: Failed to establish a new connection: [Errno 111] Connection refused',))
What is the reason for that and how can I fix it?
As requested, I'm answering my own question.
It appears that I had started to configure my workloads with Workload Identity. Then for some reason I wanted to go back to the service account authentication type. But the node pool had already been modified to work with Workload Identity. That is why I could not use the service account anymore. I missed this part of the Google documentation:
"This change will prevent workloads from using the Compute Engine service account and must be carefully rolled out." So when using Workload Identity, we cannot use a service account anymore.
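A way to check for the condition described in the answer, as an added example that is not part of the original post: it reads the JSON printed by `gcloud container clusters describe CLUSTER --format=json` and reports which node pools run in `GKE_METADATA` (Workload Identity) mode. The sample document, its names and the `audit_workload_identity` helper are constructed for illustration.

```python
import json

# Constructed sample shaped like `gcloud container clusters describe
# --format=json` output, trimmed to the fields used here. Names are made up.
SAMPLE_CLUSTER_JSON = """
{
  "name": "example-cluster",
  "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
  "nodePools": [
    {"name": "default-pool",
     "config": {"serviceAccount": "default",
                "workloadMetadataConfig": {"mode": "GKE_METADATA"}}},
    {"name": "backup-pool",
     "config": {"serviceAccount": "default",
                "workloadMetadataConfig": {"mode": "GCE_METADATA"}}},
    {"name": "legacy-pool", "config": {"serviceAccount": "default"}}
  ]
}
"""

def audit_workload_identity(cluster_json):
    """Return (workload_pool, rows) with one row per node pool."""
    cluster = json.loads(cluster_json)
    workload_pool = (cluster.get("workloadIdentityConfig") or {}).get("workloadPool")
    rows = []
    for pool in cluster.get("nodePools", []):
        config = pool.get("config") or {}
        # Pools never switched to Workload Identity may omit this block.
        mode = (config.get("workloadMetadataConfig") or {}).get("mode", "UNSET")
        rows.append({
            "pool": pool.get("name"),
            "mode": mode,
            "node_sa": config.get("serviceAccount"),
            # GKE_METADATA is the mode the quoted documentation warns about:
            # workloads no longer use the Compute Engine service account.
            "blocks_compute_engine_sa": mode == "GKE_METADATA",
        })
    return workload_pool, rows

if __name__ == "__main__":
    wp, pools = audit_workload_identity(SAMPLE_CLUSTER_JSON)
    print("workload pool:", wp or "(not enabled)")
    for r in pools:
        flag = "BLOCKED" if r["blocks_compute_engine_sa"] else "available"
        print(f"{r['pool']:<14}{r['mode']:<14}Compute Engine SA: {flag}")
```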