Tags: google-cloud-platform, google-kubernetes-engine, google-iam

Unable to setup GKE workload identity invalid argument


Following the Google docs on how to set up Workload Identity: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. I have enabled the GKE metadata server on all nodes as well as the Workload Identity feature at the cluster level. However, when attempting to add an IAM policy binding I get INVALID_ARGUMENT: Request contains an invalid argument. A K8s service account named test-sa was already created in the default namespace. Example command:

gcloud projects add-iam-policy-binding projects/my-project \
    --role=roles/container.clusterViewer \
    --member=principal://iam.googleapis.com/projects/my-project-number/locations/global/workloadIdentityPools/my-project-id.svc.id.goog/subject/ns/default/sa/test-sa \
    --condition=None

And the response is:

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Request contains an invalid argument.

I'm not sure what argument is invalid in the above command since I'm following the docs suggestions.

Additionally, when enabling Workload Identity on GKE it says it's supposed to set up a pool, but when I run the following no pools have been created:

gcloud iam workload-identity-pools list --location global

Solution

  • I was able to successfully set up GKE Workload Identity using the document you've provided. For you to be able to run it successfully, make sure to use the correct Project Number, Project ID, Namespace and Kubernetes Service Account.

    To get the correct project name, number and ID, use the command below (replace PROJECT_ID with your project ID):

    gcloud projects describe PROJECT_ID
    

    To get the Namespace and KSA use this command:

    kubectl get namespaces
    
    kubectl get serviceaccount -n <namespace-name>
    

    Hope this helps
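The principal identifier in the question puts the project *number* in the `projects/` path segment and the project *ID* in the pool name (`PROJECT_ID.svc.id.goog`), followed by the namespace and Kubernetes service account. The script below, an added example that is not part of the question or the answer, assembles that identifier from the four values the answer says to look up and refuses obviously malformed input (for instance a project ID where the numeric project number belongs) before the string ever reaches `gcloud`. The project number, project ID, namespace and service account used at the bottom are constructed placeholders; the `wi_member` and `binding_command` function names are this example's own. The label check is deliberately loose (lowercase letters, digits and hyphens, not starting or ending with a hyphen) and is not the full set of naming rules Google Cloud or Kubernetes enforce.

```shell
#!/bin/sh
# Added example (not from the question or answer): build and sanity-check the
# Workload Identity principal identifier used with
# `gcloud projects add-iam-policy-binding`.

# A project number is digits only; a project ID ("my-project") is not.
is_project_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Loose check for a project ID, namespace or service-account name:
# lowercase letters, digits and hyphens, no leading/trailing hyphen.
is_label() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# wi_member PROJECT_NUMBER PROJECT_ID NAMESPACE KSA
# Prints the principal:// identifier, or fails with a message on stderr.
wi_member() {
  wi_number="$1"; wi_project="$2"; wi_ns="$3"; wi_ksa="$4"
  if ! is_project_number "$wi_number"; then
    echo "project number must be numeric (got '$wi_number')" >&2
    return 1
  fi
  for wi_v in "$wi_project" "$wi_ns" "$wi_ksa"; do
    if ! is_label "$wi_v"; then
      echo "not a valid lowercase label: '$wi_v'" >&2
      return 1
    fi
  done
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s\n' \
    "$wi_number" "$wi_project" "$wi_ns" "$wi_ksa"
}

# binding_command PROJECT_ID ROLE MEMBER
# Prints (does not run) the gcloud command, so it can be reviewed first.
binding_command() {
  printf 'gcloud projects add-iam-policy-binding %s --role=%s --member=%s --condition=None\n' \
    "$1" "$2" "$3"
}

# Constructed placeholder values. In a real session the project number comes
# from: gcloud projects describe PROJECT_ID --format='value(projectNumber)'
if member=$(wi_member 123456789012 my-project default test-sa); then
  binding_command my-project roles/container.clusterViewer "$member"
fi
```

Running the script prints the complete `add-iam-policy-binding` command with the assembled member; copy it only after confirming the number, ID, namespace and service account are the ones you looked up with `gcloud projects describe` and `kubectl get serviceaccount`. Passing the project ID in the number position (for example `wi_member my-project my-project default test-sa`) fails locally instead of producing a request the API will reject.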