
Workload Identity (GKE)

This article shows you how to enable Workload Identity on your Google Kubernetes Engine (GKE) clusters.

Make sure you have completed the following tasks before beginning:

  1. Enable the Google Kubernetes Engine API.
  2. Ensure that you have enabled the IAM Service Account Credentials API.
  3. Ensure that you have the following IAM roles:
     - roles/container.admin
     - roles/iam.serviceAccountAdmin

You can enable Workload Identity on clusters using the Google Cloud CLI or the Google Cloud console.


Create a new cluster

To enable Workload Identity on a new cluster, do the following:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.
  2. In the Create cluster dialog, for GKE Standard, click Configure.
  3. From the navigation pane, under Cluster, click Security.
  4. Select the Enable Workload Identity checkbox.
  5. Configure your cluster as needed.
  6. Click Create.


Update an existing cluster

To enable Workload Identity on an existing cluster, do the following:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.
  2. In the cluster list on the Google Kubernetes Engine page, click the name of the cluster you want to modify.
  3. On the Details tab, locate the Security section.
  4. For the Workload Identity field, click Edit Workload Identity.
  5. In the Edit Workload Identity dialog, select the Enable Workload Identity checkbox.
  6. Click Save Changes.
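The same two operations from the Google Cloud CLI side, as an added example that is not part of this page: a script that audits which clusters in a project already carry the project's workload pool and prints the `gcloud container clusters update` command for those that do not. The project id `my-project`, the cluster names and the sample listing are constructed; the `--live` mode assumes an authenticated `gcloud` with permission to list clusters.

```bash
#!/usr/bin/env bash
# Added example (not from the page): audit GKE clusters for Workload Identity
# and emit the gcloud command that enables it. Project id, cluster names and
# the sample listing below are constructed for an offline run.
set -euo pipefail

# The only workload pool GKE accepts for a cluster is its own project's pool.
expected_pool() {  # $1 = project id
  printf '%s.svc.id.goog\n' "$1"
}

# Reads lines of "name<TAB>location<TAB>pool" on stdin, the shape produced by
#   gcloud container clusters list --project PROJECT \
#     --format='value(name,location,workloadIdentityConfig.workloadPool)'
# and prints one line per cluster: "name location OK" or "name location MISSING".
audit_clusters() {  # $1 = project id; listing on stdin
  local want name location pool
  want="$(expected_pool "$1")"
  while IFS=$'\t' read -r name location pool; do
    [ -n "$name" ] || continue
    if [ "$pool" = "$want" ]; then
      printf '%s %s OK\n' "$name" "$location"
    else
      printf '%s %s MISSING\n' "$name" "$location"   # pool empty or wrong project
    fi
  done
}

# CLI equivalent of the "Update an existing cluster" console steps above.
# For a new cluster the same --workload-pool flag goes on
# "gcloud container clusters create".
enable_cmd() {  # $1 = project id, $2 = cluster name, $3 = location
  printf 'gcloud container clusters update %s --location=%s --project=%s --workload-pool=%s\n' \
    "$2" "$3" "$1" "$(expected_pool "$1")"
}

# Constructed sample listing (not real clusters): one enabled, one not.
SAMPLE=$'prod-eu\teurope-west1\tmy-project.svc.id.goog\ndev-us\tus-central1\t'

if [ "${1:-}" = "--live" ]; then
  gcloud container clusters list --project "$2" \
    --format='value(name,location,workloadIdentityConfig.workloadPool)' \
    | audit_clusters "$2"
else
  printf '%s\n' "$SAMPLE" | audit_clusters my-project
fi
```

Run it with no arguments to see the constructed sample audited, or `./audit.sh --live PROJECT_ID` against a real project; pipe the MISSING lines into `enable_cmd` to generate the remediation commands.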