
google cloud platform - Unable to setup GKE workload identity invalid argument - Stack Overflow


Following Google's docs on how to set up Workload Identity: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. I have enabled the GKE metadata server on all nodes as well as the Workload Identity feature at the cluster level. However, when attempting to add an IAM policy binding I get INVALID_ARGUMENT: Request contains an invalid argument. A K8s service account named test-sa was already created in the default namespace. Example command:

gcloud projects add-iam-policy-binding projects/my-project \
    --role=roles/container.clusterViewer \
    --member=principal://iam.googleapis.com/projects/my-project-number/locations/global/workloadIdentityPools/my-project-id.svc.id.goog/subject/ns/default/sa/test-sa \
    --condition=None

And the response is:

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Request contains an invalid argument.

I'm not sure what argument is invalid in the above command since I'm following the docs suggestions.

Additionally, when enabling Workload Identity on GKE it says it's supposed to set up a pool, but when I run the following no pools have been created:

gcloud iam workload-identity-pools list --location global

asked Feb 5 at 19:03 by Chris Recalis
  • gcloud projects add-iam-policy-binding requires a Project ID (you have projects/my-project). I think the documentation is incorrect on this point. – DazWilkin Commented Feb 5 at 19:50
  • I've tried removing the leading prefix projects/ but still get the same response. – Chris Recalis Commented Feb 6 at 1:37
  • It's difficult to provide guidance absent (a) a minimal repro of your issue; (b) the complexity in the process. I can only encourage you to go through the documentation step-by-step preferably using a script and environment variables to represent the state and see whether you can uncover your issue. Good luck! – DazWilkin Commented Feb 6 at 17:59

1 Answer


I was able to successfully set up a GKE Workload Identity using the document you’ve provided. For you to be able to run it successfully, make sure to use the correct Project Number, Project ID, Namespace and Kubernetes Service account.

To get the correct project name, number and ID use the command below:

gcloud projects describe PROJECT_ID

To get the Namespace and KSA use this command:

kubectl get namespaces
kubectl get serviceaccount -n <namespace-name>

Hope this helps
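The answer above comes down to getting each component of the principal:// identifier right: the path uses the project number, the pool name uses the project ID, and the namespace and service account must be real Kubernetes names. The following shell script is an added example (not code from the question, the answer, or Google's docs) that checks each piece before the binding is attempted, so a malformed value fails locally instead of surfacing as INVALID_ARGUMENT, and so the role is never granted to an unintended principal. The project number, project ID and the RUN_EXAMPLE switch are constructed placeholders.

```shell
# Added example: validate the inputs of a Workload Identity principal and
# assemble the member string. Sample values below are constructed.

# Returns 0 if $1 is a numeric project number (the part after projects/).
is_project_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Returns 0 if $1 has the project ID shape: 6-30 chars of lowercase letters,
# digits or hyphens, starting with a letter and not ending with a hyphen.
is_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Returns 0 if $1 is a DNS-1123 label (Kubernetes namespace or SA name).
is_k8s_name() {
  [ "${#1}" -le 63 ] && printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# build_wi_member PROJECT_NUMBER PROJECT_ID NAMESPACE KSA
# Prints the principal:// member for the cluster's default pool, or prints
# nothing and returns 1 when a component would be rejected by IAM.
build_wi_member() {
  is_project_number "$1" || { echo "project number must be numeric, got '$1'" >&2; return 1; }
  is_project_id "$2"     || { echo "invalid project ID '$2'" >&2; return 1; }
  is_k8s_name "$3"       || { echo "invalid namespace '$3'" >&2; return 1; }
  is_k8s_name "$4"       || { echo "invalid service account name '$4'" >&2; return 1; }
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s\n' \
    "$1" "$2" "$3" "$4"
}

# Only runs gcloud when RUN_EXAMPLE is set; the comments on the question
# suggest passing the plain project ID rather than a projects/ prefix.
if [ -n "${RUN_EXAMPLE:-}" ]; then
  MEMBER=$(build_wi_member 123456789012 my-project-id default test-sa) || exit 1
  gcloud projects add-iam-policy-binding my-project-id \
    --role=roles/container.clusterViewer \
    --member="$MEMBER" \
    --condition=None
fi
```

Passing the project ID where the number belongs (a common slip) is caught by the first check, and the cluster-viewer role keeps the binding scoped to read-only cluster access.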
