Binding Google Service Account with Kubernetes Cluster Service Account in GKE cluster across GCP projects

I've built a Google Kubernetes Engine (GKE) cluster in a GCP project.

According to the different use cases of applications running on the cluster, I associated the applications with the different service accounts and the different granted permissions. To do so, I bound Google Service Account (GSA) with the Kubernetes Cluster Service Account (KSA) as follows:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "[K8S_NAMESPACE/KSA_NAME]" \
kubectl annotate serviceaccount \
  --namespace K8S_NAMESPACE \


Everything I have explained works normally.

Currently, there are many GKE clusters in different projects. Furthermore, the service accounts assigned with the applications are supposed to be created in the same project that hosts the GKE clusters. I am planning to do the GSA centralisation for KSA into one GCP project.


  1. Would it be possible to build a GKE cluster in a project and create a GSA for an application running on the GKE cluster in another project?

  2. If so, what roles do I have to grant the GSA associated with the GKE cluster? in order to access the GSAs in the other project and bind them with KSA.

Note: This thread is only about the Google Service Account (GSA) associated with the application running on a GKE cluster, not about the Google Service Account (GSA) associated with the GKE cluster

And how to bind Google Service Account (GSA) in a GCP project with Kubernetes Cluster Service Account (KSA) in the GKE cluster in another GCP project

Read more here:

Content Attribution

This content was originally published by E. S. at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.

%d bloggers like this: