Tags: google-kubernetes-engine, google-artifact-registry, workload-identity

Unable to authenticate to Artifact Registry using Workload Identity


I have not been having any luck with my case via GCP Support, so figured I would ask this of the wider community to see if anyone can help put me on the right path.

I, no matter what I try, cannot pull Artifact Registry (private) images via Workload Identity.

Here are the relevant configs and logs. My service account (artifact-registry-sa) has overly permissive permissions for the sake of troubleshooting, but currently has:

* Added by support recommendation

I have also tried utilizing the service accounts the nodes were created with, which again have the overly permissive role of roles/editor. Support recommended I proceed with this documentation, which, as I pointed out, has me manually SSH-ing into nodes (not possible with autoscaling nodes) and does not utilize Workload Identity at all, which is the entire point of the case. If I wanted this to work I would just use a static JSON service account key and be done with it. That's not acceptable from a security standpoint for my organization.

I am chasing my tail here and am really at a loss. According to the documentation this should "just work". I have other services such as cert-manager and external-dns successfully using Workload Identity. 

The SA is annotated and mapped correctly (as far as I can tell) to the GCP SA. The deployment and the SA are in the same namespace so that should not be an issue.

Does anyone have anything to check or try? Has anyone else experienced, or is anyone experiencing, anything similar?


Solution

  • The solution ended up being that you have to specify the use of the default service account:

    ...
      spec:
        serviceAccountName: default
    

    In my testing I was leaving it off and assuming it would use the default.
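A pre-flight check for the wiring the answer above depends on (the pod spec naming its Kubernetes service account explicitly and that KSA carrying the Workload Identity annotation), written here as an added example and not code from the original post. The sample Deployment and KSA objects are constructed inline, and the project id `my-project-id` is a placeholder.

```python
"""Check the Workload Identity wiring between a GKE Deployment and its KSA."""
import re

WI_ANNOTATION = "iam.gke.io/gcp-service-account"
# GSA e-mail shape: <6-30 char account id>@<project id>.iam.gserviceaccount.com
GSA_RE = re.compile(r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}\.iam\.gserviceaccount\.com$")


def check_wiring(deployment, ksas):
    """Return findings (empty list means the wiring is consistent).

    deployment: dict shaped like `kubectl get deploy NAME -o json`
    ksas: list of dicts shaped like .items of `kubectl get sa -o json`
    """
    findings = []
    ns = deployment["metadata"].get("namespace", "default")
    pod_spec = deployment["spec"]["template"]["spec"]
    ksa_name = pod_spec.get("serviceAccountName")
    if not ksa_name:
        # An omitted field silently falls back to 'default'; make it explicit
        # so the KSA-to-GSA mapping is visible in the manifest.
        findings.append("pod spec omits serviceAccountName; set it explicitly")
        ksa_name = "default"
    ksa = next((s for s in ksas if s["metadata"]["name"] == ksa_name
                and s["metadata"].get("namespace", "default") == ns), None)
    if ksa is None:
        findings.append(f"KSA {ns}/{ksa_name} not found in the Deployment's namespace")
        return findings
    gsa = (ksa["metadata"].get("annotations") or {}).get(WI_ANNOTATION)
    if not gsa:
        findings.append(f"KSA {ns}/{ksa_name} lacks the {WI_ANNOTATION} annotation")
    elif not GSA_RE.match(gsa):
        findings.append(f"annotation value {gsa!r} is not a GSA e-mail address")
    return findings


def workload_identity_member(project_id, namespace, ksa_name):
    """IAM member that must hold roles/iam.workloadIdentityUser on the GSA."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


# Constructed sample objects; 'my-project-id' is a placeholder project id.
KSAS = [{"metadata": {"name": "default", "namespace": "apps", "annotations": {
    WI_ANNOTATION: "artifact-registry-sa@my-project-id.iam.gserviceaccount.com"}}}]
DEPLOY_IMPLICIT = {"metadata": {"name": "web", "namespace": "apps"},
                   "spec": {"template": {"spec": {"containers": []}}}}
DEPLOY_EXPLICIT = {"metadata": {"name": "web", "namespace": "apps"},
                   "spec": {"template": {"spec": {"serviceAccountName": "default",
                                                  "containers": []}}}}
```

Feed it the JSON from `kubectl get deploy ... -o json` and `kubectl get sa -o json` to see whether the mapping that the answer relies on is actually in place.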