Professional Cloud Developer Exam Questions

Professional Cloud Developer Exam - Question 331


You are deploying a microservices application to GKE. One microservice needs to download files from a Cloud Storage bucket. You have an IAM service account with the Storage Object Viewer role on the project with the bucket. You need to configure your application to access the Cloud Storage bucket while following Google-recommended practices. What should you do?

Correct Answer:

Discussion

1 comment
Sandesh24 - Option: D
Mar 1, 2025

Workload Identity is the Google-recommended best practice for securely accessing Google Cloud resources from GKE. By creating a Kubernetes service account and binding it to the IAM service account (using an IAM policy binding), you avoid the need to manage service account keys. This setup securely propagates credentials to your Pods, ensuring they can access the Cloud Storage bucket without exposing sensitive keys. This approach minimizes operational overhead while following the principle of least privilege.
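The wiring described in the comment above can be checked mechanically. The following is an added example, not part of the original page or comment: it audits a Pod, its Kubernetes service account, and the IAM service account's policy for a consistent Workload Identity setup and flags leftover key-file usage. The project, namespace, account names and the `audit` and `wi_member` helpers are assumptions made for illustration, and the sample objects are constructed.

```python
WI_ROLE = "roles/iam.workloadIdentityUser"
WI_ANNOTATION = "iam.gke.io/gcp-service-account"

def wi_member(project_id, namespace, ksa_name):
    """IAM principal that stands for a Kubernetes service account."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"

def audit(project_id, gsa_email, gsa_policy, ksa, pod):
    """Return findings; an empty list means the wiring is consistent."""
    findings = []
    ns = ksa["metadata"].get("namespace", "default")
    name = ksa["metadata"]["name"]
    # 1. The Pod must actually run as the Kubernetes service account.
    if pod["spec"].get("serviceAccountName", "default") != name:
        findings.append("pod does not run as the bound Kubernetes service account")
    # 2. The KSA must be annotated with the IAM service account it impersonates.
    if ksa["metadata"].get("annotations", {}).get(WI_ANNOTATION) != gsa_email:
        findings.append("KSA annotation does not name the IAM service account")
    # 3. The IAM service account's policy must let the KSA impersonate it.
    member = wi_member(project_id, ns, name)
    if not any(b["role"] == WI_ROLE and member in b["members"]
               for b in gsa_policy.get("bindings", [])):
        findings.append(f"missing {WI_ROLE} binding for {member}")
    # 4. No container should still point at an exported key file.
    for c in pod["spec"]["containers"]:
        if any(e["name"] == "GOOGLE_APPLICATION_CREDENTIALS" for e in c.get("env", [])):
            findings.append(f"container {c['name']} still uses a service account key file")
    return findings

# Constructed sample objects (all names are placeholders, not from the page).
PROJECT = "example-project"
GSA = "storage-reader@example-project.iam.gserviceaccount.com"
KSA = {"metadata": {"name": "downloader", "namespace": "files",
                    "annotations": {WI_ANNOTATION: GSA}}}
POLICY = {"bindings": [{"role": WI_ROLE,
                        "members": [wi_member(PROJECT, "files", "downloader")]}]}
GOOD_POD = {"spec": {"serviceAccountName": "downloader",
                     "containers": [{"name": "app"}]}}
KEY_POD = {"spec": {"serviceAccountName": "default", "containers": [
    {"name": "app", "env": [{"name": "GOOGLE_APPLICATION_CREDENTIALS",
                             "value": "/var/secrets/key.json"}]}]}}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("key-based", KEY_POD)):
        print(label, audit(PROJECT, GSA, POLICY, KSA, pod))
```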