Making IAM for GKE Easier with Workload Identity Federation

Google Cloud

Google Cloud has updated Workload Identity Federation for GKE, making it easier for users to secure their Kubernetes workloads. Previously, workloads needed to impersonate a Google Cloud service account with their Kubernetes service account (KSA). While this improved security, it was difficult to set up. With this update, Google Cloud IAM policies can now directly reference GKE workloads and Kubernetes service accounts, significantly simplifying setup.

Additionally, the update enables deeper integration with Google Cloud’s IAM platform, giving Kubernetes identities first-class principal and principalSet representations within Google Cloud IAM. This means you can now see least privilege recommendations for your Kubernetes workloads and apply these recommendations directly to the Kubernetes principal within the IAM recommender.

Furthermore, the new configuration supports principalSet notation, which enables attribute-based selection of multiple identities. As a result, you can now refer to multiple GKE workloads in a single IAM policy. For example, you can refer to all workloads or pods that belong to a Kubernetes namespace, or all workloads or pods that belong to a Kubernetes cluster.

However, there are a few limitations to be aware of. If any of these apply, you will need to continue to use the previous service account impersonation method to perform authentication. For example, a small number of Google Cloud services don’t yet support Workload and Workforce Identity Federation principals. Similarly, VPC Service Controls ingress and egress rules do not support Workload Identity Federation principal and principalSets. Finally, the specific permission to invoke a Cloud Run instance does not support Workload Identity Federation principal and principalSets.
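The following is an added example, not Google's code or anything from the post. It builds the three member forms the post describes for a GKE workload (a single Kubernetes service account as a `principal://`, and the namespace-wide and cluster-wide `principalSet://` selections), resolves which bindings in a sample IAM policy select a given workload, and flags bindings that need the older impersonation path because of the Cloud Run limitation. The identifier layout follows Google's documented `PROJECT_ID.svc.id.goog` pool format; the project IDs, numbers, cluster, namespaces, KSA names and the sample policy are constructed, and mapping the Cloud Run invocation permission to `roles/run.invoker` is an assumption.

```python
"""Build and resolve Workload Identity Federation for GKE principals (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GkeWorkload:
    """Identity attributes of one pod/workload: project, cluster, namespace and KSA."""
    project_id: str
    project_number: str
    location: str   # cluster location, e.g. us-central1
    cluster: str
    namespace: str
    ksa: str        # Kubernetes service account name

    @property
    def pool(self) -> str:
        # Every GKE project gets a fixed workload identity pool named PROJECT_ID.svc.id.goog.
        return (f"iam.googleapis.com/projects/{self.project_number}/locations/global/"
                f"workloadIdentityPools/{self.project_id}.svc.id.goog")

    def principal(self) -> str:
        """Member string for exactly this Kubernetes service account."""
        return f"principal://{self.pool}/subject/ns/{self.namespace}/sa/{self.ksa}"

    def namespace_set(self) -> str:
        """Member string selecting every workload in this namespace."""
        return f"principalSet://{self.pool}/namespace/{self.namespace}"

    def cluster_set(self) -> str:
        """Member string selecting every workload in this cluster."""
        return (f"principalSet://{self.pool}/kubernetes.cluster/"
                f"https://container.googleapis.com/v1/projects/{self.project_id}/"
                f"locations/{self.location}/clusters/{self.cluster}")


def member_selects(member: str, w: GkeWorkload) -> bool:
    """True if an IAM member string selects the workload, by subject, namespace or cluster."""
    return member in (w.principal(), w.namespace_set(), w.cluster_set())


def effective_roles(policy: dict, w: GkeWorkload) -> set:
    """Roles the workload holds through direct WIF members in the policy.
    Bindings on Google service accounts reached via impersonation are not resolved here."""
    return {b["role"] for b in policy["bindings"]
            if any(member_selects(m, w) for m in b["members"])}


# Roles whose permissions the post says cannot be granted to WIF principals directly.
# Assumption: Cloud Run invocation is represented by roles/run.invoker.
UNSUPPORTED_ROLES = {"roles/run.invoker"}


def lint_policy(policy: dict) -> list:
    """Findings for bindings that must stay on the service account impersonation path."""
    findings = []
    for b in policy["bindings"]:
        for m in b["members"]:
            if b["role"] in UNSUPPORTED_ROLES and m.startswith(("principal://", "principalSet://")):
                findings.append(f"{b['role']} cannot be granted to {m}; "
                                "grant it to a Google service account and impersonate instead")
    return findings


# Constructed sample: two workloads in one cluster and a policy that references them.
BILLING = GkeWorkload("example-proj", "123456789012", "us-central1", "prod", "billing", "billing-sa")
WEB = GkeWorkload("example-proj", "123456789012", "us-central1", "prod", "web", "frontend-sa")

SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": [BILLING.namespace_set()]},
        {"role": "roles/logging.logWriter", "members": [BILLING.cluster_set()]},
        {"role": "roles/secretmanager.secretAccessor", "members": [WEB.principal()]},
        {"role": "roles/run.invoker", "members": [WEB.namespace_set()]},
    ]
}

if __name__ == "__main__":
    for w in (BILLING, WEB):
        print(w.principal())
        print("  roles:", sorted(effective_roles(SAMPLE_POLICY, w)))
    for finding in lint_policy(SAMPLE_POLICY):
        print("WARN:", finding)
```

Each member string produced here is what you would pass to `gcloud projects add-iam-policy-binding PROJECT_ID --role=ROLE --member="principalSet://..."`. Note that `effective_roles` reports what the policy says, while `lint_policy` reports which of those bindings the feature will not honour; both workloads pick up `roles/logging.logWriter` through the cluster-wide set, which is the breadth that the recommender's least-privilege suggestions are there to narrow.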