Chris Recalis

Reputation: 85

Unable to setup GKE workload identity invalid argument

Following the Google docs on how to set up Workload Identity: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. I have enabled the GKE metadata server on all nodes as well as the Workload Identity feature at the cluster level. However, when attempting to add an IAM policy binding I get INVALID_ARGUMENT: Request contains an invalid argument. A K8s service account named test-sa was already created in the default namespace. Example command:

gcloud projects add-iam-policy-binding projects/my-project \
    --role=roles/container.clusterViewer \
    --member=principal://iam.googleapis.com/projects/my-project-number/locations/global/workloadIdentityPools/my-project-id.svc.id.goog/subject/ns/default/sa/test-sa \
    --condition=None

And the response is:

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Request contains an invalid argument.

I'm not sure what argument is invalid in the above command since I'm following the docs' suggestions.

Additionally, when enabling Workload Identity on GKE it says it's supposed to set up a pool, but when I run the following no pools have been created:

gcloud iam workload-identity-pools list --location global

Upvotes: 0

Views: 67

Answers (1)

p_lycs

Reputation: 184

I was able to successfully set up a GKE Workload Identity using the document you’ve provided. For you to be able to run it successfully, make sure to use the correct Project Number, Project ID, Namespace and Kubernetes Service account.

To get the correct project name, number and ID use the command below:

gcloud projects describe PROJECT_ID

To get the Namespace and KSA use this command:

kubectl get namespaces
kubectl get serviceaccount -n <namespace-name>

Hope this helps.

Upvotes: 0
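An added check, not part of the question or the answer, that builds the --member value from the four parts the answer lists (project number, project ID, namespace, KSA) and flags the common mix-up of putting the project ID where the project number belongs. The validation patterns are simplified assumptions, not Google's exact naming rules.

```python
import re

# Simplified, assumed constraints (not Google's authoritative rules):
# project number is all digits; project ID is 6-30 lowercase chars starting with a letter;
# namespace and service-account names follow the DNS-1123 label shape.
PROJECT_NUMBER_RE = re.compile(r"^[0-9]+$")
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
K8S_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
POOL_SUFFIX = ".svc.id.goog"

# Shape of the member string used in the question's gcloud command.
MEMBER_RE = re.compile(
    r"^principal://iam\.googleapis\.com/projects/(?P<number>[^/]+)"
    r"/locations/global/workloadIdentityPools/(?P<pool>[^/]+)"
    r"/subject/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$"
)


def member_problems(project_number, project_id, namespace, ksa):
    """Return human-readable problems with the four parts; [] means they look valid."""
    problems = []
    if not PROJECT_NUMBER_RE.match(project_number):
        problems.append(f"project number must be numeric, got {project_number!r} (project ID used instead?)")
    if not PROJECT_ID_RE.match(project_id):
        problems.append(f"project ID {project_id!r} is not a valid project ID (project number used instead?)")
    for label, value in (("namespace", namespace), ("service account", ksa)):
        if not K8S_NAME_RE.match(value):
            problems.append(f"{label} {value!r} is not a valid Kubernetes name")
    return problems


def build_member(project_number, project_id, namespace, ksa):
    """Build the principal:// member for a GKE Workload Identity KSA, or raise on bad parts."""
    problems = member_problems(project_number, project_id, namespace, ksa)
    if problems:
        raise ValueError("; ".join(problems))
    return (
        f"principal://iam.googleapis.com/projects/{project_number}"
        f"/locations/global/workloadIdentityPools/{project_id}{POOL_SUFFIX}"
        f"/subject/ns/{namespace}/sa/{ksa}"
    )


def check_member(member):
    """Parse an existing --member value and report the same problems before running gcloud."""
    m = MEMBER_RE.match(member)
    if not m:
        return ["member does not match the principal://.../subject/ns/NS/sa/KSA form"]
    pool = m.group("pool")
    if not pool.endswith(POOL_SUFFIX):
        return [f"pool {pool!r} must be PROJECT_ID{POOL_SUFFIX}"]
    return member_problems(m.group("number"), pool[: -len(POOL_SUFFIX)], m.group("ns"), m.group("sa"))
```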
