How to fix Error authenticating with Workload Identity: unable to generate access token in Kubernetes

What this error means

Workload Identity allows Kubernetes service accounts to impersonate Google Cloud service accounts. This error occurs when the binding between KSA and GSA is incomplete or misconfigured. Pods try to authenticate with Google Cloud APIs but fail because the trust relationship is not established or IAM permissions are missing.

Typical symptoms

• Pods fail to authenticate with Google Cloud services
• Error: "unable to generate access token" in pod logs
• gcloud CLI inside pods returns "gcloud: command not found" or auth errors
• Application fails with permission denied accessing GCS, BigQuery, or other Google APIs
• Workload Identity webhook pod not running or crashing
• Service account annotations show in pod spec but authentication still fails
• Different error per pod: some succeed, others fail

Common causes

1. KSA (Kubernetes service account) not annotated with GSA email
2. GSA (Google service account) missing IAM bindings to KSA
3. Workload Identity webhook not enabled or not running
4. Namespace missing Workload Identity annotation
5. IAM role insufficient for required API operations
6. KSA and GSA in different projects without cross-project trust
7. Pod spec not using correct service account

How to fix "Error authenticating with Workload Identity: unable to generate access token"

Advanced notes

Related errors

• Failed to connect to server: connection refused (HTTP/2)

  How to fix "HTTP/2 connection refused" error in Kubernetes

  HIGH

• missing request for cpu in container

  How to fix "missing request for cpu in container" in Kubernetes HPA

  HIGH

• error: invalid configuration

  How to fix "error: invalid configuration" in Kubernetes

  HIGH

Official resources & further reading

• 📚Kubernetes Official Documentation
• 📖
  Kubernetes API Reference(Official Docs)
• 📖
  Kubernetes Tasks: Run Applications(Official Docs)
• 💬
  Stack Overflow: Kubernetes gke workload identity error(Stack Overflow)
• 🐙
  Kubernetes GitHub Issues(GitHub)