I deployed this in a cluster with Workload Identity enabled but got a permissions error when I tried to publish to a topic that the associated service account had permissions for.
By explicitly creating a key for the service account and providing it as the json_key_file (as I would do in a cluster without Workload Identity), it worked, so I don't think there was anything wrong with the permissions themselves, just that the plugin isn't "Workload Identity-aware".
The workaround is simple, so the impact is just a little extra work to get it up and running and some extra Kubernetes cruft in our Terraform for provisioning the cluster, which was a shame because Workload Identity had previously done away with that.