GKE access control consists of two separate identity systems - Cloud IAM (Cloud Identity) and native Kubernetes identity and RBAC (Kube Identity).

Each of these (Cloud IAM and Kube RBAC) has its own notion of a service account, and the two serve different purposes: a Cloud IAM service account authenticates to Google Cloud APIs, while a Kubernetes service account authenticates to the Kubernetes API server.

What is workload Identity?

To tie these two distinct service accounts together, a third mechanism is needed. This is Workload Identity, which lets a Kubernetes service account act as a specific Cloud IAM service account when it calls Google Cloud APIs.
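The following audit script is an added example and is not part of the original notes. It assumes the standard Workload Identity wiring on GKE: the Kubernetes service account (KSA) carries the annotation iam.gke.io/gcp-service-account naming a Google service account (GSA), and the GSA's IAM policy grants roles/iam.workloadIdentityUser to the member serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]. The project, namespace and account names (demo-proj, prod, app-ksa, app-gsa) and the two inline documents are constructed sample data shaped like the JSON that kubectl and gcloud would print. The check confirms both halves of the link agree and lists every other principal that is allowed to impersonate the GSA, which is the part a reviewer most wants to see.

```python
"""Check a GKE Workload Identity binding from both sides (KSA and GSA).

Added example, not from the original notes. Assumes the usual Workload
Identity setup: KSA annotation iam.gke.io/gcp-service-account -> GSA email,
and GSA IAM policy granting roles/iam.workloadIdentityUser to the KSA member.
"""
import json

WI_ROLE = "roles/iam.workloadIdentityUser"
KSA_ANNOTATION = "iam.gke.io/gcp-service-account"

# Constructed sample, shaped like `kubectl get sa app-ksa -n prod -o json`.
SAMPLE_KSA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "app-ksa",
        "namespace": "prod",
        "annotations": {KSA_ANNOTATION: "app-gsa@demo-proj.iam.gserviceaccount.com"},
    },
}

# Constructed sample, shaped like
# `gcloud iam service-accounts get-iam-policy <gsa-email> --format=json`.
SAMPLE_GSA_POLICY = {
    "bindings": [
        {
            "role": WI_ROLE,
            "members": [
                "serviceAccount:demo-proj.svc.id.goog[prod/app-ksa]",
                # A grant like this lets every pod that runs as the default KSA
                # in the default namespace act as the GSA; the audit flags it.
                "serviceAccount:demo-proj.svc.id.goog[default/default]",
            ],
        },
        {"role": "roles/iam.serviceAccountUser", "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXyZ=",
}


def wi_member(project_id, namespace, ksa_name):
    """IAM member string that identifies one KSA in a project's workload pool."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def audit_binding(ksa_manifest, gsa_email, gsa_policy, project_id):
    """Return a report on the KSA -> GSA link.

    ksa_manifest: dict parsed from the KSA JSON (kubectl get sa ... -o json)
    gsa_policy:   dict parsed from the GSA IAM policy JSON (gcloud ... --format=json)
    """
    meta = ksa_manifest["metadata"]
    annotated_gsa = meta.get("annotations", {}).get(KSA_ANNOTATION)
    expected_member = wi_member(project_id, meta["namespace"], meta["name"])

    # Collect every principal that holds workloadIdentityUser on this GSA.
    wi_members = set()
    for binding in gsa_policy.get("bindings", []):
        if binding.get("role") == WI_ROLE:
            wi_members.update(binding.get("members", []))

    return {
        # KSA side: does the annotation point at the GSA we are reviewing?
        "ksa_annotated_for_this_gsa": annotated_gsa == gsa_email,
        # GSA side: does the policy actually let this KSA impersonate it?
        "gsa_grants_this_ksa": expected_member in wi_members,
        # Anyone else who can impersonate the GSA: review each entry.
        "other_impersonators": sorted(wi_members - {expected_member}),
    }


def main():
    report = audit_binding(
        SAMPLE_KSA,
        "app-gsa@demo-proj.iam.gserviceaccount.com",
        SAMPLE_GSA_POLICY,
        "demo-proj",
    )
    print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
```

Run against real data by replacing the two sample dicts with the parsed output of the kubectl and gcloud commands named in the comments. A KSA that is annotated but not granted simply fails to get tokens; the more important finding is a non-empty "other_impersonators" list, since each entry is another workload that can obtain the GSA's credentials.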

Appendix - Cloud IAM roles for GKE: GKE Viewer, GKE Admin, GKE Developer, GKE Cluster Admin. None of these grants access to the nodes within the clusters.