04/19/2023, 7:55 AM
👋 Hello, team! I'm trying to use the Pulumi operator in GKE. This operator is trying to deploy resources in the GCP account where it is running (cloud run functions). I have a GCP service account mapped to the K8s service account and GKE_METADATA enabled. When the Pulumi operator runs, it uses the GCP ServiceAccount by default (GCP automatically created) instead of the one associated with the K8s service account. The GCP provider is created without creds. I was expecting Pulumi to get the credentials from GKE_METADATA and use them. Do I have the wrong assumption? How can I ask Pulumi to use the SA coming from K8s?


04/21/2023, 9:54 PM
Did you figure this out?


04/23/2023, 11:59 PM
It's working now, but I can’t tell why. In the errors, gcloud spat out the default account instead of the one I was really using; changing permissions seems to fix it (ended up using owner until I have time to be more granular). It doesn’t make sense to me that the logs tell me that I'm using the default account but giving permissions to the SA works… The more I work with GCP, the less I trust their docs/logs/APIs… 🙂