Troubleshoot managed workload identity authentication for GKE

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

This document describes resolutions for common managed workload identity errors.

You can check the status of a Pod by running the following command:

kubectl describe pod

Pod fails to be deployed with certificates

If the Google Kubernetes Engine (GKE) workload Pod has failed to be deployed with the mounted certificates, use the following command to check the Pod status:

kubectl describe pod POD_NAME -n POD_NAMESPACE

Permissions-related errors

This section describes errors related to incorrect permissions.

Permission denied while issuing the certificate: failed to issue the certificate from the GKE Auth

This error looks similar to the following:

Permission denied while issuing the certificate: failed to issue the certificate from the GKE Auth: rpc error: code = PermissionDenied desc = Permission 'privateca.certificates.createForSelf' denied on 'projects/PROJECT_NUMBER/locations/REGION/caPools/CA_POOL_ID'

The error occurred because the workload identity pool is missing the CA Service Workload Certificate Requester role (roles/privateca.workloadCertificateRequester) on the subordinate CA pool.

To resolve this error, grant the role to the pool:

gcloud privateca pools add-iam-policy-binding SUBORDINATE_CA_POOL_ID \
    --project=CA_POOL_PROJECT_ID \
    --location=REGION \
    --role=roles/privateca.workloadCertificateRequester \
    --member="principal://iam.googleapis.com/projects/CA_POOL_PROJECT_NUMBER/name/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog"

Replace the following:

  • SUBORDINATE_CA_POOL_ID: the subordinate CA pool ID
  • CA_POOL_PROJECT_ID: the project ID of the root CA pool
  • REGION: the subordinate CA region
  • CA_POOL_PROJECT_NUMBER: the CA pool project number
  • PROJECT_ID: the workload identity pool project ID

MountVolume.SetUp failed for volume

This error looks similar to the following:

MountVolume.SetUp failed for volume "fleet-spiffe-credentials" : rpc error: code = Internal desc = unable to mount volume: while creating volume: while loading trust bundles: rpc error: code = Internal desc = while getting trust map from the trustBundleWatcher: rpc error: code = Internal desc = no GKEClusterTrustBundle objects found with fleet WIP nickname fleet-project/svc.id.goog

This error occurred because the workload identity pool is missing the Private CA Pool Reader role (roles/privateca.poolReader) on the subordinate CA pool.

To resolve this error, grant the role to the pool and wait a few minutes for the trust bundles to be loaded:

gcloud privateca pools add-iam-policy-binding SUBORDINATE_CA_POOL_ID \
    --location=REGION \
    --role=roles/privateca.poolReader \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/name/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog"

Replace the following:

  • SUBORDINATE_CA_POOL_ID: the subordinate CA pool ID
  • REGION: the subordinate CA region
  • PROJECT_NUMBER: the workload identity pool project number
  • PROJECT_ID: the workload identity pool project ID

You can use the following command to check the existence of the trust bundles:

kubectl get gkeclustertrustbundle

When the trust bundles are loaded, the response looks like the following:

NAME                                  AGE
svc.id.goog-PROJECT_ID.svc.id.goog   5m35s

In the output, PROJECT_ID is the project ID of the fleet that your trust root is associated with.

Certificate errors

The errors in this section are related to certificate configuration.

Several errors can occur if managed workload identity certificates aren't generated. To check for the existence of these certificates on Pod-mounted volumes, do the following:

  1. Connect to the pod.

    # Open the pod sh interface
    kubectl exec -it $pod_name -n $pod_namespace -- sh

  2. List and inspect the credential files.

    # Look up the volume contents:
    ls -la /var/run/secrets/workload-spiffe-credentials
    cat /var/run/secrets/workload-spiffe-credentials/certificates.pem
    cat /var/run/secrets/workload-spiffe-credentials/ca_certificates.pem
    cat /var/run/secrets/workload-spiffe-credentials/private_key.pem
    cat /var/run/secrets/workload-spiffe-credentials/trust_bundles.json

You can also check a Pod's certificate provisioning status by inspecting the k8s_container logs of the gke-metadata-server container in the Google Cloud console.
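The manual steps above can be scripted. The following is an added example, not code from the Google Cloud page: it checks that each credential file the page lists exists and is non-empty on the Pod-mounted volume, counts the certificates in the PEM bundles, and, when openssl is available in the image, prints the leaf certificate's subject, SPIFFE ID (URI SAN) and validity window and verifies it against ca_certificates.pem. The function names and the CRED_DIR override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page: check the credential files the
# page lists on the Pod-mounted volume and (best effort) show the leaf
# certificate's identity and validity with openssl. Run it inside the Pod, e.g.
#   kubectl exec -it $pod_name -n $pod_namespace -- sh -s < check_spiffe_volume.sh
# or point CRED_DIR at a local copy of the volume.

CRED_DIR="${CRED_DIR:-/var/run/secrets/workload-spiffe-credentials}"
REQUIRED_FILES="certificates.pem ca_certificates.pem private_key.pem trust_bundles.json"

# check_credential_files DIR: one status line per expected file; exit 0 only
# when every file exists and is non-empty (a missing or empty file means
# issuance has not completed, the symptom behind the page's certificate errors).
check_credential_files() {
  dir=$1
  missing=0
  for f in $REQUIRED_FILES; do
    if [ -s "$dir/$f" ]; then
      printf 'ok       %-22s %s bytes\n' "$f" "$(wc -c < "$dir/$f" | tr -d ' ')"
    else
      printf 'MISSING  %s\n' "$f"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# count_pem_blocks FILE: number of certificates in a PEM bundle (certificates.pem
# usually carries the leaf plus its chain, ca_certificates.pem the trust anchors).
# Prints 0 for a missing file.
count_pem_blocks() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# show_leaf_certificate DIR: subject, SANs (the SPIFFE ID is the URI SAN) and
# validity of the first certificate in certificates.pem, then chain verification
# against ca_certificates.pem; any intermediates in certificates.pem are passed
# as untrusted so the verifier can build the path.
show_leaf_certificate() {
  dir=$1
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found in this image; copy the files out and inspect them locally"
    return 0
  fi
  openssl x509 -in "$dir/certificates.pem" -noout -subject -ext subjectAltName -dates
  openssl verify -CAfile "$dir/ca_certificates.pem" -untrusted "$dir/certificates.pem" "$dir/certificates.pem"
}

# report [DIR]: run all checks; the exit status is that of check_credential_files.
report() {
  dir=${1:-$CRED_DIR}
  echo "Inspecting $dir"
  if check_credential_files "$dir"; then status=0; else status=1; fi
  echo "certificates.pem holds $(count_pem_blocks "$dir/certificates.pem") certificate(s); ca_certificates.pem holds $(count_pem_blocks "$dir/ca_certificates.pem")"
  [ "$status" -eq 0 ] && show_leaf_certificate "$dir"
  return "$status"
}
```

Call `report` with no argument inside the Pod to inspect the mounted volume, or `report /path/to/copy` on a workstation. A non-zero exit status from `report` means at least one of the four files is absent or empty, which points back to the permission and precondition errors described on this page rather than to a problem in the workload itself.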

Failed precondition while issuing the certificate

The Pod description can include the following message:

Failed precondition while issuing the certificate: failed to issue the certificate from the GKE Auth: rpc error: code = FailedPrecondition

This error occurred because the workload identity pool wasn't configured with a certificate issuance configuration (CIC).

To resolve this error, create a CIC and use it to update the workload identity pool.
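The three errors on this page (the PermissionDenied on privateca.certificates.createForSelf, the MountVolume.SetUp failure with no GKEClusterTrustBundle objects, and the FailedPrecondition for a missing CIC) each have one distinctive signature in the Pod description. The following is an added example, not code from the Google Cloud page: it reads `kubectl describe pod` output, recognises those signatures, and prints the fix the page prescribes for each one. The diagnosis codes, function names and the constructed sample events are assumptions of this example; the uppercase values in the printed gcloud commands are the same placeholders the page uses.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page: map the three error signatures
# this page documents to the fix it prescribes. Feed it the output of
#   kubectl describe pod POD_NAME -n POD_NAMESPACE | sh triage.sh   (with a call to triage at the end)
# All uppercase values in the printed commands are placeholders.

# diagnose_line LINE: print a diagnosis code for a known signature (exit 0),
# or print nothing and exit 1 when the line is not one of the page's errors.
diagnose_line() {
  case "$1" in
    *"privateca.certificates.createForSelf"*)
      echo MISSING_WORKLOAD_CERT_REQUESTER_ROLE ;;
    *"no GKEClusterTrustBundle objects found"*)
      echo MISSING_POOL_READER_ROLE ;;
    *"Failed precondition while issuing the certificate"*)
      echo MISSING_CIC ;;
    *) return 1 ;;
  esac
}

# remediation CODE: print the page's remediation for a diagnosis code.
remediation() {
  case "$1" in
    MISSING_WORKLOAD_CERT_REQUESTER_ROLE) cat <<'EOF'
Grant roles/privateca.workloadCertificateRequester to the workload identity pool on the subordinate CA pool:
  gcloud privateca pools add-iam-policy-binding SUBORDINATE_CA_POOL_ID \
    --project=CA_POOL_PROJECT_ID --location=REGION \
    --role=roles/privateca.workloadCertificateRequester \
    --member="principal://iam.googleapis.com/projects/CA_POOL_PROJECT_NUMBER/name/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog"
EOF
    ;;
    MISSING_POOL_READER_ROLE) cat <<'EOF'
Grant roles/privateca.poolReader to the workload identity pool on the subordinate CA pool,
then wait a few minutes and confirm with: kubectl get gkeclustertrustbundle
  gcloud privateca pools add-iam-policy-binding SUBORDINATE_CA_POOL_ID \
    --location=REGION --role=roles/privateca.poolReader \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/name/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog"
EOF
    ;;
    MISSING_CIC) cat <<'EOF'
The workload identity pool has no certificate issuance configuration (CIC):
create a CIC and update the workload identity pool to use it.
EOF
    ;;
    *) echo "unknown diagnosis code: $1" >&2; return 1 ;;
  esac
}

# triage: read describe-pod output from stdin, print each distinct diagnosis
# once with its fix; exit 0 if at least one known signature was found.
triage() {
  seen=" "
  while IFS= read -r line; do
    code=$(diagnose_line "$line") || continue
    case "$seen" in *" $code "*) continue ;; esac
    seen="$seen$code "
    echo "== $code"
    remediation "$code"
  done
  [ "$seen" != " " ]
}

# Constructed sample of the Events section of `kubectl describe pod` (not real
# cluster output) so the script can be exercised offline.
SAMPLE_EVENTS='Events:
  Type     Reason       Age   From               Message
  ----     ------       ---   ----               -------
  Normal   Scheduled    3m    default-scheduler  Successfully assigned demo/app-0 to gke-node-1
  Warning  FailedMount  2m    kubelet            MountVolume.SetUp failed for volume "fleet-spiffe-credentials" : rpc error: code = Internal desc = no GKEClusterTrustBundle objects found with fleet WIP nickname fleet-project/svc.id.goog
  Warning  FailedMount  1m    kubelet            MountVolume.SetUp failed for volume "fleet-spiffe-credentials" : rpc error: code = Internal desc = no GKEClusterTrustBundle objects found with fleet WIP nickname fleet-project/svc.id.goog'

# run_sample: triage the constructed sample; prints exactly one diagnosis block.
run_sample() {
  printf '%s\n' "$SAMPLE_EVENTS" | triage
}
```

Because the same event is usually reported repeatedly as the kubelet retries the mount, `triage` de-duplicates by diagnosis code so each fix is printed once. A non-zero exit from `triage` means none of the page's signatures appeared, so the failure lies elsewhere and the gke-metadata-server container logs are the next place to look.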

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.