Configure the GKE nodes to use the default Compute Engine service account.

Enable Workload Identity for GKE. Assign a Kubernetes service account to the application and configure that Kubernetes service account to act as an Identity and Access Management (IAM) service account. Grant the required roles to the IAM service account.

Create a user-managed service account with only the roles required for the specific workload. Assign this service account to the GKE nodes.

Create an application-specific IAM service account and generate a user-managed service account key for it. Inject the key to the workload by storing it as a Kubernetes secret within the same namespace as the application.