Scenario #349
Storage
GKE, Workload Identity enabled

VolumeProvisioningFailure on GKE Due to IAM Misconfiguration

The CSI driver failed to provision new volumes due to missing IAM permissions, even though the StorageClass was valid.

What Happened

The GCP Persistent Disk CSI driver couldn't create disks because the service account it ran as lacked the required Compute Engine permissions.

Diagnosis Steps
  1. Event logs: failed to provision volume with StorageClass: permission denied.
  2. IAM policy lacked compute.disks.create.
Root Cause

The CSI driver operated under Workload Identity, and the service account it was bound to had incorrect IAM bindings.

Fix/Workaround
• Granted missing IAM permissions to the bound service account.
• Restarted CSI controller.
Lessons Learned

IAM and CSI need constant alignment in cloud environments.

How to Avoid
  1. Use pre-flight IAM checks during cluster provisioning.
  2. Bind GKE Workload Identity properly.
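The two avoidance steps above can be combined into one pre-flight check of the Workload Identity chain (KSA annotation, workloadIdentityUser binding, project roles). The code below is an added illustration, not part of this scenario or of the CSI driver project; the project, namespace, service-account names and the role-to-permission table are constructed assumptions, and the bindings mirror the JSON shape of `gcloud ... get-iam-policy --format=json`.

```python
# Added example: pre-flight check of the Workload Identity -> GCP service account -> IAM role
# chain that the PD CSI driver depends on. All names and sample policies are constructed.

WI_ANNOTATION = "iam.gke.io/gcp-service-account"
REQUIRED = {"compute.disks.create", "compute.disks.get", "compute.disks.delete"}

# Assumed subset of the permissions each predefined role carries (hypothetical table for this check).
ROLE_PERMISSIONS = {
    "roles/compute.storageAdmin": {"compute.disks.create", "compute.disks.get",
                                   "compute.disks.delete", "compute.disks.list"},
    "roles/compute.viewer": {"compute.disks.get", "compute.disks.list"},
}


def members_with_role(bindings, role):
    """Return the set of members granted `role` in a gcloud-style bindings list."""
    return {m for b in bindings if b.get("role") == role for m in b.get("members", [])}


def preflight(project, namespace, ksa_name, ksa_annotations, sa_policy_bindings, project_bindings):
    """Return a list of findings; an empty list means the identity chain is complete."""
    gsa = ksa_annotations.get(WI_ANNOTATION)
    if not gsa:
        return [f"KSA {namespace}/{ksa_name} has no {WI_ANNOTATION} annotation"]
    findings = []
    # Step 1: the KSA must be allowed to impersonate the GSA (workloadIdentityUser on the GSA).
    wi_member = f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa_name}]"
    if wi_member not in members_with_role(sa_policy_bindings, "roles/iam.workloadIdentityUser"):
        findings.append(f"{gsa} lacks roles/iam.workloadIdentityUser binding for {wi_member}")
    # Step 2: the GSA's project-level roles must cover every permission the CSI driver needs.
    granted = set()
    for b in project_bindings:
        if f"serviceAccount:{gsa}" in b.get("members", []):
            granted |= ROLE_PERMISSIONS.get(b.get("role"), set())
    missing = sorted(REQUIRED - granted)
    if missing:
        findings.append(f"{gsa} is missing permissions: {', '.join(missing)}")
    return findings


# Constructed sample: annotation and WI binding present, but only compute.viewer granted,
# which reproduces the "permission denied" on compute.disks.create from the scenario.
SAMPLE_KSA = {WI_ANNOTATION: "pd-csi@my-project.iam.gserviceaccount.com"}
SAMPLE_SA_POLICY = [{"role": "roles/iam.workloadIdentityUser",
                     "members": ["serviceAccount:my-project.svc.id.goog[csi/pd-csi-sa]"]}]
SAMPLE_PROJECT = [{"role": "roles/compute.viewer",
                   "members": ["serviceAccount:pd-csi@my-project.iam.gserviceaccount.com"]}]

if __name__ == "__main__":
    for f in preflight("my-project", "csi", "pd-csi-sa", SAMPLE_KSA, SAMPLE_SA_POLICY, SAMPLE_PROJECT):
        print("FAIL:", f)
```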