Your development team is deploying a microservice to Google Kubernetes Engine (GKE). The microservice needs to read files from a Cloud Storage bucket. The security team strictly forbids the use of exported Service Account JSON keys due to the risk of credential leakage. How should you grant the GKE pods access to the Cloud Storage bucket?

Assign the required Cloud Storage IAM role to the GKE underlying Compute Engine node service account.

Store the Service Account JSON key in Kubernetes Secrets and mount it as a volume in the pod.

Enable Workload Identity on the GKE cluster. Bind a Kubernetes Service Account (KSA) to a Google Service Account (GSA) that has access to the bucket.

Configure VPC Service Controls to allow the GKE cluster's IP address to access the Cloud Storage bucket.