You are configuring a GKE cluster that runs multiple microservices. One specific microservice (Pod A) needs to read data from a Cloud Storage bucket. You want to follow the principle of least privilege and avoid using long-lived service account keys. Which TWO steps are required to implement Workload Identity for this pod? (Select TWO)

Workload Identity is the recommended way for GKE applications to authenticate to Google Cloud services. It works by creating a relationship between a Kubernetes Service Account (KSA) and a Google Cloud Service Account (GSA). First, you create the GSA and give it the required IAM roles (Option A). Then, you create a KSA, annotate it, and create an IAM binding that allows the KSA to impersonate the GSA (Option D). The pod is then configured to run as the KSA.