Prometheus scaler cannot authenticate to GCP Managed Prometheus using Workload Identity after PubSub trigger deprecation

[amer-idwise]

Environment

• KEDA version: v2.x
• Kubernetes: GKE
• Authentication: GKE Workload Identity
• Cloud provider: GCP
• Metrics backend: Google Cloud Managed Service for Prometheus
• Trigger type: prometheus

---

Context

After the deprecation of the native GCP PubSub triggers, the recommended approach is to use the prometheus scaler against Google Managed Prometheus, as documented here:
https://keda.sh/blog/2025-09-15-gcp-deprecations/

The example configuration requires credentialsFromEnv, which assumes a JSON service account key. This conflicts with GKE Workload Identity, where no JSON key should be used and authentication should rely on the pod identity instead.

---

ScaledObject trigger example

- type: prometheus
  metadata:
    serverAddress: https://monitoring.googleapis.com/v1/projects/my-keda-project/location/global/prometheus
    query: '{"__name__"="cloudtasks.googleapis.com/queue/depth","monitored_resource"="cloud_tasks_queue","queue_id"="consumer-queue"}'
    threshold: "5"
    activationThreshold: "0"
    credentialsFromEnv: GOOGLE_APPLICATION_CREDENTIALS_JSON

The issue is that credentialsFromEnv requires a JSON credentials payload, while in GKE the expected approach is Workload Identity without static credentials.

---

KEDA operator Workload Identity setup

Helm values used when deploying KEDA:

serviceAccount:
  operator:
    annotations:
      iam.gke.io/gcp-service-account: {GCP_SA}@{PROJECTID}.iam.gserviceaccount.com

IAM binding applied:

gcloud iam service-accounts add-iam-policy-binding \
  {GCP_SA}@{PROJECTID}.iam.gserviceaccount.com \
  --role=roles/iam.workloadIdentityUser \
  --member="serviceAccount:{PROJECTID}.svc.id.goog[keda/keda-operator]"

The GCP service account has the required Monitoring permissions.

---

Observed behavior

The Prometheus scaler fails to authenticate when querying Google Managed Prometheus.

Event on the ScaledObject:

KEDAScalerFailed: prometheus query api returned error.
status: 401
response:
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CREDENTIALS_MISSING",
        "domain": "googleapis.com",
        "metadata": {
          "service": "monitoring.googleapis.com",
          "method": "google.monitoring.prometheus.v1.PrometheusUpstream.QueryInstant"
        }
      }
    ]
  }
}

---

Expected behavior

The Prometheus scaler should be able to authenticate to Google Managed Prometheus using the KEDA operator pod identity via GKE Workload Identity, without requiring credentialsFromEnv or a JSON service account key.

---

Problem summary

• credentialsFromEnv enforces JSON based credentials
• GKE Workload Identity does not use JSON keys
• There is no documented or supported way to tell the Prometheus scaler to rely on ambient GCP credentials
• This blocks migration from deprecated GCP PubSub triggers to the recommended Prometheus based approach on GKE

---

Questions

• Is Workload Identity supported for the Prometheus scaler when querying Google Managed Prometheus?
• If yes, how should the trigger be configured without credentialsFromEnv?
• If not, is there a planned enhancement to support native GCP authentication flows for this use case?

---

References

• PubSub trigger deprecation blog: https://keda.sh/blog/2025-09-15-gcp-deprecations/
• Similar issue for context: Does KEDA support IAM based authentication for AWS postgres #7206

Edit

I noticed that KEDA documents support for GCP Workload Identity as described here:
https://keda.sh/docs/2.18/authentication-providers/gcp-workload-identity/

Based on that, I redeployed KEDA using Helm with explicit GCP pod identity configuration.

Helm values used:

serviceAccount:
  operator:
    annotations:
      iam.gke.io/gcp-service-account: {GCP_SA}@{PROJECTID}.iam.gserviceaccount.com

podIdentity:
  provider: gcp
  gcp:
    enabled: true
    gcpIAMServiceAccount: "{GCP_SA}@{PROJECTID}.iam.gserviceaccount.com"

Deployment command:

helm upgrade --install keda kedacore/keda \
  -n keda \
  --create-namespace \
  --version 2.18.3 \
  -f keda-values.yaml

Despite enabling GCP pod identity explicitly, the Prometheus scaler still fails to authenticate against Google Managed Prometheus.

The same error persists:

prometheus query api returned error. status: 401 response:
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CREDENTIALS_MISSING",
        "domain": "googleapis.com",
        "metadata": {
          "method": "google.monitoring.prometheus.v1.PrometheusUpstream.QueryInstant",
          "service": "monitoring.googleapis.com"
        }
      }
    ]
  }
}

And also observed as:

prometheus query api returned error. status: 401 response:
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CREDENTIALS_MISSING",
        "domain": "googleapis.com",
        "metadata": {
          "service": "monitoring.googleapis.com",
          "method": "google.monitoring.prometheus.v1.PrometheusUpstream.QueryInstant"
        }
      }
    ]
  }
}