vmware-tanzu · s3than · Mar 27, 2026
diff --git a/velero-plugin-for-gcp/object_store.go b/velero-plugin-for-gcp/object_store.go
@@ -158,9 +158,13 @@ func (o *ObjectStore) Init(config map[string]string) error {
 		if err != nil {
 			return errors.WithStack(err)
 		}
-		if o.fileCredType == serviceAccountKey {
+		switch o.fileCredType {
+		case serviceAccountKey:
 			// Using Credentials File
 			err = o.initFromKeyFile(creds)
+		case externalAccountKey:
+			// Using Workload Identity Federation - read serviceAccount from BSL config for signing
+			err = o.initFromComputeEngine(config)
 		}
 	} else {
 		// Using compute engine credentials. Use this if workload identity is enabled.

diff --git a/velero-plugin-for-gcp/object_store_test.go b/velero-plugin-for-gcp/object_store_test.go
@@ -158,6 +158,13 @@ func TestObjectExists(t *testing.T) {
 	}
 }
 
+func TestCreateSignedURL_emptyGoogleAccessID(t *testing.T) {
+	o := newObjectStore(velerotest.NewLogger())
+	// googleAccessID is empty — simulates external_account credentials with no serviceAccount in BSL config
+	_, err := o.CreateSignedURL("bucket", "key", 0)
+	require.EqualError(t, err, "GoogleAccessID is empty, perhaps using external_account credentials, cannot create signed URL")
+}
+
 func Test_getSecretAccountKey(t *testing.T) {
 	type args struct {
 		secretByte []byte