diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index 71f349e49c..40a32eccf6 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -100,7 +100,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 | cluster\_name | Cluster name. Required if using existing KSA. | `string` | `""` | no |
 | gcp\_sa\_name | Name for the Google service account; overrides `var.name`. | `string` | `null` | no |
 | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
-| k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. | `string` | `null` | no |
+| k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. | `string` | `null` | no |
 | location | Cluster location (region if regional cluster, zone if zonal cluster). Required if using existing KSA. | `string` | `""` | no |
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | `string` | n/a | yes |
 | namespace | Namespace for the Kubernetes service account | `string` | `"default"` | no |
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index 315c85fd5d..d19c2c9b68 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
@@ -49,7 +49,7 @@ variable "location" {
 }
 
 variable "k8s_sa_name" {
- description = "Name for the Kubernetes service account; overrides `var.name`."
+ description = "Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified."
 type = string
 default = null
 }
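Review bot: The new description on `k8s_sa_name` in variables.tf states a requirement that nothing in this hunk enforces. The README table shows `cluster_name` and `location` both defaulting to `""`, so a caller who sets `k8s_sa_name` alone would presumably get no plan-time error and the misconfiguration would surface only at apply time, if at all. If the module has no such check elsewhere, consider a `precondition` on the resource that consumes these inputs (or, on Terraform 1.9+, a `validation` block) with `condition = var.k8s_sa_name == null || (var.cluster_name != "" && var.location != "")`. The wording also differs from the neighbouring inputs, whose descriptions still say "Required if using existing KSA"; it would help to state once which condition actually triggers the requirement so the three descriptions agree.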