diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 7d0b652e96..b969e19f08 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -15,16 +15,17 @@
 */
 locals {
- k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.name}]"
+ k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
 # This will cause terraform to block returning outputs until the service account is created
- output_k8s_name = var.use_existing_k8s_sa ? var.name : kubernetes_service_account.main[0].metadata[0].name
+ k8s_given_name = var.k8s_sa_name != null ? var.k8s_sa_name : var.name
+ output_k8s_name = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name
 output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace
 }
 resource "google_service_account" "cluster_service_account" {
 account_id = var.name
- display_name = substr("GCP SA bound to K8S SA ${local.k8s_sa_gcp_derived_name}", 0, 100)
+ display_name = substr("GCP SA bound to K8S SA ${local.k8s_given_name}", 0, 100)
 project = var.project_id
 }
@@ -40,6 +41,8 @@ resource "kubernetes_service_account" "main" {
 }
 }
+# TODO: add the annotation to existing service accounts automatically
+
 resource "google_service_account_iam_member" "main" {
 service_account_id = google_service_account.cluster_service_account.name
 role = "roles/iam.workloadIdentityUser"
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index 6e7cf6f7e5..db991097a8 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
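Review bot: On the `use_existing_k8s_sa` path the workload-identity member in `k8s_sa_gcp_derived_name` is now assembled purely from input strings (`var.namespace` and `local.k8s_given_name`) and nothing checks that a Kubernetes service account by that name actually exists, so a mistyped `k8s_sa_name` still produces a `roles/iam.workloadIdentityUser` binding that whoever later creates a KSA with that name in that namespace inherits. A `data "kubernetes_service_account"` lookup gated on `var.use_existing_k8s_sa`, with `output_k8s_name` reading the name back from it instead of from `local.k8s_given_name`, makes the apply fail when the account is missing (the `member` argument of `google_service_account_iam_member.main` is outside the hunk, so I am assuming it uses the derived local). Separately, `k8s_sa_name` is only consulted when `use_existing_k8s_sa` is true, while `display_name` now uses `local.k8s_given_name` unconditionally, so when the module creates the KSA itself (its `kubernetes_service_account.main` body, and presumably its name, are outside the hunk) the display name can disagree with the bound account; if the asymmetry is deliberate to avoid a dependency on `kubernetes_service_account.main`, a comment such as `# display_name intentionally uses k8s_given_name, not output_k8s_name, to stay independent of kubernetes_service_account.main` would save the next reader the same question. The TODO in the second hunk records the other half of this gap: an existing KSA without the workload-identity annotation receives the IAM binding but cannot use it.
```hcl
data "kubernetes_service_account" "existing" {
  count = var.use_existing_k8s_sa ? 1 : 0
  metadata {
    name      = local.k8s_given_name
    namespace = var.namespace
  }
}

locals {
  # … unchanged: k8s_sa_gcp_derived_name, k8s_given_name …
  output_k8s_name = var.use_existing_k8s_sa ? data.kubernetes_service_account.existing[0].metadata[0].name : kubernetes_service_account.main[0].metadata[0].name
  # … unchanged: output_k8s_namespace …
}
```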
@@ -19,6 +19,12 @@ variable "name" {
 type = string
 }
+variable "k8s_sa_name" {
+ description = "Name for the existing Kubernetes service account"
+ type = string
+ default = null
+}
+
 variable "namespace" {
 description = "Namespace for k8s service account"
 default = "default"
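Review bot: The description of the new `k8s_sa_name` variable does not say that it is only honoured when `use_existing_k8s_sa` is true and that it falls back to `var.name` when left null, which is the behaviour `local.k8s_given_name` and `local.output_k8s_name` implement in main.tf; a caller setting it while the module creates the KSA would be silently ignored. Suggested wording: `description = "Name of the existing Kubernetes service account to bind; only used when use_existing_k8s_sa is true, defaults to var.name"`. If the provider version in use supports it, a `validation` block rejecting a non-null value when `use_existing_k8s_sa` is false would turn that silent ignore into a plan-time error.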