diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl
index a63df04ef..b8c9dd76a 100644
--- a/autogen/main/dns.tf.tmpl
+++ b/autogen/main/dns.tf.tmpl
@@ -20,14 +20,14 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "~> 2.1.0"
+ enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name = google_container_cluster.primary.name
+ cluster_location = google_container_cluster.primary.location
+ project_id = var.project_id
+ upgrade = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
 kubectl_destroy_command = ""
diff --git a/dns.tf b/dns.tf
index 76a73f14e..3aafda726 100644
--- a/dns.tf
+++ b/dns.tf
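Review bot: The added `+ impersonate_service_account = var.impersonate_service_account` line references a root-module variable, but no `variable "impersonate_service_account"` declaration for the root module or the autogen variables template appears in this chunk; the diff declares it only in modules/asm/variables.tf, so unless a later part of the diff adds it, the generated root and beta-* modules would fail validation on an undeclared variable. The same applies to the identical hunks in dns.tf and the four modules/beta-*/dns.tf files, which are generated from this template. A one-line comment above the new input would also help readers, e.g. `# Empty string disables impersonation; the wrapper then falls back to Application Default Credentials.`, which matches the description this diff adds to modules/asm/README.md. The closing brace of the module block is not within the visible hunk.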
@@ -20,14 +20,14 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "~> 2.1.0"
+ enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name = google_container_cluster.primary.name
+ cluster_location = google_container_cluster.primary.location
+ project_id = var.project_id
+ upgrade = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
 kubectl_destroy_command = ""
diff --git a/modules/asm/README.md b/modules/asm/README.md
index c7282f6f0..10100b628 100644
--- a/modules/asm/README.md
+++ b/modules/asm/README.md
@@ -64,6 +64,7 @@ To deploy this config:
 | enable\_gcp\_iam\_roles | Sets `--enable_gcp_iam_roles` option if true. | `bool` | `false` | no |
 | enable\_registration | Sets `--enable_registration` option if true. | `bool` | `false` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | key\_file | The GCP Service Account credentials file path used to deploy ASM. | `string` | `""` | no |
 | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
 | managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no |
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
index b58837b1f..9bb9fb917 100644
--- a/modules/asm/main.tf
+++ b/modules/asm/main.tf
@@ -32,16 +32,17 @@ locals {
 module "asm_install" {
 source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
+ version = "~> 2.1.0"
 module_depends_on = [var.cluster_endpoint]
- gcloud_sdk_version = var.gcloud_sdk_version
- upgrade = true
- additional_components = ["kubectl", "kpt", "beta", "kustomize"]
- cluster_name = var.cluster_name
- cluster_location = var.location
- project_id = var.project_id
- service_account_key_file = var.service_account_key_file
+ gcloud_sdk_version = var.gcloud_sdk_version
+ upgrade = true
+ additional_components = ["kubectl", "kpt", "beta", "kustomize"]
+ cluster_name = var.cluster_name
+ cluster_location = var.location
+ project_id = var.project_id
+ service_account_key_file = var.service_account_key_file
+ impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string}"
 kubectl_destroy_command = "kubectl delete ns istio-system"
diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf
index 151fc1d7b..1c53e5eb6 100644
--- a/modules/asm/variables.tf
+++ b/modules/asm/variables.tf
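Review bot: The new `+ impersonate_service_account = var.impersonate_service_account` line is forwarded next to the existing `service_account_key_file = var.service_account_key_file`, and neither the hunk nor the variable description says which identity is used when both are set; the wrapper's impersonation also presumably covers only the gcloud/kubectl calls the wrapper itself makes, while the `kubectl_create_command` line still hands `install_asm.sh` its own `${local.service_account_string} ${local.key_file_string}` arguments. I would add a comment above the two credential inputs, e.g. `# Both a key file and an impersonation target can be supplied; confirm precedence in the 2.1.0 wrapper, and note install_asm.sh receives its own service-account/key-file arguments below.` The k8s_operator, k8sop_creds_secret and k8sop_config modules in modules/k8s-operator-crd-support/main.tf pass the same pair and would benefit from the same note. The closing brace of the asm_install block is outside the visible hunk.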
@@ -87,6 +87,12 @@ variable "managed_control_plane" {
 default = false
 }
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
+
 variable "options" {
 description = "Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features."
 type = list
diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf
index 76a73f14e..3aafda726 100644
--- a/modules/beta-private-cluster-update-variant/dns.tf
+++ b/modules/beta-private-cluster-update-variant/dns.tf
@@ -20,14 +20,14 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "~> 2.1.0"
+ enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name = google_container_cluster.primary.name
+ cluster_location = google_container_cluster.primary.location
+ project_id = var.project_id
+ upgrade = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
 kubectl_destroy_command = ""
diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf
index 76a73f14e..3aafda726 100644
--- a/modules/beta-private-cluster/dns.tf
+++ b/modules/beta-private-cluster/dns.tf
@@ -20,14 +20,14 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "~> 2.1.0"
+ enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name = google_container_cluster.primary.name
+ cluster_location = google_container_cluster.primary.location
+ project_id = var.project_id
+ upgrade = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
 kubectl_destroy_command = ""
diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf
index 76a73f14e..3aafda726 100644
--- a/modules/beta-public-cluster-update-variant/dns.tf
+++ b/modules/beta-public-cluster-update-variant/dns.tf
@@ -20,14 +20,14 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "~> 2.1.0"
+ enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name = google_container_cluster.primary.name
+ cluster_location = google_container_cluster.primary.location
+ project_id = var.project_id
+ upgrade = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
 kubectl_destroy_command = ""
diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf
index 76a73f14e..3aafda726 100644
--- a/modules/beta-public-cluster/dns.tf
+++ b/modules/beta-public-cluster/dns.tf
@@ -20,14 +20,14 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "~> 2.1.0"
+ enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name = google_container_cluster.primary.name
+ cluster_location = google_container_cluster.primary.location
+ project_id = var.project_id
+ upgrade = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
 kubectl_destroy_command = ""
diff --git a/modules/hub/main.tf b/modules/hub/main.tf
index 16e588291..428d4d8e5 100644
--- a/modules/hub/main.tf
+++ b/modules/hub/main.tf
@@ -72,7 +72,7 @@ resource "google_service_account_key" "gke_hub_key" {
 module "gke_hub_registration" {
 source = "terraform-google-modules/gcloud/google"
- version = "~> 2.0.2"
+ version = "~> 2.1.0"
 platform = "linux"
 gcloud_sdk_version = var.gcloud_sdk_version
diff --git a/modules/k8s-operator-crd-support/main.tf b/modules/k8s-operator-crd-support/main.tf
index 3d72a2089..60536b8cd 100644
--- a/modules/k8s-operator-crd-support/main.tf
+++ b/modules/k8s-operator-crd-support/main.tf
@@ -34,7 +34,7 @@ locals {
 module "k8sop_manifest" {
 source = "terraform-google-modules/gcloud/google"
- version = "~> 2.0.2"
+ version = "~> 2.1.0"
 enabled = local.should_download_manifest
 create_cmd_entrypoint = "gsutil"
@@ -45,14 +45,15 @@ module "k8sop_manifest" {
 module "k8s_operator" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- module_depends_on = [module.k8sop_manifest.wait, var.cluster_endpoint]
- cluster_name = var.cluster_name
- cluster_location = var.location
- project_id = var.project_id
- service_account_key_file = var.service_account_key_file
- use_existing_context = var.use_existing_context
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "~> 2.1.0"
+ module_depends_on = [module.k8sop_manifest.wait, var.cluster_endpoint]
+ cluster_name = var.cluster_name
+ cluster_location = var.location
+ project_id = var.project_id
+ service_account_key_file = var.service_account_key_file
+ use_existing_context = var.use_existing_context
+ impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = "kubectl apply -f ${local.manifest_path}"
 kubectl_destroy_command = "kubectl delete -f ${local.manifest_path}"
@@ -67,15 +68,16 @@ resource "tls_private_key" "k8sop_creds" {
 module "k8sop_creds_secret" {
 source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
+ version = "~> 2.1.0"
- enabled = var.create_ssh_key == true || var.ssh_auth_key != null ? "true" : "false"
- module_depends_on = [module.k8s_operator.wait]
- cluster_name = var.cluster_name
- cluster_location = var.location
- project_id = var.project_id
- service_account_key_file = var.service_account_key_file
- use_existing_context = var.use_existing_context
+ enabled = var.create_ssh_key == true || var.ssh_auth_key != null ? "true" : "false"
+ module_depends_on = [module.k8s_operator.wait]
+ cluster_name = var.cluster_name
+ cluster_location = var.location
+ project_id = var.project_id
+ service_account_key_file = var.service_account_key_file
+ use_existing_context = var.use_existing_context
+ impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = local.private_key != null ? "kubectl create secret generic ${var.operator_credential_name} -n=${var.operator_credential_namespace} --from-literal=${local.k8sop_creds_secret_key}='${local.private_key}'" : ""
 kubectl_destroy_command = "kubectl delete secret ${var.operator_credential_name} -n=${var.operator_credential_namespace}"
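Review bot: The re-indented `+ enabled = var.create_ssh_key == true || var.ssh_auth_key != null ? "true" : "false"` line encodes a boolean as the strings `"true"`/`"false"`, while the same wrapper input is given a plain bool in this diff's dns.tf hunks (`enabled = (...) && ! var.skip_provisioners`); since the line is already being rewritten, `enabled = var.create_ssh_key || var.ssh_auth_key != null` would be clearer, assuming `create_ssh_key` is declared as `bool`. Separately, the unchanged `kubectl_create_command` context line still interpolates `local.private_key` into the command string via `--from-literal`, so the key can surface in plan/apply output and in process listings on the runner; a follow-up that supplies the secret from a file rather than the command line would reduce that exposure. The closing brace of the k8sop_creds_secret block is outside the visible hunk.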
@@ -102,15 +104,16 @@ data "template_file" "k8sop_config" {
 }
 module "k8sop_config" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
- cluster_name = var.cluster_name
- cluster_location = var.location
- project_id = var.project_id
- create_cmd_triggers = { configmanagement = data.template_file.k8sop_config.rendered }
- service_account_key_file = var.service_account_key_file
- use_existing_context = var.use_existing_context
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "~> 2.1.0"
+ module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
+ cluster_name = var.cluster_name
+ cluster_location = var.location
+ project_id = var.project_id
+ create_cmd_triggers = { configmanagement = data.template_file.k8sop_config.rendered }
+ service_account_key_file = var.service_account_key_file
+ use_existing_context = var.use_existing_context
+ impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = "kubectl apply -f - <