diff --git a/README.md b/README.md index f505bd6..7ccba55 100644 --- a/README.md +++ b/README.md @@ -199,8 +199,16 @@ Namespace is already created in step 1 above. ```bash gcloud iam service-accounts add-iam-policy-binding \ --role roles/iam.workloadIdentityUser \ - --member "serviceAccount:[$PROJECT_ID].svc.id.goog[$NAMESPACE/$KSA_NAME]" \ - [$GSA_NAME]@[$PROJECT_ID].iam.gserviceaccount.com + --member "serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/$KSA_NAME]" \ + $GSA_NAME@$PROJECT_ID.iam.gserviceaccount.com + ``` + +4. Add annotation to Kubernetes Service Account + + ```bash + kubectl annotate serviceaccount $KSA_NAME \ + --namespace $NAMESPACE \ + iam.gke.io/gcp-service-account=$GSA_NAME@$PROJECT_ID.iam.gserviceaccount.com ``` In this case: diff --git a/changelogs/unreleased/194-rvandernoort b/changelogs/unreleased/194-rvandernoort new file mode 100644 index 0000000..d93ff64 --- /dev/null +++ b/changelogs/unreleased/194-rvandernoort @@ -0,0 +1 @@ +update README GKE Workload Identity instructions \ No newline at end of file
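Review bot: In the README.md hunk, the corrected `--member` line still has square brackets around `$NAMESPACE/$KSA_NAME`, and nothing in the README says that these are a literal part of the member string while the brackets removed around `$PROJECT_ID` and `$GSA_NAME` were not. Add a sentence to step 3 saying so, and one to the new step 4 stating that `$KSA_NAME` and `$NAMESPACE` must be the same values used in the `--member` binding, since the annotation and the binding only work as a pair. The `--member` value is quoted, but the service account e-mail argument and all three arguments of `kubectl annotate` are not; quoting them as well, for example `"$GSA_NAME@$PROJECT_ID.iam.gserviceaccount.com"`, keeps each one a single shell argument and makes the two commands consistent.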
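Review bot: The new file changelogs/unreleased/194-rvandernoort ends without a trailing newline (`\ No newline at end of file`); add one so later appends and concatenation of changelog entries do not run lines together. The entry text could also mention the added annotation step, since that is the one new instruction in this change rather than a correction.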