Workload Identity Federation
Keyless CI and per-pod GKE identity.
The highest-leverage GCP identity upgrade is the same as everywhere: delete the long-lived keys. On GCP that means never downloading a service-account key, and instead letting external and in-cluster workloads exchange an attested identity for short-lived credentials.
Workload Identity Federation for external CI
Workload Identity Federation lets a workload outside GCP — GitHub Actions, GitLab, another cloud — present its native OIDC or SAML token to a workload identity pool, which exchanges it for short-lived GCP credentials with no key downloaded. You configure the pool with an attribute mapping and a condition that pins the token to a specific repository and ref, so a fork or another repo cannot obtain credentials. The result is the same as AWS OIDC federation: nothing static to leak, and access scoped to the real workload.
# A pool + provider that only trusts one repo, mapped by the token's claims.gcloud iam workload-identity-pools providers create-oidc gh \--workload-identity-pool=ci-pool --location=global \--issuer-uri="https://token.actions.githubusercontent.com" \--attribute-mapping="google.subject=assertion.sub,attribute.repo=assertion.repository" \--attribute-condition="assertion.repository=='acme/api'"# Let that federated identity impersonate a scoped deploy SA — no key file:gcloud iam service-accounts add-iam-policy-binding [email protected] \--role=roles/iam.workloadIdentityUser \--member="principalSet://iam.googleapis.com/projects/NUM/locations/global/workloadIdentityPools/ci-pool/attribute.repo/acme/api"
GKE Workload Identity for pods
Inside GKE, Workload Identity maps a Kubernetes service account to a Google service account, so each pod gets exactly the GCP access its workload needs instead of borrowing a broad node service account. A compromised pod then inherits only that one scoped identity, and there is no node key to steal. Bind the KSA to the GSA, annotate the KSA, and the metadata server delivers short-lived, auto-rotated credentials transparently.