Workload Identity Federation

Introduction

  • In general, you can authenticate using a GCP service account key. However, if the service account key is leaked, it can immediately lead to a security incident. The weakness of the service account key is as follows: if it is leaked, any application using the leaked key has the same permissions that the key grants.

  • Workload Identity Federation reduces security risk because there is no key to manage for authentication. Instead of a key, there is only a config file that does not contain any secret information.

  • Issuing short-lived tokens to external applications can minimize damage if tokens are leaked.
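
The difference between the two file types can be checked mechanically. The following is an added example, not code from the original page or from Google: it audits a credential JSON document and reports which fields hold long-lived secret material. The function names, file names and all sample values are constructed for illustration; the field names follow the layout of service account key files and federation credential configuration files.

```python
import json

# Field names that hold long-lived secret material in Google credential JSON.
SECRET_FIELDS = {"private_key", "client_secret", "refresh_token"}

def find_secret_fields(obj, path=""):
    """Return dotted paths of every non-empty secret-bearing field."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in SECRET_FIELDS and value:
                hits.append(here)
            hits.extend(find_secret_fields(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_secret_fields(item, f"{path}[{i}]"))
    return hits

def audit_credential(text):
    """Classify one credential JSON document and list embedded secrets."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        doc = None
    if not isinstance(doc, dict):
        return {"type": "invalid", "secrets": []}
    return {"type": doc.get("type", "unknown"),
            "secrets": sorted(find_secret_fields(doc))}

# Constructed sample: shape of a service account key file (placeholder values).
SA_KEY = json.dumps({
    "type": "service_account",
    "client_email": "example-sa@example-project.iam.gserviceaccount.com",
    "private_key_id": "constructed-key-id",
    "private_key": "<constructed placeholder, not a real key>",
})

# Constructed sample: shape of a federation credential configuration file.
WIF_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global"
                "/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/var/run/token/oidc-token"},
})

if __name__ == "__main__":
    for name, text in (("sa-key.json", SA_KEY), ("wif-config.json", WIF_CONFIG)):
        print(name, audit_credential(text))
```

A check like this can run in CI or a pre-commit hook to block service account keys from being committed while allowing federation config files through.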
