Workload Identity Federation (WIF) allows external workloads — running on AWS, Azure, GitHub Actions, GitLab CI, or any OIDC/SAML-compliant identity provider — to access GCP resources without service account keys. This is one of the most important security features for multi-cloud and CI/CD pipelines.
Without WIF, external workloads must authenticate using service account keys (JSON files):
Traditional approach (AVOID):
1. Create GCP service account
2. Download JSON key file
3. Store key in GitHub Secrets / AWS Secrets Manager / etc.
4. Application uses key to authenticate to GCP
Problems:
- Key files can leak (git commits, logs, screenshots)
- Keys do not expire by default
- Difficult to rotate across many systems
- No fine-grained audit trail of who used the key
With WIF, the external workload never holds a long-lived GCP credential:
WIF approach (RECOMMENDED):
1. Create GCP service account
2. Create a workload identity pool and provider
3. Map external identity to GCP service account
4. External workload exchanges its native token for a GCP token
5. No key file exists — nothing to leak
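The following script is an added example of steps 1 through 3 for a GitHub Actions workload; it is not code from the lesson or from Google, and every identifier in it (project id and number, pool and provider names, service account, GitHub organisation and repository) is an assumed placeholder. It uses the documented gcloud commands for creating a pool, an OIDC provider and the IAM binding that maps the external identity to the service account. The attribute condition and the narrow principalSet member are the parts that matter for security: together they make sure only tokens issued for one specific repository can be exchanged for the service account's credentials.

```bash
#!/usr/bin/env bash
# Added example (not from the lesson): connect one GitHub repository to a GCP
# service account via Workload Identity Federation. All values below are
# assumed placeholders; override them through the environment.
set -e

PROJECT_ID="${PROJECT_ID:-example-project}"        # assumed
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # assumed; the numeric project id
POOL_ID="${POOL_ID:-github-pool}"                  # assumed
PROVIDER_ID="${PROVIDER_ID:-github-provider}"      # assumed
SA_EMAIL="${SA_EMAIL:-ci-deployer@${PROJECT_ID}.iam.gserviceaccount.com}"  # assumed
GITHUB_ORG="${GITHUB_ORG:-example-org}"            # assumed
GITHUB_REPO="${GITHUB_REPO:-example-repo}"         # assumed

# Step 3: the IAM member that means "any token from exactly this repository".
# Binding the service account to this principalSet is the mapping from the
# external identity to the GCP identity. Keep it as narrow as possible.
wif_principal_set() {
  org="$1"
  repo="$2"
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$org" "$repo"
}

# Attribute mapping: copies claims from the GitHub OIDC token into the pool's
# attribute namespace so bindings and conditions can refer to them.
wif_attribute_mapping() {
  printf 'google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner'
}

# Attribute condition (CEL): the provider rejects tokens from any other GitHub
# organisation before IAM is consulted, so a mistaken binding elsewhere cannot
# widen access to arbitrary repositories.
wif_attribute_condition() {
  printf "assertion.repository_owner == '%s'" "$GITHUB_ORG"
}

wif_setup() {
  # Step 2: pool and OIDC provider that trusts GitHub's token issuer.
  gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global \
    --display-name="GitHub Actions pool"

  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL_ID" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="$(wif_attribute_mapping)" \
    --attribute-condition="$(wif_attribute_condition)"

  # Step 3: only that repository's tokens may impersonate the service account.
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" \
    --role="roles/iam.workloadIdentityUser" \
    --member="$(wif_principal_set "$GITHUB_ORG" "$GITHUB_REPO")"
}

# Only touch the cloud when explicitly asked (WIF_APPLY=1); otherwise the file
# just defines the helpers so their output can be inspected first.
if [ "${WIF_APPLY:-0}" = "1" ]; then
  wif_setup
fi
```

Run it with `WIF_APPLY=1` after reviewing the strings the helper functions print. Step 4, the token exchange, then happens on the workload side: the workflow asks GitHub for an OIDC token and presents it to the provider created here, which hands back a short-lived GCP token for `SA_EMAIL`; at no point is a JSON key created or downloaded.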