An organization wants to grant a CI/CD pipeline (running on GitHub Actions) access to deploy resources in a GCP project without storing long-lived service account keys. Which approach is recommended?
Workload Identity Federation allows keyless authentication from external IdPs.
Why this answer
Workload Identity Federation allows binding an external identity provider (like GitHub Actions) to a GCP service account. The GitHub Actions workflow can exchange a GitHub OIDC token for a GCP access token, so no static keys are needed.