In Google Cloud, the stronger path is clear: replace long-lived JSON keys in GitHub Actions, GitLab, and Terraform with Workload Identity Federation, short-lived tokens, and tightly scoped impersonation. Fewer secrets, smaller blast radius, better control.

https://medium.com/@aleksei.aleinikov.gr/how-to-remove-service-account-keys-from-github-actions-gitlab-and-terraform-in-google-cloud-in-a88cea0ed304