Eliminating Google Cloud Service Account Keys Using Workload Identity Federation

Static Google Cloud service account JSON keys are one of the most persistent security liabilities in modern enterprise environments. They are long-lived, difficult to audit, frequently over-privileged, and notoriously easy to leak. In a Zero-Trust world, unmanaged static credentials are not just a risk — they are an architectural dead end.

💡 Enterprises with hundreds of legacy service account keys often underestimate the operational overhead until a security audit forces rotation.

For enterprises, transitioning to Workload Identity Federation (WIF) is no longer a best practice - it is a necessity. WIF replaces static secrets with short-lived, identity-based access aligned with Zero-Trust principles. When combined with executable-sourced credentials, it provides a practical path to eliminate service account keys entirely — without rewriting applications or re-engineering existing workflows.

Last Updated: Feb 9, 2026 (Originally Published: Jan 27, 2026) (15 ~ 20 min read time) Security Google Workload Identity Federation

Why This Still Breaks in Enterprises

Static service account keys are one of the last remaining hard-coded secrets in enterprise cloud environments. They are expensive to manage, painful to rotate, and fundamentally incompatible with modern security models. Many modern SaaS platforms now support Workload Identity Federation out of the box. However, large enterprises rarely operate exclusively in SaaS-only or cloud-native environments. There is often a long tail of internal workloads:

  • Batch jobs
  • Data synchronization pipelines
  • Operational scripts using gcloud
  • Legacy services running outside Google Cloud
  • Accessing GCP resources from on-premises or hybrid cloud environments
Historically, these workloads authenticated using static service account JSON key files injected at runtime.

⚠️ Even when organizations adopt WIF at the platform level, legacy pipelines remain an exception — and exceptions are where static credentials survive the longest.

This article describes a proven enterprise pattern for eliminating long-lived Google Cloud service account keys using Workload Identity Federation and executable-sourced credentials. Authentication is externalized, and Google Cloud handles token exchange, impersonation, and lifecycle management.

Identity-First Access: Workload Identity Federation in Practice

This architectural pattern and its practical implementation demonstrate how systems eliminate long-lived credentials by exchanging enterprise identity for Google Cloud access at runtime.

💡 No application code changes are required. Applications continue to use the same Google Cloud Auth libraries, while authentication becomes a platform-managed capability.

Execution Flow

A typical execution flow looks like this:
  1. Application or job starts
  2. Google Cloud Auth library invokes the configured executable
  3. Executable library authenticates with CyberArk or Vault
  4. Enterprise IdP issues a short-lived OIDC token
  5. Executable library outputs the token
  6. Google Cloud library exchanges the token via WIF
  7. Application or job receives a short-lived Google access token

Design Principles

Several design principles make this pattern scalable and safe:

  1. Single responsibility The executable does one thing: produce a valid external identity token.
  2. No embedded secrets The library relies on environment-level or host-level authentication to access enterprise systems.
  3. Language-agnostic interface Any language capable of invoking an executable can use this pattern.
  4. Central distribution The executable is published to an internal artifact repository and versioned like any other platform dependency.

✅ This allows security teams to review and harden authentication logic once, instead of auditing hundreds of applications.

Supporting Multiple Languages

In an ideal world,enterprises may use multiple langauges in their application stacks. Typically, they implement this library in multiple languages—Java, Go, Node.js, and Python—to support diverse application stacks. Each implementation adheres to the same contract:
  • identical command-line arguments
  • identical output format
  • consistent logging and error semantics

💡 Standardizing the interface matters more than standardizing the implementation language.

End to End Workload Identity Federation Execution Flow

The following diagram illustrates how this pattern works in practice:

Google Workload Identity Federation diagram with OIDC Impersonation

Prerequisites

Before implementing this pattern, a one-time configuration is required to establish mutual trust between Google Cloud and your Enterprise Identity Provider (IdP). This setup follows standard OIDC federation principles:

1. Identity Provider (IdP) Configuration

  • OIDC Application Registration: Register the authentication library as an OIDC client in your enterprise IdP.
  • Issuer URL: Identify the provider's issuer URL (the iss claim), which must be publicly accessible to serve the OIDC discovery document.
  • Allowed Audiences: Configure the IdP to issue tokens where the aud claim matches the Google Cloud Workload Identity Provider URI.

2. Google Cloud Configuration

  • Workload Identity Pool: Create a logical container for your external identities within your Google Cloud project.
  • Workload Identity Provider: Create an OIDC provider within the pool, linking it to your IdP's Issuer URL and Allowed Audiences.
  • Attribute Mapping: Map claims from the enterprise OIDC token (e.g., sub, email, groups) to Google Security Token Service (STS) attributes.
  • Attribute Conditions: Define CEL expressions to restrict which external identities can exchange tokens (e.g., google.subject.contains('prod-workload')).

✅ Once the provider is created, Google Cloud can cryptographically verify OIDC tokens signed by your IdP without requiring any static secrets or long-lived keys.

Phase 1: External Identity, Not Google Keys

The application never starts with a Google credential. It starts with its own identity, issued by an enterprise IdP. Steps 3 to 5 in the diagram.

Zero Trust Enforcement Inside the Library

One of the key success factors in this approach was enforcing Zero Trust principles directly inside the reusable authentication library, rather than relying solely on external controls. In practice, the library did not blindly fetch credentials. Instead, it applied explicit trust validation and policy checks before requesting or emitting any identity token.

💡 This ensured that possession of execution access alone was not sufficient to obtain credentials.

What Zero Trust Meant in Practice

Inside the library, Zero Trust was implemented by validating multiple signals before proceeding:

  • Execution context validation
    • The library verified that it was running in an expected environment (for example, specific hosts, namespaces, or workload identifiers).
  • Caller intent and scope checks
    • Requests for credentials were evaluated against allowed scopes, environments, and target service accounts.
  • Explicit trust boundaries
    • The library enforced which IdP, workload identity pool, and provider combinations were permitted — preventing misuse across environments.
  • Short-lived, least-privilege tokens
    • Tokens were always scoped, ephemeral, and tied to a single execution context.

⚠️ Without these checks, the executable becomes just another credential-fetching utility — which defeats the purpose of Zero Trust.

The Reusable Authentication Library Pattern

The core of this approach is a reusable authentication executable that acts as a bridge between enterprise identity systems and Google Cloud’s Workload Identity Federation. Rather than embedding authentication logic in every application, the enterprise implements a single, well-defined library whose only responsibility is to obtain a valid external identity token and present it in a format understood by Google Cloud’s authentication libraries.

💡 This shifts authentication from an application concern to a centrally governed platform capability.

Core Responsibilities of the Library

At a high level, the library is responsible for three things:

  1. Securely accessing enterprise credential systems The library authenticates with enterprise-managed systems such as CyberArk or HashiCorp Vault to retrieve the minimum credentials required to interact with the corporate Identity Provider (IdP).
  2. Minting or retrieving an OIDC token from the IdP Using the retrieved credentials, the library requests an OIDC-compliant identity token from the enterprise IdP. This token represents the workload’s identity, not a static secret.
  3. Emitting credentials in a Google-compatible format The token is written to STDOUT (or an output file) in the exact format expected by Google Cloud’s Auth libraries. From this point forward, Google Cloud handles token exchange, service account impersonation, and refresh.

The library emits a JSON object to STDOUT (or a specified file) containing the OIDC token and metadata. This is the exact format expected by Google Cloud’s authentication libraries. Here is the sample output: 


{
    "version":1,
    "success":true,
    "token_type":"urn:ietf:params:oauth:token-type:id_token",
    "id_token":"eyJraWQiOiJHb29nbGVXb3Jr...<OIDC_TOKEN>...",
    "expiration_time" :1770657620
}

Here is the sample executable-sourced.json that is used by the library to obtain the OIDC token:


{
    "universe_domain": "googleapis.com",
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/<gcp-numeric-id>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "executable": {
            "command": "-cp <path-to-jar/library> com.garvik.wif.GetOIDCToken",
            "timeout_millis": 30000
        }
    },
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<service-account-email>:generateAccessToken",
    "service_account_impersonation": {
        "token_lifetime_seconds": 3600
    }
}
GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES: In this approach via execuatble-sourced.json, the process is responsible for invoking the excuatble library it requires to set the environment variable GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to 1.

Phase 2: Token Exchange, Not Trust

Trust is never assumed — it is continuously verified. The application exchanges its enterprise token for a short-lived Google access token. Steps 4 to 5 in the diagram, lets break down the process.

The application/process uses the OIDC token obtained from the zero trust library to request a Google access token. This exchange is performed using the Google Cloud Client Library, which handles the token exchange process. The Google Cloud Client Library forwards the IdP token received in (5) to GCP’s Security Token Service (STS) (6). The Security Token Service (STS) evaluates the token (7-2) to verify the audience of the external identity token and the token issuer. The external identity token is signed with the external IdP’s private key. The corresponding public keys that are used in the validation process are accessible as each OIDC provider publishes the URI for accessing these keys (jwks_uri) in the /.well-known/openid-configuration document . With these public keys the STS verifies the token signature (7-1). STS returns a short lived (1 hr) federated GCP token (8).This step completes the federated identity exchange process.

Phase 3: Impersonation, Not Delegation

The application/process never uses its own identity to access Google Cloud. It impersonates a Google service account, which has the precise permissions required for the task. Steps 6 to 10 in the diagram.

The application/process uses the short-lived federated GCP token (8) to impersonate a Google service account present in the properties file service_account_impersonation_url. The federated GCP token is exchanged for a short-lived access token for the service account at step 9 & 10. With this access token, the application can access the Google Cloud resources that the service account has been granted access to.

Short-Lived Credentials, Not Long-Lived Secrets

Google access tokens are short-lived (1 hour by default and you can configure it to be different by customizing the property value SERVICE_ACCOUNT_TOKEN_LIFETIME). They are automatically refreshed, eliminating the need for manual rotation or key management.

Apply Least Privilege: Never give more permissions to a service account than what is required for its function. Use the IAM Recommender to prune unused permissions for service accounts, ensuring only the absolute minimum access required for their function.

Conclusion

Executable-sourced credentials provide a pragmatic, low-friction path for enterprises to eradicate static service account keys—especially in legacy or operational workflows that cannot be easily rewritten. Combined with Workload Identity Federation, they enable a true Zero-Trust model: identity-based, short-lived, auditable, and centrally governed.

This is not just a security improvement—it is a structural upgrade to how enterprises authenticate in the cloud.

Now that you understand the elimination of static service account keys

Explore our guide on developing a production-ready Stateful AI Agent application using Google AI SDK & Spring Boot.

Resources

For more information about Workload Identity Federation, see the following resources: