Session
CI CD on Google Cloud enabling Keyless Authentication
Previously on Google Cloud, CI/CD pipelines running on external tools like GitHub Actions or GitLab CI needed a Service Account token key to authenticate to Google Cloud.
Using a long-lived SA token key is a security risk, because we need to rotate and manage these keys.
The best practice is to prevent the use of token keys.
Today, external tools can follow this best practice by using keyless authentication and Workload Identity Federation.
Behind the scenes, Workload Identity Federation uses OpenID Connect.
We will illustrate this practice with a real-world use case using GitHub Actions and GitLab CI installed on a GKE cluster.
Mazlum Tosun
GDE Cloud and Head of Data & Cloud at GroupBees
Paris, France