DEV Community

Aleksei Aleinikov

Static service account keys in CI/CD are not a convenience anymore. They are a liability.

In Google Cloud, the stronger path is clear: replace long-lived JSON keys in GitHub Actions, GitLab, and Terraform with Workload Identity Federation, short-lived tokens, and tightly scoped impersonation. Fewer secrets, smaller blast radius, better control.

https://medium.com/@aleksei.aleinikov.gr/how-to-remove-service-account-keys-from-github-actions-gitlab-and-terraform-in-google-cloud-in-a88cea0ed304
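
One way to find where static keys remain before migrating, as an added example (not code from the original post): it flags service account key files and two config patterns, and treats `external_account` files, the credential configuration Workload Identity Federation uses, as clean. The sample repository contents, file paths, and the secret name `GCP_SA_KEY` are constructed placeholders.

```python
import json
import re

# Config patterns that mean a long-lived key is still in use.
CONFIG_PATTERNS = {
    "workflow passes a key via credentials_json":
        re.compile(r"^\s*credentials_json\s*:", re.M),
    "Terraform mints a key (google_service_account_key)":
        re.compile(r'resource\s+"google_service_account_key"'),
}

def classify_credential_json(text):
    """Return 'static-key', 'federated' or 'other' for a JSON credential file."""
    try:
        doc = json.loads(text)
    except ValueError:  # not JSON at all (YAML, HCL, ...)
        return "other"
    if not isinstance(doc, dict):
        return "other"
    if doc.get("type") == "service_account" and "private_key" in doc:
        return "static-key"
    if doc.get("type") == "external_account":  # WIF config, holds no secret
        return "federated"
    return "other"

def audit(files):
    """files maps path -> text. Return sorted (path, finding) pairs."""
    findings = []
    for path, text in files.items():
        if classify_credential_json(text) == "static-key":
            findings.append((path, "service account key file"))
        for label, rx in CONFIG_PATTERNS.items():
            if rx.search(text):
                findings.append((path, label))
    return sorted(findings)

# Constructed sample repository contents; every name and value is a placeholder.
PROVIDER = "projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"
SAMPLE = {
    ".github/workflows/old.yml": "- uses: google-github-actions/auth@v2\n  with:\n    credentials_json: ${{ secrets.GCP_SA_KEY }}\n",
    ".github/workflows/new.yml": "permissions:\n  id-token: write\nsteps:\n- uses: google-github-actions/auth@v2\n  with:\n    workload_identity_provider: " + PROVIDER + "\n    service_account: ci@PROJECT_ID.iam.gserviceaccount.com\n",
    "ci/key.json": json.dumps({"type": "service_account", "private_key": "PLACEHOLDER"}),
    "ci/wif.json": json.dumps({"type": "external_account", "audience": "//iam.googleapis.com/" + PROVIDER}),
    "infra/main.tf": 'resource "google_service_account_key" "ci" {\n  service_account_id = "ci"\n}\n',
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

Keys stored only as CI/CD variables or repository secrets do not appear in the checked-out tree, so those still have to be reviewed in the platform's settings.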
