Service accounts & Workload Identity Federation: a practical cleanup
Most incidents we see involve over‑privileged service accounts and leaked keys. Here’s how to adopt WIF and reduce blast radius.
Inventory & risk rank
List all service accounts and keys; sort by age, permissions and usage. Identify user‑managed keys older than 90 days.
Adopt WIF
For CI and external workloads, use Workload Identity Federation. Map external identities to GCP service accounts without storing keys.
Reduce roles
Replace Owner/Editor with minimal roles. Create custom roles only for stable, narrow privileges.
Break‑glass pattern
Create a human break‑glass account with strong MFA and alerting on every use. Document when and how it can be used, with approvals.
Lifecycle
Schedule quarterly reviews of roles and keys. Automate alerts for new key creation and excessive permissions.
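As an added example (not code from the original article), the inventory and role checks above can be scripted against the JSON that `gcloud iam service-accounts keys list --format=json` and `gcloud projects get-iam-policy --format=json` emit. The sample records, project name, service account address and reference date below are constructed for the demo.

```python
"""Flag stale user-managed service account keys and SAs holding Owner/Editor."""
import json
from datetime import datetime, timezone

PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
MAX_KEY_AGE_DAYS = 90

# Constructed sample in the shape of `gcloud iam service-accounts keys list --format=json`.
SAMPLE_KEYS = json.loads("""[
 {"keyType": "USER_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z",
  "name": "projects/demo-proj/serviceAccounts/ci-deploy@demo-proj.iam.gserviceaccount.com/keys/0123abcd"},
 {"keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-06-01T00:00:00Z",
  "name": "projects/demo-proj/serviceAccounts/ci-deploy@demo-proj.iam.gserviceaccount.com/keys/sys0001"},
 {"keyType": "USER_MANAGED", "validAfterTime": "2024-05-01T00:00:00Z",
  "name": "projects/demo-proj/serviceAccounts/ci-deploy@demo-proj.iam.gserviceaccount.com/keys/ef456789"}
]""")
# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
 {"role": "roles/editor", "members": ["serviceAccount:ci-deploy@demo-proj.iam.gserviceaccount.com"]},
 {"role": "roles/viewer", "members": ["user:alice@example.com"]}]}""")
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference date

def parse_ts(ts):
    """RFC 3339 timestamp as emitted by gcloud -> aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def stale_user_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (service_account, key_id, age_days), oldest first, for user-managed keys past max_age.
    System-managed keys are rotated by Google and are skipped."""
    out = []
    for k in keys:
        if k.get("keyType") != "USER_MANAGED":
            continue
        age = (now - parse_ts(k["validAfterTime"])).days
        if age > max_age_days:
            sa = k["name"].split("/serviceAccounts/")[1].split("/keys/")[0]
            out.append((sa, k["name"].rsplit("/", 1)[1], age))
    return sorted(out, key=lambda r: -r[2])

def primitive_role_sas(policy):
    """Service accounts bound to Owner/Editor at the project level, as (sa, role)."""
    hits = set()
    for b in policy.get("bindings", []):
        if b["role"] in PRIMITIVE_ROLES:
            for m in b.get("members", []):
                if m.startswith("serviceAccount:"):
                    hits.add((m[len("serviceAccount:"):], b["role"]))
    return sorted(hits)

if __name__ == "__main__":
    print("stale keys:", stale_user_keys(SAMPLE_KEYS, NOW))
    print("Owner/Editor SAs:", primitive_role_sas(SAMPLE_POLICY))
```

Feed the real gcloud output through `json.load` in place of the samples; the same two functions give the age-ranked key list and the Owner/Editor bindings the review needs.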
This article is for engineering guidance. It is not legal advice.