Practice free →
HomeGCP Associate Cloud Engineercloudcomputinggcpsecurity › Workload Identity Federation lets external (non-…

Workload Identity Federation lets external (non-Google) identities (e.g. AWS IAM, GitHub Actions, OIDC providers) access Google Cloud APIs by:

ACopying the Google Cloud project's service-account JSON to the external system
BBypassing IAM entirely on Google Cloud
CReplacing Cloud KMS with the external identity's key store
DExchanging their external token for a short-lived Google access token via Security Token Service (STS), without minting a service-account key
Answer & Solution
Correct answer: D. Exchanging their external token for a short-lived Google access token via Security Token Service (STS), without minting a service-account key
WIF lets external workloads present their native token to Google's STS, which returns a Google access token (and optionally lets them impersonate a service account). The other answers describe key-sharing anti-patterns or unrelated services.
Solve this in the app — GCP Associate Cloud Engineer practice & 24k+ MCQs →
Related questions