Home › GCP Associate Cloud Engineer › cloudcomputing › gcpsecurity › Workload Identity Federation lets external (non-…
Workload Identity Federation lets external (non-Google) identities (e.g. AWS IAM, GitHub Actions, OIDC providers) access Google Cloud APIs by:
ACopying the Google Cloud project's service-account JSON to the external system
BBypassing IAM entirely on Google Cloud
CReplacing Cloud KMS with the external identity's key store
DExchanging their external token for a short-lived Google access token via Security Token Service (STS), without minting a service-account key
Answer & Solution
Correct answer: D. Exchanging their external token for a short-lived Google access token via Security Token Service (STS), without minting a service-account key
WIF lets external workloads present their native token to Google's STS, which returns a Google access token (and optionally lets them impersonate a service account). The other answers describe key-sharing anti-patterns or unrelated services.
Related questions
Which IAM principle does Google Cloud recommend when granting a service account access to Which Google Cloud feature provides a centralised reverse proxy that verifies the user's iAn organisation wants to enforce that only signed and approved container images can be depAn auditor needs to determine which user deleted a Cloud Storage bucket in a project last Which approach gives a GKE workload SHORT-LIVED credentials to access Google APIs WITHOUT Which Google Cloud product stores secrets (API tokens, passwords, certificates) with versiWhich Google Cloud service centrally manages cryptographic keys (creation, rotation, destrService account impersonation lets a principal: