Hello Ryan. Great article. We are at war in our company to limit service account key files (an org policy is applied, and we set up a ServiceNow workflow to request keys with a reason. I'm in charge of validating these tickets. When I validate one, a Cloud Function is triggered, the policy is deactivated, the service account key file is generated and the policy is reactivated. The service account key file is then stored in Secret Manager).
However, a lot of videos and tutorials in the Google Cloud documentation require a service account key file to follow them. A bad example, and the first bad habit when you start in Google Cloud. I already contacted Priyanka Vergadia about this.
Anyway, I have one last remark/feedback. You explain how to do this with the gcloud command. OK, but what about when you code locally and you don't want to implement a hook in your local dev environment to impersonate a service account? You want to test the same code on your computer and deployed on the cloud. So now, how can you do this?
OK, you can use your own credentials (gcloud auth application-default login), and in the code, the application default credentials. I agree it works...
EXCEPT for Cloud Run and Cloud Functions deployed privately: you can't generate an identity token based on your user credentials. In this case, it's mandatory to have a service account key file.
Do you know if it's planned to improve this? It's a real security nightmare to manage this in my organisation!
Best