What are Service Accounts and Workload Identity Providers in GCP?
In Google Cloud Platform (GCP), Service Accounts (SA) and Workload Identity Federation, whose per-issuer configuration object is the Workload Identity Provider (WIP), are both used for authentication and access control.
This guide explains their differences, use cases, and best practices.
1. What is a Service Account (SA)?
A Service Account (SA) is a special kind of Google Cloud identity used by applications, VMs, and other GCP resources to authenticate to GCP APIs.
It lets non-human principals (applications, services) access GCP resources; which resources, and how, is decided by the IAM roles granted to the SA.
Key Features
- Used for authentication by workloads running on GCP (Compute Engine, Cloud Run, Cloud Functions, GKE, etc.).
- Permissions managed via IAM (Identity and Access Management); grant the narrowest role on the narrowest resource that the workload needs.
- Workloads on GCP authenticate as their attached SA through the metadata server, with no key involved; JSON key files exist for systems outside GCP, but they are long-lived secrets and should be the last resort.
- Can be attached to workloads like Cloud Run, GKE, and Compute Engine at deploy time.
Example Use Cases
① Cloud Run accessing Cloud Storage
gcloud iam service-accounts create my-service-account \
--display-name "My Service Account"
# Grant the narrowest role that does the job, on the bucket (placeholder name my-bucket)
# rather than the whole project. roles/storage.admin on the project would let a
# compromised service read, overwrite and delete every bucket; use objectAdmin only if it writes.
gcloud storage buckets add-iam-policy-binding gs://my-bucket \
--member="serviceAccount:my-service-account@my-project.iam.gserviceaccount.com" \
--role="roles/storage.objectViewer"
Attach the SA to the service with --service-account=my-service-account@my-project.iam.gserviceaccount.com on gcloud run deploy. The running service then obtains short-lived access tokens for that SA from the metadata server; no key file is created or stored anywhere.
② Authenticate from a local environment or external application
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS"
This lets an application outside GCP authenticate as the SA. The key file contains a long-lived private key: whoever obtains it is the service account until the key is deleted, and Google never expires it for you. Treat it like a password: never commit it, restrict file permissions, rotate it, and list keys with gcloud iam service-accounts keys list and delete unused ones. For local development prefer your own user identity via gcloud auth application-default login, optionally impersonating the SA with --impersonate-service-account; for CI/CD prefer Workload Identity Federation (section 2).
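As an added example (not code from the original guide), the following Python script inspects whatever GOOGLE_APPLICATION_CREDENTIALS points at and reports which of the three credential shapes the Google client libraries accept it contains: a service account key (the long-lived secret discussed above), a Workload Identity Federation credential configuration (type external_account, which stores no secret), or user ADC written by gcloud auth application-default login. The function names classify, check_env and demo are this example's own, and the three sample files it writes are constructed placeholders, not real keys.

```python
"""Classify the credential file named by GOOGLE_APPLICATION_CREDENTIALS.

Added example, not part of the original guide. It recognises the three
JSON credential shapes Google client libraries accept and flags the one
that is a long-lived secret. Sample files are constructed for the demo
(the private key is a placeholder string, not a real key).
"""
import json
import os
import tempfile


def classify(path):
    """Return (kind, summary) for one credential file."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    kind = data.get("type")
    if kind == "service_account":
        # Holder of this file is the SA until the key is deleted: long-lived secret.
        return kind, (f"SA key for {data.get('client_email')} (key id "
                      f"{data.get('private_key_id')}): long-lived secret, rotate "
                      "or replace with federation")
    if kind == "external_account":
        # Workload Identity Federation config: only the audience (pool/provider)
        # and where to read the external token; nothing secret inside.
        return kind, f"WIF config for audience {data.get('audience')}: no secret stored"
    if kind == "authorized_user":
        return kind, ("user ADC from 'gcloud auth application-default login' "
                      "(refresh token for a human account)")
    return "unknown", f"unrecognised type {kind!r}"


def check_env(env=os.environ):
    """Classify the explicit ADC credential, if one is configured."""
    path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return "unset", ("no explicit credential; ADC falls back to gcloud user "
                         "ADC or to the metadata server of the attached SA")
    if not os.path.isfile(path):
        return "missing", f"{path} does not exist"
    return classify(path)


# Constructed sample files (placeholders only) covering the three shapes.
SAMPLES = {
    "sa-key.json": {
        "type": "service_account",
        "project_id": "my-project",
        "private_key_id": "0123abcd",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "my-service-account@my-project.iam.gserviceaccount.com",
        "token_uri": "https://oauth2.googleapis.com/token",
    },
    "wif-config.json": {
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/"
                    "workloadIdentityPools/github-pool/providers/github-provider",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {"file": "/var/run/secrets/oidc/token"},
    },
    "user-adc.json": {
        "type": "authorized_user",
        "client_id": "placeholder.apps.googleusercontent.com",
        "client_secret": "placeholder",
        "refresh_token": "placeholder",
    },
}


def write_samples(directory):
    """Write the constructed samples to directory; return name -> path."""
    paths = {}
    for name, body in SAMPLES.items():
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "w", encoding="utf-8") as fh:
            json.dump(body, fh)
    return paths


def demo():
    """Classify each sample as if it were the configured ADC file."""
    with tempfile.TemporaryDirectory() as d:
        return {name: check_env({"GOOGLE_APPLICATION_CREDENTIALS": p})[0]
                for name, p in write_samples(d).items()}


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name}: {kind}")
    print(check_env()[1])
```

Run it on a CI runner or developer laptop to see which kind of credential the environment is actually using; a result of service_account is the case to eliminate.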
2. What is a Workload Identity Provider (WIP)?
Workload Identity Federation is the GCP feature that lets external identities (AWS IAM roles, GitHub Actions jobs, Kubernetes service accounts, other OIDC or SAML providers) obtain short-lived GCP credentials without a service account key. It is configured as a workload identity pool containing one or more Workload Identity Providers (WIP); each provider describes one external issuer, how to map its token claims to GCP attributes, and which tokens to accept. This guide uses "Workload Identity Provider" as shorthand for the feature.
Traditionally, service account JSON key files were the only way for external systems to authenticate, but a key file is a long-lived secret: it can be copied, committed to a repository or left on a build runner, and it keeps working until someone deletes it.
Federation removes that secret. The external system presents a token from its own identity provider (OIDC or SAML); Google's Security Token Service validates it against the provider configuration and exchanges it for a short-lived federated token, which is typically then used to impersonate a service account.
Key Features
- Maps external identities (AWS IAM, GitHub Actions, OIDC providers) to GCP principals (principal:// and principalSet:// members) that can impersonate a service account or be granted IAM roles directly.
- Removes the need for JSON key files.
- Accepts OIDC (OpenID Connect), SAML 2.0 and AWS credentials, checked for issuer, audience and expiry, plus an optional attribute condition you define.
- Short-lived tokens (access tokens expire after an hour by default) limit the value of anything that leaks.
- The same idea, under the name Workload Identity Federation for GKE, lets Kubernetes service accounts in GKE act as GCP identities without keys.
Example Use Cases
① GitHub Actions deploying to GCP
- Create a workload identity pool and, inside it, a provider for GitHub's OIDC issuer
gcloud iam workload-identity-pools create "github-pool" \
--location="global" \
--display-name="GitHub Workload Identity Pool"
gcloud iam workload-identity-pools providers create-oidc "github-provider" \
--location="global" \
--workload-identity-pool="github-pool" \
--issuer-uri="https://token.actions.githubusercontent.com" \
--attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
--attribute-condition="assertion.repository_owner == 'OWNER'"
- Allow tokens from one repository to impersonate the service account
gcloud iam service-accounts add-iam-policy-binding \
my-service-account@my-project.iam.gserviceaccount.com \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/attribute.repository/OWNER/REPO"
The role granted on the service account itself is roles/iam.workloadIdentityUser, which only permits impersonation; the SA's own permissions on Cloud Storage come from the binding in section 1. The attribute condition is the second line of defence: without it, any GitHub repository in the world can obtain a federated token from this pool, and only the member string stands between it and your SA. Never bind a whole pool (.../github-pool/*) to a service account.
- Use GitHub Actions to authenticate
permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Authenticate with GCP
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: "projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
          service_account: "my-service-account@my-project.iam.gserviceaccount.com"
With this setup GitHub issues the job a short-lived OIDC token, the auth action exchanges it at Google's STS for a federated token and uses that to obtain an access token for the service account, so the workflow can deploy to GCP with no stored secret. Outside GitHub Actions, gcloud auth login --cred-file=... performs the same exchange; the file it takes is a credential configuration generated with gcloud iam workload-identity-pools create-cred-config, which contains no secret, not a service account key.
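To make the exchange above concrete, here is an added example (not code from the guide or from Google) that models both sides of it offline: the identity provider minting the job's token, the STS checks on signature, issuer, audience, expiry and the attribute condition, the attribute mapping into principal:// and principalSet:// members, and finally the match against the roles/iam.workloadIdentityUser binding from the setup steps. Its simplifications are assumptions for the demo: the token is HS256-signed with a shared secret where GitHub really uses RS256 keys published at the issuer's JWKS URL, the attribute condition is a Python callable where the real one is a CEL expression, and PROJECT_NUMBER, OWNER and REPO are the guide's placeholders. Function names (mint_token, exchange, may_impersonate, decide) are this example's own.

```python
"""Model of the Workload Identity Federation exchange for a GitHub Actions job.

Added example; not code from the guide or from Google. Assumptions for the
demo: HS256 with a shared secret stands in for GitHub's RS256/JWKS signing,
a Python callable stands in for the CEL attribute condition, and
PROJECT_NUMBER / OWNER / REPO are placeholders. All tokens are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

POOL = "projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool"
PROVIDER = {
    "issuer": "https://token.actions.githubusercontent.com",
    # audience the google-github-actions/auth action requests by default
    "audience": f"https://iam.googleapis.com/{POOL}/providers/github-provider",
    # --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository"
    "mapping": {"google.subject": "sub", "attribute.repository": "repository"},
    # --attribute-condition="assertion.repository_owner == 'OWNER'"
    "condition": lambda assertion: assertion.get("repository_owner") == "OWNER",
}
# roles/iam.workloadIdentityUser binding on the service account (setup step above)
SA_BINDINGS = [
    (f"principalSet://iam.googleapis.com/{POOL}/attribute.repository/OWNER/REPO",
     "roles/iam.workloadIdentityUser"),
]
DEMO_SECRET = b"demo-shared-secret"  # stand-in for GitHub's private signing key


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=DEMO_SECRET):
    """Identity-provider side: issue a signed JWT carrying the job's claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def exchange(token, provider=PROVIDER, secret=DEMO_SECRET, now=None):
    """STS side: validate the external token and map it to GCP principals.

    Raises ValueError for anything the STS would refuse to exchange.
    """
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    assertion = json.loads(_unb64url(body))
    if assertion.get("iss") != provider["issuer"]:
        raise ValueError("wrong issuer")
    if assertion.get("aud") != provider["audience"]:
        raise ValueError("wrong audience")
    if assertion.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if not provider["condition"](assertion):
        raise ValueError("attribute condition not met")
    principals = []
    for target, claim in provider["mapping"].items():
        if claim not in assertion:
            raise ValueError(f"claim {claim!r} missing for {target}")
        if target == "google.subject":
            principals.append(f"principal://iam.googleapis.com/{POOL}/subject/{assertion[claim]}")
        else:  # attribute.<name> becomes a principalSet member
            principals.append(f"principalSet://iam.googleapis.com/{POOL}/{target}/{assertion[claim]}")
    return principals


def may_impersonate(principals, bindings=SA_BINDINGS):
    """IAM side: is a mapped principal bound as workloadIdentityUser on the SA?"""
    return any(member in principals and role == "roles/iam.workloadIdentityUser"
               for member, role in bindings)


def github_job_claims(owner, repo, ref="refs/heads/main", ttl=300):
    """Subset of the claims GitHub puts in a job's OIDC token (constructed)."""
    return {
        "iss": PROVIDER["issuer"],
        "aud": PROVIDER["audience"],
        "sub": f"repo:{owner}/{repo}:ref:{ref}",
        "repository": f"{owner}/{repo}",
        "repository_owner": owner,
        "exp": int(time.time()) + ttl,
    }


def decide(claims):
    """Run the whole exchange for a token carrying these claims."""
    try:
        principals = exchange(mint_token(claims))
    except ValueError as err:
        return f"rejected by STS: {err}"
    return "allowed" if may_impersonate(principals) else "denied by IAM binding"


if __name__ == "__main__":
    print(decide(github_job_claims("OWNER", "REPO")))        # allowed
    print(decide(github_job_claims("OWNER", "other-repo")))  # denied by IAM binding
    print(decide(github_job_claims("attacker", "REPO")))     # rejected by STS: attribute condition not met
```

Note the two separate gates: a token from another repository under the same owner passes the STS but fails the IAM binding, while a token from a different owner never reaches IAM because the attribute condition rejects it. Replace the condition with one that always returns True and the second case shows what an unconditioned provider exposes.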
Difference Between Service Account and Workload Identity Provider
Comparison | Service Account (SA) | Workload Identity Provider (WIP)
---|---|---
Purpose | The GCP identity a workload acts as | A way for an external identity to obtain GCP credentials, usually by impersonating an SA, without a key
Authentication Method | Attached SA via the metadata server inside GCP; JSON key file outside GCP | External OIDC / SAML / AWS token exchanged at Google's STS for a short-lived token (no key file)
Common Use Cases | Cloud Run, Compute Engine, GKE | AWS, GitHub Actions, external Kubernetes
Security | Key files are long-lived secrets that can leak and never expire on their own | Short-lived tokens tied to the external identity; nothing secret to store
Management Complexity | Manual key creation, rotation and revocation | Identity federation; no key management
When to Use Each?
Scenario | Recommended Authentication Method
---|---
GCP-internal authentication (Cloud Run, GKE, etc.) | Attached Service Account (metadata server, no key)
Local development | Your own user identity via gcloud auth application-default login, impersonating a Service Account where needed
CI/CD accessing GCP | Workload Identity Provider (a JSON key only if the CI system offers no OIDC token at all)
GitHub Actions deploying to GCP | Workload Identity Provider
AWS (IAM) or other clouds accessing GCP | Workload Identity Provider
Summary
- Service Account (SA): the identity a workload acts as inside GCP (Cloud Run, GKE, Compute Engine); an attached SA needs no key.
- Workload Identity Provider (WIP): lets external identities (GitHub, AWS, external Kubernetes) obtain short-lived GCP credentials, usually by impersonating an SA.
- WIP eliminates the need for service account keys, removing the most commonly leaked kind of GCP credential.
If you are working within GCP, attach a Service Account. If accessing GCP from an external system, use Workload Identity Federation; fall back to a JSON key only when federation is impossible, and then rotate it.