We've been migrating GCP workloads off long-lived SA keys to Workload Identity Federation. The process is straightforward, but there's one misconfiguration almost nobody covers:
Without an attribute_condition on the provider, you implicitly trust every public GitHub repository to exchange a token against your project. Any stranger can fork a workflow and impersonate your service account.
One line of config makes the difference:
--attribute-condition="assertion.repository_owner == 'your-org'"
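An added example (not from the post or the linked guide) of how a defender can audit existing providers for this trap: it takes the name/condition pairs that `gcloud iam workload-identity-pools providers list --format="value(name,attributeCondition)"` emits and flags any provider with no attribute condition, or with a condition that does not pin `repository`/`repository_owner` (a branch-only condition still trusts that branch in every public repo). The pool name `github-pool`, the project number and the provider names are assumed placeholders, the sample output is constructed so the script runs offline, and the "pins a repository" test is a plain substring heuristic, not a CEL parser.

```shell
#!/usr/bin/env sh
# Audit Workload Identity Pool providers for a missing or too-loose
# attributeCondition. Example code, not part of the original post.

TAB="$(printf '\t')"

audit_providers() {
    # stdin: one provider per line, "<name><TAB><attributeCondition>", exactly as
    #   gcloud iam workload-identity-pools providers list \
    #       --workload-identity-pool=github-pool --location=global \
    #       --format="value(name,attributeCondition)"
    # prints it (assumed pool/location names). An empty condition leaves the
    # provider open to every GitHub repository; a condition that never mentions
    # the repository is still open to every repository that satisfies it.
    # Exit status: 1 if any finding, 0 if every provider is pinned.
    awk -F "$TAB" '
        {
            name = $1; cond = $2
            if (cond == "") {
                print "OPEN: " name " has no attribute condition (any public repo can exchange a token)"
                bad++
            } else if (cond !~ /repository/) {
                print "WEAK: " name " condition \"" cond "\" does not pin repository or repository_owner"
                bad++
            } else {
                print "OK:   " name
            }
        }
        END { exit (bad > 0) ? 1 : 0 }
    '
}

sample_providers() {
    # CONSTRUCTED stand-in for the gcloud output above; project number and
    # provider names are placeholders.
    printf '%s\t%s\n' \
        'projects/000000000000/locations/global/workloadIdentityPools/github-pool/providers/open-provider' '' \
        'projects/000000000000/locations/global/workloadIdentityPools/github-pool/providers/branch-only' "assertion.ref == 'refs/heads/main'" \
        'projects/000000000000/locations/global/workloadIdentityPools/github-pool/providers/pinned' "assertion.repository_owner == 'your-org'"
}

create_pinned_provider() {
    # The corrected shape of the provider, for reference (runs gcloud, so it is
    # defined but not called here). $1 = GitHub org to trust (assumed argument).
    gcloud iam workload-identity-pools providers create-oidc github-provider \
        --location=global \
        --workload-identity-pool=github-pool \
        --issuer-uri="https://token.actions.githubusercontent.com" \
        --attribute-mapping="google.subject=assertion.sub,attribute.repository_owner=assertion.repository_owner" \
        --attribute-condition="assertion.repository_owner == '$1'"
}

# Run the audit over the constructed sample when executed directly.
if sample_providers | audit_providers; then
    echo "all providers pinned"
else
    echo "one or more providers need an attribute condition"
fi
```

To run it against a real project, replace `sample_providers` with the `gcloud ... providers list` command from the comment and treat any OPEN or WEAK line as a finding to fix before the provider is granted to a service account.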
Wrote up the full field guide - how the keyless token exchange works, GitHub Actions with zero secrets, the trap diagram, zero-downtime migration from existing keys, and the org policy that prevents keys from ever coming back:
https://www.alekseialeinikov.com/en/blog/topics/security/kill-service-account-keys-workload-identity-federation-2026
Happy to answer questions if anyone is in the middle of a similar migration.