
How we removed all service account keys using Workload Identity Federation — and the attribute_condition trap nobody warns you about

  • July 1, 2026

a_aleinikov

We've been migrating GCP workloads off long-lived SA keys to Workload Identity Federation. The process is straightforward, but there's one misconfiguration almost nobody covers:

Without an attribute_condition on the provider, you implicitly trust every public GitHub repository to exchange a token against your project. Any stranger can fork a workflow and impersonate your service account.

One line of config makes the difference:

--attribute-condition="assertion.repository_owner == 'your-org'"

Wrote up the full field guide - how the keyless token exchange works, GitHub Actions with zero secrets, the trap diagram, zero-downtime migration from existing keys, and the org policy that prevents keys from ever coming back:

https://www.alekseialeinikov.com/en/blog/topics/security/kill-service-account-keys-workload-identity-federation-2026

Happy to answer questions if anyone is in the middle of a similar migration.
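As an added example (not code from the post or the linked guide), the exchange decision simulated in Python over constructed, unsigned GitHub OIDC tokens, showing a provider with no attribute condition beside one with the `repository_owner` check. The provider resource name, the claim values and the audience handling are assumptions, and the condition is modelled as a plain predicate rather than a CEL expression.

```python
"""Simulate the WIF token-exchange decision for a GitHub Actions OIDC token,
with and without an attribute condition. Constructed example; the provider
name, audience and claim values are assumptions, not real identifiers."""
import base64
import json

# Assumed provider resource name (placeholder project/pool/provider).
PROVIDER = ("//iam.googleapis.com/projects/123456789/locations/global/"
            "workloadIdentityPools/github-pool/providers/github-provider")


def unsigned_jwt(claims: dict) -> str:
    """Build an *unsigned* JWT (header.payload.) for the simulation only.
    A real exchange verifies the signature against GitHub's JWKS first."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def exchange_allowed(token: str, attribute_condition=None) -> bool:
    """attribute_condition is a predicate over the `assertion` claims;
    None models a provider created without --attribute-condition."""
    assertion = decode_claims(token)
    # Audience must name the provider, but the provider name is not a secret,
    # so this check alone does not restrict which repository may exchange.
    if assertion.get("aud") != PROVIDER:
        return False
    if attribute_condition is None:
        return True   # the trap: any GitHub-issued token with this aud passes
    return attribute_condition(assertion)


# Equivalent of --attribute-condition="assertion.repository_owner == 'your-org'"
def hardened(assertion: dict) -> bool:
    return assertion.get("repository_owner") == "your-org"


# Constructed tokens: one from the org's repo, one from a stranger's fork.
ORG_TOKEN = unsigned_jwt({"aud": PROVIDER, "repository": "your-org/infra",
                          "repository_owner": "your-org", "ref": "refs/heads/main"})
FORK_TOKEN = unsigned_jwt({"aud": PROVIDER, "repository": "stranger/infra",
                           "repository_owner": "stranger", "ref": "refs/heads/main"})

if __name__ == "__main__":
    for name, tok in (("org", ORG_TOKEN), ("fork", FORK_TOKEN)):
        print(name, "no condition:", exchange_allowed(tok),
              "hardened:", exchange_allowed(tok, hardened))
```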