Hi @samryanturner. I've provided a link here related to using short-lived credentials with WIF. If this is still not close to what you're looking for, can you provide some more architectural details on how the scenario differs from the docs? Thanks!
https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials
I can set it up in my lab and get a better understanding of the integration. How would this minimize the use of service account keys though - you are still going to need one here.
WIF should remove the requirement for keys -
"Optional
The client email address of your workload identity.
You can configure this parameter or the Service Account JSON File Content parameter.
To impersonate service accounts with the workload identity email address, grant the Service Account Token Creator role to your service account. For more details about workload identities and how to work with them, see Identities for workloads."
https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/gmail#integrate
WIF is normally for workloads authenticating from outside of GCP; documentation on setting up a pool for Workspace is non-existent from initial searches.
Hey, thanks.
This is for Workforce Identity Federation, however. The docs state I should be able to use a Workload Identity Email address instead of a Service Account Key JSON file for the integration - https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/gmail#integrate