Feature Description
Replace the generation of long-lived, static user-managed Service Account keys with Workload Identity Federation or Service Account Impersonation.
Use Case
Long-lived, static credentials pose a massive security risk as they do not automatically expire and are highly susceptible to being leaked. This feature ensures secure, short-lived access.
Proposed Solution
Remove the google_service_account_key resource blocks from modules/iam-service-account/main.tf and modules/iam-service-account/iam.tf. Grant the necessary identities the roles/iam.serviceAccountTokenCreator role to allow temporary impersonation instead of exporting physical key files.
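As an added example (not the Stellar Engine module's own code), the key-exporting pattern this request removes, beside the impersonation and Workload Identity Federation bindings that replace it; the project id, group, project number, pool id and repository are placeholders:

```hcl
# Added example, not code from modules/iam-service-account. All values below
# ("my-project", the group, the project number, "ci-pool", the repo) are
# placeholders to be replaced with the module's own inputs.

resource "google_service_account" "deployer" {
  project      = "my-project"            # placeholder
  account_id   = "ci-deployer"
  display_name = "CI deployer (no user-managed keys)"
}

# BEFORE (the block the feature request removes): a static key that never
# expires, whose private half is written into Terraform state and into every
# place the exported file is copied.
# resource "google_service_account_key" "deployer" {
#   service_account_id = google_service_account.deployer.name
# }

# AFTER, option 1: Service Account Impersonation. A named principal may mint
# short-lived access tokens for the SA (one hour by default); no key exists.
resource "google_service_account_iam_member" "token_creator" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "group:platform-ci@example.com"   # placeholder
}

# AFTER, option 2: Workload Identity Federation. An external OIDC identity
# (here: a CI runner for one repository in a pool) is allowed to act as the SA.
# Scope the principalSet as narrowly as the attribute mapping allows.
resource "google_service_account_iam_member" "wif_user" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/ci-pool/attribute.repository/example-org/example-repo"
}

# Consumers then impersonate the SA at the provider level instead of loading a
# key file; the token is obtained on demand and nothing is written to disk.
provider "google" {
  alias                       = "impersonated"
  project                     = "my-project"   # placeholder
  impersonate_service_account = "ci-deployer@my-project.iam.gserviceaccount.com"
}
```

Dropping the google_service_account_key block causes Terraform to delete the key on the next apply, which also invalidates any copies that were exported. Earlier state snapshots that captured the private key should still be treated as sensitive material.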
Compliance & Deployment Context
- Target Deployment Type(s):
Reusability Check
Stellar Engine prioritizes reusability.
Alternatives Considered
Continuing to use JSON key files, which triggers automatic API rejections via Organization Policies in Assured Workloads environments.
Additional Context
N/A