//The problem
A video pipeline ran on AWS but needed Google's Veo 3.1, which lives on Vertex AI. The obvious path — mint a GCP service-account key and stash it in AWS — means a long-lived secret to rotate, audit, and leak. I wanted zero stored credentials crossing the cloud boundary.
//How WIF works
Workload Identity Federation lets GCP trust an external identity provider. The AWS task signs a request with its own IAM identity; GCP's STS verifies that signature and hands back a short-lived access token for a service account it's allowed to impersonate. No key ever exists — the AWS role is the credential.
# exchange the AWS identity for a short-lived GCP token creds = identity_pool.Credentials.from_info(wif_config) creds.refresh(Request()) # STS does the AWS→GCP exchange vertex = aiplatform.init(credentials=creds)
//The payoff
The Fargate task authenticates to Vertex AI on every run with a token that expires in an hour and is never written to disk. Nothing to rotate, nothing to leak, and the audit trail points straight back to the AWS role that made the call.