https://blog.pcioasis.com/tags/gcp/Recent content in Gcp on PCI Oasis BlogHugoen-usWed, 15 Apr 2026 00:00:00 +0000https://blog.pcioasis.com/posts/secure-devops/replacing-gcp-credentials-cicd-workload-identity/Wed, 15 Apr 2026 00:00:00 +0000https://blog.pcioasis.com/posts/secure-devops/replacing-gcp-credentials-cicd-workload-identity/<h1 id="replacing-static-gcp-credentials-in-cicd-with-workload-identity-federation">Replacing Static GCP Credentials in CI/CD with Workload Identity Federation</h1> <p><em>Part 1 of 2 — Concepts and Architecture</em></p> <p>If your GitHub Actions workflows authenticate to GCP using a stored secret — a service account key JSON, a <code>FIREBASE_TOKEN</code>, or any other long-lived credential — you have a static credential problem. It doesn&rsquo;t matter what format the credential is in. The issue is that it exists at rest, in GitHub, and was generated by a person who may no longer work there.</p>https://blog.pcioasis.com/posts/secure-devops/replacing-gcp-credentials-cicd-wif-setup/Wed, 15 Apr 2026 00:00:00 +0000https://blog.pcioasis.com/posts/secure-devops/replacing-gcp-credentials-cicd-wif-setup/<h1 id="setting-up-workload-identity-federation-an-agent-assisted-rollout">Setting Up Workload Identity Federation: An Agent-Assisted Rollout</h1> <p><em>Part 2 of 2 — Implementation</em></p> <p><a href="./2026-04-15-replacing-gcp-credentials-in-cicd-with-wif.md">Part 1</a> explained the concepts and the three decisions you need to make: where the WIF pool lives, whether to use branch or environment conditions, and who approves production deploys.</p> <p>This post walks through the actual rollout using an AI coding agent (Claude Code) to examine your existing infrastructure, propose a plan, and execute it step by step — with you reviewing and approving at every decision point. The agent handles the mechanical work. You make the security decisions.</p>