Pattern 1 Federated → Service Account
A CI runner arrives with no GCP credentials. Watch it acquire them through OIDC federation, then use them to impersonate a service account and make an authenticated API call — four steps, three identity contexts, one shared API endpoint.
Chain at a glance
OIDC JWT → federated principal → SA access token → API response
What this page focuses on
Claim ↔ config matching
Which JWT claims drive which validation steps, and where mismatches reject the chain.
Trust translations
Three identity contexts in one chain, bridged by the IAM bindings between them.
Specificity tradeoffs
How tightly to scope a principalSet — and what each level costs in flexibility vs. security.
Failure modes
What gets rejected, where it happens, and what the actual error response looks like.
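To make the chain and the focus areas above concrete, here is an added Python walk-through; it is not code from the original page. It simulates the two hops locally (the STS token exchange and the IAM Credentials generateAccessToken call) with constructed placeholder values for the project number, pool, provider, service account, JWT claims and IAM bindings, so the claim-to-config checks, the translation from JWT subject to a principal:// identity to a service-account token, the three principalSet specificity levels and the error shapes can all be traced offline. Request and response field names follow the real sts.googleapis.com and iamcredentials.googleapis.com APIs; the error wording and token contents are illustrative, and JWT signature verification against the issuer's JWKS is omitted.

```python
import base64
import json
import time

# --- Constructed configuration: every identifier below is a placeholder ------
PROJECT_NUMBER = "123456789012"
POOL_ID = "ci-pool"
PROVIDER_ID = "ci-oidc"
SA_EMAIL = "deployer@example-project.iam.gserviceaccount.com"
POOL_PATH = f"projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/{POOL_ID}"
PROVIDER_PATH = f"{POOL_PATH}/providers/{PROVIDER_ID}"

PROVIDER = {
    "issuer_uri": "https://ci.example.com",
    # a provider's default allowed audience is its own resource name under iam.googleapis.com
    "allowed_audiences": [f"https://iam.googleapis.com/{PROVIDER_PATH}"],
    # attribute mapping: pool attribute -> claim path (written as CEL "assertion.<claim>" in real config)
    "attribute_mapping": {"google.subject": "assertion.sub",
                          "attribute.repository": "assertion.repository"},
    # attribute condition: Python stand-in for the CEL expression  assertion.repository == "example-org/app"
    "attribute_condition": lambda attrs: attrs.get("attribute.repository") == "example-org/app",
}
STS_AUDIENCE = f"//iam.googleapis.com/{PROVIDER_PATH}"   # "audience" field of the STS request
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_jwt(claims: dict) -> str:
    """Build an OIDC JWT for the demo. The signature is a placeholder: the real STS
    endpoint verifies it against the issuer's JWKS, which is out of scope here."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def sts_exchange(request: dict, provider: dict, now=None):
    """Simulated POST https://sts.googleapis.com/v1/token. Returns (status, body).
    Errors use the OAuth error/error_description shape; the wording is illustrative."""
    now = time.time() if now is None else now

    def reject(msg):
        return 400, {"error": "invalid_request", "error_description": msg}

    if request.get("grantType") != TOKEN_EXCHANGE:
        return reject("grantType must be the RFC 8693 token-exchange URN")
    if request.get("audience") != STS_AUDIENCE:
        return reject("audience does not name this workload identity provider")
    claims = json.loads(_unb64url(request["subjectToken"].split(".")[1]))
    # Claim <-> config matching: each check is a point where the chain is rejected.
    if claims.get("iss") != provider["issuer_uri"]:
        return reject("iss claim does not match the provider's issuer_uri")
    aud = claims.get("aud")
    if not set(aud if isinstance(aud, list) else [aud]) & set(provider["allowed_audiences"]):
        return reject("aud claim is not in the provider's allowed audiences")
    if claims.get("exp", 0) <= now:
        return reject("token is expired")
    # Attribute mapping turns raw claims into pool attributes; google.subject is mandatory.
    attrs = {target: claims[path.removeprefix("assertion.")]
             for target, path in provider["attribute_mapping"].items()
             if path.removeprefix("assertion.") in claims}
    if "google.subject" not in attrs:
        return reject("attribute mapping produced no google.subject")
    if not provider["attribute_condition"](attrs):
        return reject("credential rejected by the attribute condition")
    # Simulated federated token: opaque in practice, here it carries the mapped attributes.
    token = "fed." + _b64url(json.dumps(attrs).encode())
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600,
                 "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"}


def federated_principal(attrs: dict) -> str:
    """The principal:// identity IAM sees after the exchange (the second identity context)."""
    return f"principal://iam.googleapis.com/{POOL_PATH}/subject/{attrs['google.subject']}"


def member_matches(member: str, attrs: dict) -> bool:
    """Does an IAM member string cover this federated identity? Three specificity levels."""
    base = f"iam.googleapis.com/{POOL_PATH}"
    if member == federated_principal(attrs):
        return True                                     # tightest: exactly one subject
    attr_prefix = f"principalSet://{base}/attribute."
    if member.startswith(attr_prefix):                  # everyone sharing one attribute value
        key, _, value = member[len(attr_prefix):].partition("/")
        return attrs.get(f"attribute.{key}") == value
    return member == f"principalSet://{base}/*"         # broadest: the whole pool


def generate_access_token(federated_token: str, bindings: list, sa_email: str = SA_EMAIL):
    """Simulated POST .../serviceAccounts/{sa}:generateAccessToken. The federated principal
    needs roles/iam.workloadIdentityUser on the SA, otherwise an API-style 403 comes back."""
    attrs = json.loads(_unb64url(federated_token.removeprefix("fed.")))
    if not any(role == "roles/iam.workloadIdentityUser" and member_matches(member, attrs)
               for member, role in bindings):
        return 403, {"error": {"code": 403, "status": "PERMISSION_DENIED",
                               "message": f"{federated_principal(attrs)} may not impersonate {sa_email}"}}
    return 200, {"accessToken": f"sa-token.{sa_email}", "expireTime": "2030-01-01T00:00:00Z"}


def run_chain(jwt: str, provider: dict, bindings: list, now=None) -> dict:
    """Run both hops and report which step rejected the chain, if any."""
    status, body = sts_exchange({"grantType": TOKEN_EXCHANGE, "audience": STS_AUDIENCE,
                                 "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
                                 "scope": "https://www.googleapis.com/auth/cloud-platform",
                                 "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
                                 "subjectToken": jwt}, provider, now)
    if status != 200:
        return {"failed_at": "sts", "status": status, "body": body}
    status, body = generate_access_token(body["access_token"], bindings)
    if status != 200:
        return {"failed_at": "generateAccessToken", "status": status, "body": body}
    return {"failed_at": None, "status": 200, "sa_token": body["accessToken"]}


# Constructed sample inputs: a CI token for one repository, and a binding scoped to that repository.
CLAIMS = {"iss": "https://ci.example.com", "sub": "repo:example-org/app:ref:refs/heads/main",
          "aud": PROVIDER["allowed_audiences"][0], "repository": "example-org/app", "exp": 4102444800}
BINDINGS = [(f"principalSet://iam.googleapis.com/{POOL_PATH}/attribute.repository/example-org/app",
             "roles/iam.workloadIdentityUser")]

if __name__ == "__main__":
    print(json.dumps(run_chain(make_demo_jwt(CLAIMS), PROVIDER, BINDINGS), indent=2))
```

Changing one claim in CLAIMS (the audience, the repository, the expiry) moves the rejection to the STS step; emptying BINDINGS or narrowing them to a different repository moves it to generateAccessToken, which is the split the failure-modes section describes. Swapping the binding member between the principal://, attribute-scoped principalSet:// and pool-wide principalSet://.../* forms shows the specificity tradeoff: the pool-wide form accepts any subject the provider admits, so the attribute condition becomes the only thing narrowing who can impersonate the SA.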