Comprehensive and Detailed Explanation From Exact Extract:
To follow the most secure, Google-recommended practice, avoid creating and handling service account key files.
Option B (Impersonation): This method allows the currently logged-in user to temporarily assume the identity and permissions of the service account. It is keyless, meaning no long-lived secret is downloaded or stored on the local machine, drastically improving security. The gcloud config command sets this behavior for all subsequent gcloud commands in the session.
Reference: Google Cloud Documentation - Best practices for using service accounts: "Avoid creating service account keys... Instead, use service account impersonation or workload identity federation."
Reference: Google Cloud Documentation - Service Account Impersonation (Overview): "With service account impersonation, a user or service can temporarily gain the permissions of a service account... [This] helps you to avoid creating and downloading a service account key."
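The explanation above rests on no key file being downloaded or stored locally. As an added example (not part of the original explanation), this sketch finds JSON files shaped like downloaded service account keys under a directory so they can be removed in favor of impersonation; the directory layout, file names and sample values are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Fields present in a service account key file downloaded as JSON.
KEY_FIELDS = {"type", "private_key", "private_key_id", "client_email"}


def find_service_account_keys(root):
    """Return [(path, client_email, private_key_id)] for key files under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.json")):
        try:
            if path.stat().st_size > 64 * 1024:  # key files are only a few KB
                continue
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON: not a key file
        if not isinstance(doc, dict) or not KEY_FIELDS.issubset(doc):
            continue
        if doc["type"] == "service_account" and "PRIVATE KEY" in str(doc["private_key"]):
            # Report identifiers only; never echo the private key itself.
            findings.append((str(path), doc["client_email"], doc["private_key_id"]))
    return findings


def demo():
    """Scan a constructed directory: one key-shaped file, two benign files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "keys").mkdir()
        # Constructed sample; the key material is a dummy string.
        (root / "keys" / "sa.json").write_text(json.dumps({
            "type": "service_account",
            "project_id": "example-project",
            "private_key_id": "0000placeholder",
            "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMY\n-----END PRIVATE KEY-----\n",
            "client_email": "deployer@example-project.iam.gserviceaccount.com",
        }))
        # A user-credential file has a different "type" and is not reported.
        (root / "adc.json").write_text(json.dumps(
            {"type": "authorized_user", "client_id": "x", "refresh_token": "y"}))
        (root / "broken.json").write_text("{not json")
        return [(Path(p).name, email, kid)
                for p, email, kid in find_service_account_keys(root)]


if __name__ == "__main__":
    for name, email, key_id in demo():
        print(f"service account key file: {name} ({email}, key id {key_id})")
```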