To minimize the use of service account keys and implement Workload Identity Federation (WIF) with your on-premises identity provider, you can use a workload identity pool integrated with your corporate Active Directory Federation Service (ADFS). This setup allows your on-premises Windows-based applications to authenticate to Google Cloud APIs with short-lived tokens instead of long-lived service account keys that would otherwise have to be distributed, stored and rotated.
1. Set Up a Workload Identity Pool:
   - In the Google Cloud Console, go to IAM & Admin > Workload Identity Federation.
   - Create a new workload identity pool.
   - Configure the pool to trust your corporate ADFS by specifying the federation provider details.
2. Create a Workload Identity Provider:
   - Within the created pool, set up a new provider for ADFS.
   - Configure the provider with the necessary details, such as the issuer URL and credentials.
3. Configure Impersonation Rules:
   - Set up rules that allow principals in the workload identity pool to impersonate specific Google Cloud service accounts.
   - This is done by specifying the identity provider and the conditions under which the service accounts can be impersonated.
4. Update Applications:
   - Modify your on-premises applications to use the configured ADFS authentication to obtain tokens.
   - These tokens are then exchanged for Google Cloud access tokens, which the applications use to call Google Cloud APIs securely.
By setting up the workload identity pool and configuring impersonation rules, you achieve secure authentication without needing to distribute and manage service account keys.
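The exchange performed in step 4, as an added Python example that is not part of the original answer: the ADFS-issued token (an OIDC JWT or a SAML 2.0 assertion) is sent to Google's Security Token Service with the pool/provider audience, and the federated token that comes back is used to call generateAccessToken on the target service account. The project number, pool, provider and service account names are placeholders, and the `post` transport is injectable so the flow can be exercised offline.

```python
import json
import urllib.request

STS_URL = "https://sts.googleapis.com/v1/token"
CLOUD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
# ADFS can issue either an OIDC JWT or a SAML 2.0 assertion; STS needs to know which.
SUBJECT_TOKEN_TYPES = {"oidc": "urn:ietf:params:oauth:token-type:jwt",
                       "saml": "urn:ietf:params:oauth:token-type:saml2"}

def provider_audience(project_number, pool_id, provider_id):
    """Audience naming the pool/provider that must vouch for the ADFS token."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")

def sts_request(audience, subject_token, protocol="oidc"):
    """Body for the STS exchange: ADFS token in, short-lived federated token out."""
    return {"grant_type": TOKEN_EXCHANGE, "audience": audience, "scope": CLOUD_SCOPE,
            "requested_token_type": ACCESS_TOKEN_TYPE,
            "subject_token_type": SUBJECT_TOKEN_TYPES[protocol],
            "subject_token": subject_token}

def impersonation_url(service_account_email):
    """IAM Credentials endpoint that mints a token for the impersonated account."""
    return ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{service_account_email}:generateAccessToken")

def _post_json(url, body, headers=None):
    """Default transport: JSON POST over HTTPS (replaced by a fake in offline tests)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def get_access_token(adfs_token, audience, service_account_email,
                     protocol="oidc", post=_post_json):
    """Step 1: STS exchange. Step 2: impersonate the service account with the result.
    No long-lived key is involved: both tokens expire (one hour by default)."""
    federated = post(STS_URL, sts_request(audience, adfs_token, protocol))
    if federated.get("token_type") != "Bearer" or "access_token" not in federated:
        raise RuntimeError("STS did not return a bearer token: %r" % federated)
    minted = post(impersonation_url(service_account_email),
                  {"scope": [CLOUD_SCOPE], "lifetime": "3600s"},
                  {"Authorization": f"Bearer {federated['access_token']}"})
    return minted["accessToken"], minted["expireTime"]
```

The impersonation call only succeeds if the pool principal was granted roles/iam.workloadIdentityUser on that service account in step 3, which is where the "who may impersonate whom" decision is enforced.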
References:
- Workload Identity Federation Documentation
- Federating On-Premises Identities to Workload Identity Federation