Networking, Identity & Private Connectivity

Workload Identity Federation for Non-GKE Workloads Calling Claude on Vertex AI

Your app runs on AWS, or in GitHub Actions, and needs to call Claude on Vertex AI. The tempting shortcut is exporting a service account key file. Google's own docs call that a security risk — and provide the keyless alternative.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Claude on Vertex AI authenticates with Google Cloud credentials — the AnthropicVertex client picks up Application Default Credentials, and production workloads normally run as service accounts granted roles/aiplatform.user. That's straightforward when the workload lives on Google Cloud. It gets awkward when it doesn't: a backend on AWS, a CI pipeline in GitHub Actions or GitLab, a job in a non-GKE Kubernetes cluster, or anything behind Okta, Active Directory, or another identity provider.

The historical answer was to export a service account key — a long-lived JSON credential file — and ship it to the external environment. Google's documentation is blunt about why that's a problem: exported keys are a security risk if mismanaged. They don't expire, they leak into repositories and CI variables, and revoking them is a manual scramble. Workload Identity Federation (WIF) exists to eliminate them.

How the exchange works

WIF lets workloads outside Google Cloud — Google's docs list AWS, Azure, GitHub, GitLab, Kubernetes, Okta, Active Directory, and any OIDC or SAML 2.0 provider — obtain short-lived Google Cloud credentials via token exchange with the Security Token Service (STS). The workload proves its identity with a token from its own environment (an OIDC token, which is a signed identity assertion from a standards-compliant identity provider), and Google's STS trades it for a temporary Google credential. No Google secret is ever stored in the external environment; trust is established by configuration, not by a copied key.

The three building blocks

WIF is organized into a small hierarchy:

ResourceWhat it representsPractical guidance
Workload identity poolA container for external identitiesOne pool per external environment (e.g. one for AWS, one for CI)
Pool providerThe trust relationship to one IdPPoints at your OIDC/SAML issuer — AWS, GitHub, GitLab, Okta, etc.
Attribute mappings & conditionsWhich external identities may authenticate, and as whatMap token claims (repo name, role ARN, subject) and restrict tightly

Access is then granted in one of two documented ways: directly to the external identities (IAM bindings on the federated principals themselves) or through service account impersonation, where federated identities are allowed to act as a designated service account. Either way, the attribute mappings and conditions are your blast-radius control — for a GitHub Actions provider, for instance, conditions on the mapped repository claim ensure that only your deployment repo, not any repository presenting a GitHub token, can authenticate.

Wiring it to Claude specifically

Nothing about the Claude side changes. Whatever principal your federated workload ultimately acts as — the mapped external identity or the impersonated service account — needs the same IAM as any other Vertex AI caller: the aiplatform.endpoints.predict permission, included in roles/aiplatform.user (Vertex AI User). Model enablement in Model Garden remains a separate, one-time admin task requiring roles/consumerprocurement.entitlementManager — see the two-roles article.

Your application code doesn't change either. WIF plugs into Application Default Credentials via a credential configuration file (generated when you set up the provider), so the standard client works as-is once the environment is configured:

from anthropic import AnthropicVertex

# ADC resolves the WIF credential configuration automatically
client = AnthropicVertex(project_id="my-project", region="us-east5")

message = client.messages.create(
    model="claude-opus-4-8",
    max_tokens=1024,
    messages=[{"role": "user", "content": "Hello from AWS"}],
)

Why security teams prefer this, in audit terms

Worth knowing: Anthropic offers a conceptually similar workload identity federation for its first-party API — short-lived OIDC-based tokens instead of long-lived API keys. If you standardize on keyless auth, you can apply the pattern on both 1P and Vertex; see Anthropic's WIF article.

Where to go next

Start with the ADC auth guide if your workloads are still on Google Cloud, and least privilege for scoping what a federated identity may do once inside.

Sources