Currently, connecting Retool to GCP services like Google Drive requires either a service account JSON key or OAuth 2.0 (which ties to a human identity). Both have significant downsides: keys are long-lived secrets that need manual rotation, and OAuth shared credentials break if the authorizing user leaves.
GCP Workload Identity Federation lets external platforms authenticate using short-lived OIDC tokens with zero stored secrets. GitHub Actions, GKE, and most major CI/CD platforms already support this. Adding WIF support for Retool resource authentication would eliminate key management entirely and align with zero-trust security practices.
Ideal implementation: when configuring a GCP resource in Retool, allow specifying a Workload Identity Pool + Provider instead of a key file, so Retool presents its own OIDC token to GCP and receives short-lived access tokens automatically.