The usual approach to consuming cloud services from Kubernetes is to create a service account with the appropriate permissions, generate a key, store that key in some secure location, create a secret with that key during deployment, and mount it into a pod for the workload to consume. This scenario has two major downsides: Where do we store the key securely? How do we implement a key rotation policy?