Ryan Canty
1 min read · Jul 28, 2020


I've seen a few ways of solving this depending on the implementation of your pipeline. If you're running either Cloud Build or a self-hosted pipeline (Jenkins, Spinnaker, etc.) in Google Cloud, you can just bind the service account to the compute resources running your pipeline and you don't need a key. If you're outside GCP, you could use HashiCorp Vault to generate short-lived service account keys that expire after a pre-determined TTL. Vault gives you more options for servers to authenticate securely, such as AWS, Azure, etc. So TL;DR: if you're inside GCP at all, don't download keys. If you're outside GCP, use a credential proxy like HashiCorp Vault. Hope this helps! :)
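An added example, not part of the original post: one way to audit whether the advice above is being followed is to flag user-managed (downloadable) service account keys that have outlived the TTL a credential proxy is supposed to enforce. It assumes input shaped like `gcloud iam service-accounts keys list --format=json` (the `name`, `keyType` and `validAfterTime` fields of the IAM API); the sample data, the function names and the one-hour TTL are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `gcloud iam service-accounts keys list
# --format=json` output; project, account and key ids are placeholders.
SA = "projects/example-proj/serviceAccounts/ci@example-proj.iam.gserviceaccount.com"
SAMPLE_KEYS = json.loads("""[
  {"name": "%(sa)s/keys/aaa111", "keyType": "SYSTEM_MANAGED",
   "validAfterTime": "2020-07-01T00:00:00Z"},
  {"name": "%(sa)s/keys/bbb222", "keyType": "USER_MANAGED",
   "validAfterTime": "2020-07-28T09:40:00Z"},
  {"name": "%(sa)s/keys/ccc333", "keyType": "USER_MANAGED",
   "validAfterTime": "2019-11-02T12:00:00Z"}
]""" % {"sa": SA})


def parse_ts(value):
    """Parse the UTC timestamps used in the key listing."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_user_keys(keys, max_ttl, now):
    """Return (key_id, age) for user-managed keys older than max_ttl, oldest first.

    SYSTEM_MANAGED keys are created and rotated by Google and cannot be
    downloaded, so they are skipped. USER_MANAGED keys are the downloadable
    kind; if a credential proxy issues them with a TTL, none should be older
    than that TTL.
    """
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_ts(key["validAfterTime"])
        if age > max_ttl:
            findings.append((key["name"].rsplit("/", 1)[-1], age))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    now = datetime(2020, 7, 28, 10, 0, tzinfo=timezone.utc)  # fixed for the sample
    for key_id, age in stale_user_keys(SAMPLE_KEYS, timedelta(hours=1), now):
        print(f"user-managed key {key_id} is {age.days} days old; revoke or rotate")
```

An empty result for a project that runs entirely inside GCP means no downloaded keys exist; outside GCP, it means every issued key is still within its TTL.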
