42 changes: 38 additions & 4 deletions platform-cloud/docs/compute-envs/google-cloud-batch.md
Expand Up @@ -75,14 +75,20 @@ Ask your Google Cloud administrator to grant you the following IAM user permissi
- Service Account User (`roles/iam.serviceAccountUser`) on the job's service account (default: Compute Engine service account)
- View Service Accounts (`roles/iam.serviceAccountViewer`) on the project

To configure a credential in Seqera, you must first create a [service account JSON key file][get-json]:
#### Authentication methods

Seqera supports two methods for authenticating with Google Cloud:

**Service account keys**

To authenticate using a service account key, create a [service account JSON key file](https://cloud.google.com/iam/docs/keys-list-get#get-key):

1. In the Google Cloud navigation menu, select **IAM & Admin > Service Accounts**.
2. Select the email address of the service account.

:::note
The Compute Engine default service account is not recommended for production environments due to its powerful permissions. To use a service account other than the Compute Engine default, specify the service account email address under **Advanced options** on the Seqera compute environment creation form.
:::
:::note
The Compute Engine default service account is not recommended for production environments due to its powerful permissions. To use a service account other than the Compute Engine default, specify the service account email address under **Advanced options** on the Seqera compute environment creation form.
:::

3. Select **Keys > Add key > Create new key**.
4. Select **JSON** as the key type.
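Review bot: the `:::note` admonition placed between steps 2 and 3 sits at column zero, which terminates the ordered list in Markdown, so "3. Select **Keys > Add key > Create new key**." and step 4 will render as a new list restarting at 1; indent the whole `:::note` ... `:::` block by the list-item width (three spaces) so it nests under step 2. The rendered diff also shows two identical copies of that note back to back; if the second is not simply the removed original, drop one. Since the old sentence used a reference-style link (`[service account JSON key file][get-json]`) and the replacement uses an inline URL, check whether the `[get-json]:` link definition elsewhere in the file is now unused and remove it.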
Expand All @@ -92,6 +98,34 @@ A JSON file is downloaded to your computer. This file contains the credential ne

You can manage your key from the **Service Accounts** page.

**Workload Identity Federation**

Workload Identity Federation (WIF) is the recommended authentication method for production and regulated environments because it eliminates the need for long-lived service account keys. WIF uses short-lived OIDC tokens for authentication, which are generated by Seqera Platform.

This requires the following steps in the GCP Console:

1. Create a [Workload Identity Pool and Provider](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers) in your Google Cloud project.
2. Set Seqera as an OIDC provider within the pool. Set the Issuer URL to `https://cloud.seqera.io/api`.
3. Set the **Allowed audiences**. If left empty, GCP derives a default audience from the provider resource path in the format `//iam.googleapis.com/projects/{PROJECT}/locations/global/workloadIden
tityPools/{POOL}/providers/{PROVIDER}`. If you specify a custom value, it must match exactly what you enter in the Token audience field when creating the Google WIF credential in Seqera.
4. Define an attribute mapping and condition. At a minimum set `google.subject=assertion.sub`. This maps the subject claim from Seqera's JWT to GCP's identity space. For more information see [here](https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#mappings-and-conditions)
5. Grant `roles/iam.workloadIdentityUser` on the service account that WIF will impersonate to the Workload Identity Pool principal. This can be set for all pool identities or for a specific workspace. If you have not yet created a service account do so following the guidelines above.

After setting up WIF in the GCP Console, you need the following information to create a credential in Seqera Platform:

1. **Service Account Email**: The email address of the Google Cloud service account that WIF will impersonate.
2. **Workload Identity Provider**: The full resource path of the Workload Identity Provider (e.g., `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`).
3. **Token Audience** (optional): The intended audience for the OIDC token. Configure this if your Workload Identity Provider requires a specific audience value. Ensure this matches what you have configured in the **Allowed Audiences** value in the GCP console.

:::caution
If WIF authentication fails at runtime, verify that:

- The service account has the required roles (see [Service account permissions](#service-account-permissions))
- The Workload Identity Pool principal has `roles/iam.workloadIdentityUser` on the service account
- The Issuer URL configured in the WIF provider matches Platform's URL
- The Token Audience in the credential (if set) matches the Allowed Audiences in the WIF provider
:::

### Cloud Storage bucket

Google Cloud Storage is a type of **object storage**. To access files and store the results for your pipelines, create a **Cloud bucket** that your Seqera service account can access.
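Review bot: step 5 says `roles/iam.workloadIdentityUser` "can be set for all pool identities", but with the issuer fixed to the shared `https://cloud.seqera.io/api` (step 2) and only `google.subject=assertion.sub` mapped (step 4), a pool-wide grant lets any subject that issuer vouches for impersonate the service account; document the restrictive option instead of leaving it implicit: the format of the `sub` claim Seqera emits, how to grant the role to that single subject rather than the whole pool, and a concrete attribute condition, since step 4 tells the reader to "define an attribute mapping and condition" but shows no condition. Step 2 also hardcodes the Issuer URL to `https://cloud.seqera.io/api` while the caution block says it must match "Platform's URL"; state which applies when Platform is not served from cloud.seqera.io. Minor: the default audience path in step 3 (`//iam.googleapis.com/projects/{PROJECT}/locations/global/workloadIden` / `tityPools/...`) is split across two lines in this view, so confirm the source has it on one line; "Token audience field" in step 3 should use the same label as the later **Token Audience** item; and "For more information see [here]" in step 4 should name its target and end with a period.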