{"id":"wif-direct-access-preferred-over-impersonation","text":"Direct resource access (granting IAM roles directly to federated identities) is preferred over service account impersonation; impersonation requires the federated identity to hold `roles/iam.workloadIdentityUser` on the impersonated service account.","truth_value":"IN","source":"entries/2026/03/10/iam-workload-identity.md","source_url":"","source_hash":"382498753f9993ff","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"wif-direct-access-preferred-over-impersonation","truth_value":"IN","reason":"premise"}]}}