From 90dc9c3ba6aa0a4d7c0c5bb4333504585c3cd82e Mon Sep 17 00:00:00 2001 From: Yash Sahu <54198301+yash30201@users.noreply.github.com> Date: Tue, 28 Nov 2023 16:31:46 +0000 Subject: [PATCH] chore(docs): info for configuring workload identity federation (#495) --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 91f12b2db..87f6f6064 100644 --- a/README.md +++ b/README.md @@ -257,6 +257,18 @@ print_r((string) $response->getBody()); [iap-proxy-header]: https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_proxy-authorization_header +#### External credentials (Workload identity federation) + +Using workload identity federation, your application can access Google Cloud resources from Amazon Web Services (AWS), +Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). + +Traditionally, applications running outside Google Cloud have used service account keys to access Google Cloud +resources. Using identity federation, you can allow your workload to impersonate a service account. This lets you access +Google Cloud resources directly, eliminating the maintenance and security burden associated with service account keys. + +Follow the detailed instructions on how to +[Configure Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds). + #### Verifying JWTs If you are [using Google ID tokens to authenticate users][google-id-tokens], use
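Review bot: In the new "External credentials (Workload identity federation)" section, the text ends at the link to the Google Cloud setup guide and never says what a user of this library does in PHP once federation is configured. The neighbouring sections end in a code example (the context line above the hunk is `print_r((string) $response->getBody());`), so a sentence or short snippet showing how the library picks up the federated credentials would make the section usable without leaving the README. Two smaller points: the paragraph promises "any identity provider that supports OpenID Connect (OIDC)" while the link path is `workload-identity-federation-with-other-clouds`, so please confirm the target covers OIDC providers or add a second link; and the link is written inline, whereas the surrounding README uses reference-style definitions such as `[iap-proxy-header]: ...` and `[google-id-tokens]`. Since the text says the workload can "impersonate a service account", it would also help to add one line reminding readers to restrict that grant to the specific external identities that need it.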