Default Credentials — uses the host environment's ADC.
Workload Identity Federation ⭐ (recommended) — Project Id,
Provider, Service Account Email. No JSON keys.
Impersonated Service Account — delegate from a source identity to a
target service account.
Permissions checklist
The invoking identity must hold Cloud Functions Invoker
(roles/cloudfunctions.invoker) on the function (Gen 1) or Cloud Run
Invoker (roles/run.invoker) on the underlying Cloud Run service
(Gen 2).
For Workload Identity Federation configure the Pool/Provider trust to
match the Polysync host identity.