Credentials from GCP service account initial setup - running Terraform from Gitlab to automate CI/CD inside GCP

Hi all - I’m starting to set up the bones for a GCP based project. We’ll be running our pipeline with a Gitlab repository backend - pushing to a GCP project and letting the runners automate off the GCP bucket/project we’re pushing them to.

So far we have a GCP service account to use (albeit may need permissions adjusted) and a cloud storage bucket set up to push a project into via terraform/see if we can get a terraform yml to push to it.

Obviously I don’t want to pull the actual hard json credentials of the GCP service account we’re using - which leaves me some questions for the actual validation.

I’m using the GCP CFT Project Factory module to create a project internal to our bucket - but what would be the best practices to tell Gitlab to use the GCP service account without creating a hard JSON? Where should this authentication be stored (Yml/other tf file?)

Thanks for any input/advice