TL;DR
As stated in the google-github-actions/auth documentation:
In this setup, the Workload Identity Pool has direct IAM permissions on Google Cloud resources; there are no intermediate service accounts or keys. This is preferred since it directly authenticates GitHub Actions to Google Cloud without a proxy resource. However, not all Google Cloud resources support principalSet identities. Please see the documentation for your Google Cloud service for more information.