Impersonated Service Account ADC vs Service Account Key Security


I am in the process of migrating from service account keys to attaching service accounts to my Cloud Run instances. I have managed to impersonate service accounts for local development and store credential configuration files in a separate JSON for each application (I have a separate service account for each app, as recommended). I then set the ADC by setting the GOOGLE_APPLICATION_CREDENTIALS env var and this is working well.

My question is, what happens if these ADC config files were to be exposed? Does it cause the same issues as an exposed service account key?

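An added example, not part of the original question: a small audit script that reports which long-lived secrets a credential JSON file carries, run here over one impersonated ADC file and one service account key file. The file layouts are an assumption based on what gcloud writes for `--impersonate-service-account` and for downloaded keys; the function names and all sample values are constructed for illustration.

```python
import json
import re

# Fields that hold long-lived secret material in Google credential JSON files.
SECRET_FIELDS = ("private_key", "refresh_token", "client_secret")

def audit_credential(doc, path="$"):
    """List type and secret fields for a credential and anything nested in it."""
    findings = [{
        "path": path,
        "type": doc.get("type", "unknown"),
        "secrets": [f for f in SECRET_FIELDS if doc.get(f)],
    }]
    # An impersonated ADC file embeds the credential used to request tokens
    # for the target service account; recurse so it is reported as well.
    source = doc.get("source_credentials")
    if isinstance(source, dict):
        findings += audit_credential(source, path + ".source_credentials")
    return findings

def impersonation_target(doc):
    """Extract the impersonated service account email, if any."""
    url = doc.get("service_account_impersonation_url", "")
    m = re.search(r"/serviceAccounts/([^:/]+):generateAccessToken", url)
    return m.group(1) if m else None

def summarize(doc):
    findings = audit_credential(doc)
    return {
        "type": findings[0]["type"],
        "impersonates": impersonation_target(doc),
        "long_lived_secrets": sorted(
            f"{x['path']}.{s}" for x in findings for s in x["secrets"]),
    }

# Constructed samples (assumed layouts, placeholder values only).
IMPERSONATED_ADC = {
    "type": "impersonated_service_account", "delegates": [],
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/app-a@example-project.iam.gserviceaccount.com:generateAccessToken",
    "source_credentials": {"type": "authorized_user", "client_id": "constructed-id",
                           "client_secret": "constructed-secret",
                           "refresh_token": "constructed-refresh-token"},
}
SA_KEY = {"type": "service_account", "private_key_id": "constructed",
          "private_key": "CONSTRUCTED-NOT-A-REAL-KEY",
          "client_email": "app-a@example-project.iam.gserviceaccount.com"}

if __name__ == "__main__":
    for name, doc in (("impersonated ADC", IMPERSONATED_ADC), ("SA key", SA_KEY)):
        print(name, json.dumps(summarize(doc)))
```

In this assumed layout the impersonated file holds no service account private key, but it does embed the developer's own `authorized_user` refresh token under `source_credentials`, so the file still warrants the same handling as any other stored secret.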