The GSM connector's OIDC authentication configuration uses a single gcpProjectId field for two distinct purposes:
1. Constructing the Workload Identity Pool (WIP) path for authentication
2. Specifying which GCP project contains the Secret Manager secrets
This design prevents customers from using a centralized Workload Identity Pool in a separate GCP project from where their secrets are stored, a common enterprise security pattern where IAM infrastructure is managed centrally.
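To make the coupling concrete, the following is an added illustration (not Harness's own code) that models the two resource paths the connector derives from its configuration: the current single-field design beside a hypothetical split design with separate identity and secrets projects. The path formats are GCP's documented ones; iamProjectId and secretsProjectId are assumed field names, and the project and pool values are constructed samples.

```python
import re
from dataclasses import dataclass

# GCP resource path formats derived from the connector configuration.
WIP_AUDIENCE = ("//iam.googleapis.com/projects/{project}/locations/global/"
                "workloadIdentityPools/{pool}/providers/{provider}")
SECRET_NAME = "projects/{project}/secrets/{secret}/versions/{version}"


@dataclass(frozen=True)
class CurrentOidcConfig:
    """Current design: one gcpProjectId drives both derived resource paths."""
    gcpProjectId: str   # the connector field the report is about
    pool_id: str
    provider_id: str

    def wip_audience(self) -> str:
        # Note: GCP's audience format expects the numeric project number here.
        return WIP_AUDIENCE.format(project=self.gcpProjectId, pool=self.pool_id,
                                   provider=self.provider_id)

    def secret_name(self, secret_id: str, version: str = "latest") -> str:
        return SECRET_NAME.format(project=self.gcpProjectId, secret=secret_id,
                                  version=version)


@dataclass(frozen=True)
class SplitOidcConfig:
    """Hypothetical split design: identity project and secrets project differ."""
    iamProjectId: str       # assumed field: project hosting the central WIP
    secretsProjectId: str   # assumed field: project hosting the secrets
    pool_id: str
    provider_id: str

    def wip_audience(self) -> str:
        return WIP_AUDIENCE.format(project=self.iamProjectId, pool=self.pool_id,
                                   provider=self.provider_id)

    def secret_name(self, secret_id: str, version: str = "latest") -> str:
        return SECRET_NAME.format(project=self.secretsProjectId, secret=secret_id,
                                  version=version)


def project_of(resource_path: str) -> str:
    """Return the project segment of a GCP resource path."""
    return re.search(r"projects/([^/]+)/", resource_path).group(1)


def uses_central_pool(cfg, central_iam_project: str) -> bool:
    """True if the connector would authenticate against a WIP in the central IAM project."""
    return project_of(cfg.wip_audience()) == central_iam_project


if __name__ == "__main__":
    current = CurrentOidcConfig("app-team-a", "harness-pool", "harness-oidc")
    split = SplitOidcConfig("central-iam", "app-team-a", "harness-pool", "harness-oidc")
    print(uses_central_pool(current, "central-iam"))  # False: pool must live in app-team-a
    print(uses_central_pool(split, "central-iam"))    # True
```

With the current design, the WIP project and the secrets project are necessarily identical, which is exactly what forces one pool per application project.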
Business Impact
Customer Scenario:
- Enterprise customer with centralized IAM management
- IAM team controls all service accounts and WIPs from dedicated security/IAM GCP projects
- Multiple application teams have secrets in their own GCP projects
- Each team's Harness project needs to access secrets from their respective GCP project
- Security governance model requires central control of identity infrastructure
Current Limitation:
Customer must create a separate WIP in each application GCP project, which:
- Violates their security governance model (decentralized identity management)
- Creates operational overhead (one WIP per Harness project/team)
- Prevents the IAM team from maintaining centralized control