I have a Firebase cloud function that needs to use the Firebase Admin SDK service account for authentication. By default, Firebase cloud functions use Google Cloud's default compute service account, which doesn't have the necessary permissions. And I can't find a way to change that behavior within GC. What is the best practice here?
The documentation tells you what Workload Identity Platform is used for:
Using Workload Identity Federation, you can provide on-premises or multicloud workloads with access to Google Cloud resources by using federated identities instead of a service account key.
Also:
Traditionally, applications running outside Google Cloud can use service account keys to access Google Cloud resources. However, service account keys are powerful credentials, and can present a security risk if they are not managed correctly. Workload Identity Federation eliminates the maintenance and security burden associated with service account keys.
If this isn't what you need (multicloud part access and security risk mitigation), then there is little need to use Workload Identity Federation. It's just up to you to manage your service accounts in a way that meets your particular security needs.
Without knowing your specific needs on these points, there is not really a "best practice" to follow - do what makes sense for your product's requirements.