diff --git a/broker/client/reader.go b/broker/client/reader.go
index ea912d8d..f31ccbbc 100644
--- a/broker/client/reader.go
+++ b/broker/client/reader.go
@@ -3,6 +3,7 @@ package client
 import (
 	"bufio"
 	"context"
+	"encoding/json"
 	"crypto/tls"
 	"errors"
 	"fmt"
@@ -500,6 +501,11 @@ func (s *gcsBackend) open(ctx context.Context, ep *url.URL, fragment pb.Fragment
 	return gClient.Bucket(cfg.bucket).Object(cfg.rewritePath(cfg.prefix, fragment.ContentPath())).NewReader(ctx)
 }
 
+/ to help identify when JSON credentials are an external account used by workload identity
+ type credentialsFile struct {
+ 	Type string `json:"type"`
+ }
+
 func (s *gcsBackend) gcsClient(ep *url.URL) (cfg GSStoreConfig, client *storage.Client, err error) {
 	var conf *jwt.Config
 
@@ -522,7 +528,18 @@ func (s *gcsBackend) gcsClient(ep *url.URL) (cfg GSStoreConfig, client *storage.
 	creds, err := google.FindDefaultCredentials(ctx, storage.ScopeFullControl)
 	if err != nil {
 		return
-	} else if creds.JSON != nil {
+	}
+
+	// best effort to determine if JWT credentials are for external account
+	externalAccount := false
+	if creds.JSON != nil {
+		var f credentialsFile
+		if err := json.Unmarshal(creds.JSON, &f); err == nil {
+			externalAccount = f.Type == "external_account"
+		}
+	}
+
+	if creds.JSON != nil && !externalAccount {
 		conf, err = google.JWTConfigFromJSON(creds.JSON, storage.ScopeFullControl)
 		if err != nil {
 			return