Workflows provides several security features that you can use. This page describes some security best practices to keep in mind when using Workflows to avoid unintentionally exposing your resources to vulnerabilities.
Create a new service account and grant it only the Identity and Access Management (IAM) roles that contain the minimum permissions required by your workflow. You should not use the default service account since it is automatically granted the highly privileged Editor basic role which includes a large number of permissions.
Create your workflow using Terraform so that you can store your environment's configuration as code in a repository.
Use customer-managed encryption keys so that your workflow and associated data at rest are protected using an encryption key that only you can access.
Set up a service perimeter with VPC Service Controls to mitigate data exfiltration risks.
Use Secret Manager to secure and store sensitive data such as API keys, passwords, and certificates. You can use a Workflows connector to access Secret Manager within a workflow and simplify the integration for you.
Use Cloud Tasks to manage delivery rates and use Cloud Scheduler to execute workflows on a recurring schedule. By automating and parameterizing the deployment and execution of your workflows, you ensure that you can repeatedly and consistently run your services, and also eliminate inconsistencies between environments such as testing, staging, and production. Note that Workflows doesn't ensure exactly-once processing of duplicate requests from Cloud Tasks.