This is a way for GCP to authenticate external workloads (e.g. GitHub Actions) without having to hand them credentials. It lets you state explicitly things like “the repository at org/repo is allowed to become service account foo”.

There is a “pool” per environment. Each pool has one or more “providers”, which map an external workload’s identity to a GCP identity. You might have one provider for GitHub, another for Discord, and so on, depending on how you do your mappings.
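An added example, not part of the original note: the gcloud commands that express “the repository org/repo may become service account foo” for GitHub Actions (one pool, one OIDC provider, one IAM binding), plus a small check that refuses the pool-wide wildcard binding, which would let every identity the provider accepts impersonate the service account. The project number, pool, provider and service-account names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Constructed example: placeholder project number and names, not real resources.
set -euo pipefail

PROJECT_NUMBER="123456789012"                         # placeholder
POOL="github-pool"                                    # one pool per environment
PROVIDER="github"                                     # the GitHub Actions mapper
REPO="org/repo"                                       # the only repo allowed in
SA_EMAIL="foo@my-project.iam.gserviceaccount.com"     # placeholder SA

# IAM member string scoped to ONE mapped attribute value (the repository),
# not to the whole pool.
wif_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s' \
    "$PROJECT_NUMBER" "$POOL" "$1"
}

# Returns 0 only for members scoped by attribute or subject; the pool-wide
# "…/workloadIdentityPools/POOL/*" form is rejected because it grants
# impersonation to every identity the provider lets through.
wif_member_is_scoped() {
  case "$1" in
    */workloadIdentityPools/*/\*) return 1 ;;
    */workloadIdentityPools/*/attribute.*/*) return 0 ;;
    */workloadIdentityPools/*/subject/*) return 0 ;;
    *) return 1 ;;
  esac
}

wif_setup() {
  gcloud iam workload-identity-pools create "$POOL" \
    --location=global --display-name="GitHub Actions pool"
  # Provider: trust GitHub's OIDC issuer, map token claims to attributes, and
  # (the important part) only admit tokens minted for this repository.
  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
    --location=global --workload-identity-pool="$POOL" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
    --attribute-condition="assertion.repository == '$REPO'"
  # Binding: the repo-scoped member may act as the service account.
  member="$(wif_member "$REPO")"
  wif_member_is_scoped "$member" || { echo "refusing unscoped member: $member" >&2; return 1; }
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --role=roles/iam.workloadIdentityUser --member="$member"
}

# Only call gcloud when explicitly asked, so the file is safe to source.
[ "${1:-}" = "apply" ] && wif_setup || true
```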