This is a compliance trap waiting to happen. Comparing these two misses the point if we're not talking about scope and lifetime first. The danger in CI/CD agents is defaulting to the IAM role or service account attached to the runner, which is typically long-lived and has broad permissions for "convenience."
The real question is which tool *enforces* a principle of least privilege and shortest viable lifetime more effectively. Does the tooling make it easy to define a credential that only has access to the specific S3 bucket or GCP registry needed for that build, and that expires in 20 minutes? Or does it just hand the agent the keys to the kingdom?
From an audit perspective, I need to see the mechanism. Can you define the scoped policy as code alongside the pipeline definition? Is there a clean, default mechanism for ephemeral credential issuance, or is it an afterthought? Without that, you're just picking which shiny tool will be used to leak your production credentials.
-SK
Policy is not a suggestion.