adamant-exabyte-53836

05/04/2022, 11:53 AM
I have another question regarding authentication/authorization when using GCP (BigQuery) with GrowthBook:
• Is it possible to use something other than a GCP Service Account key (user-generated key) for authentication/authorization? Implies: Workload Identity for GCP (https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
• If it’s not currently possible, is this something you would consider making an option in the future?
This is for additional security and control over which services have access to the GCP project. Service Account keys don’t expire and it’s harder to reason about and know who has access to this key.

future-teacher-7046

05/04/2022, 12:09 PM
Yeah, I think we can support that pretty easily. If I understand correctly, it would just mean we don't pass credentials into the BigQuery client library and that should cause it to pull credentials from the metadata server instead.

adamant-exabyte-53836

05/04/2022, 12:46 PM
Yes exactly, with Workload Identity it should be pulling temp credentials from the metadata server. And sounds good, our Infra team will be happy to hear this!

future-teacher-7046

05/05/2022, 12:32 PM
I just added this option in the latest docker build. You can now opt in to use auto-discovery for credentials instead of uploading a JSON key file. Auto-discovery will look in environment variables and GCP metadata.

adamant-exabyte-53836

05/05/2022, 2:52 PM
Wauw, that’s cool! Thank you, we’ll check it out 👍