I have another question regarding authentication/authorization when using GCP (BigQuery) with GrowthBook: • Is it possible use something else than GCP Service Account key (user-generated key) for authentication/authorization. Implies: Workload Identity for GCP (https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) • If it’s not currently possible, is this something you would consider making an option in the future? This is for additional security and control over which services have access to the GCP project. Service Account keys don’t expire and it’s harder to reason about and know who has access to this key.

Yeah, I think we can support that pretty easily. If I understand correctly, it would just mean we don't pass credentials into the BigQuery client library and that should cause it to pull credentials from the metadata server instead.

Yes exactly, with Workload Identity it should be pulling temp credentials from the metadata server. And sounds good, our Infra team will be happy to hear this!

I just added this option in the latest docker build. You can now opt-in to use auto-discovery for credentials instead of uploading a JSON key file. Auto-discovery will look in environment variables and GCP metadata.

Wauw, that’s cool! Thank you, we’ll check it out 👍