Description
Describe the bug
The `cube/cubestore` Docker image currently requires either `CUBESTORE_GCP_CREDENTIALS` or `CUBESTORE_GCP_KEY_FILE` to be set when using `CUBESTORE_GCS_BUCKET`. This makes it impossible to use Workload Identity Federation (WIF) for authentication with GCS, which is the recommended approach in many Kubernetes-based and multi-cloud environments.
To Reproduce
Steps to reproduce the behavior:
- Deploy `cube/cubestore` in a GCP-compliant environment using WIF (e.g., with a federated identity set up via GKE or another compliant setup).
- Set only the `CUBESTORE_GCS_BUCKET` environment variable.
- Start the container.
- The application fails to authenticate with GCS due to missing `CUBESTORE_GCP_CREDENTIALS` or `CUBESTORE_GCP_KEY_FILE`.
Expected behavior
`cube/cubestore` should allow authentication to GCS using the default application credentials provided by the GCP environment (i.e., WIF or ADC), without requiring explicit key files or inline credentials, as long as the environment is correctly configured.
Screenshots
N/A
Minimally reproducible Cube Schema
Not relevant for this issue, as it's Docker/environment related.
Version:
e.g. cube/cubestore:v1.3
Additional context
It would be great if the Docker image could support Workload Identity Federation by making `CUBESTORE_GCP_CREDENTIALS` and `CUBESTORE_GCP_KEY_FILE` optional when `CUBESTORE_GCS_BUCKET` is set. This would align with GCP best practices and improve security by avoiding service account key files.
A possible approach would be to rely on Google's ADC (Application Default Credentials) chain, which is compatible with Workload Identity.
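The fallback order the report asks for, as an added example that is not part of the original issue or of cube/cubestore's code: a small Python resolver that keeps the explicit `CUBESTORE_GCP_*` settings as the first choice, then walks Google's ADC chain (`GOOGLE_APPLICATION_CREDENTIALS`, the well-known gcloud file, the metadata server), and reports whether the chosen source is a long-lived service-account key. The function names, the treatment of `CUBESTORE_GCP_CREDENTIALS` as a raw JSON document, the well-known ADC path, and the fake filesystem and environments are assumptions constructed for this example.

```python
"""Credential-source resolver for a GCS-backed store (added illustration, not cube/cubestore code).

The order mirrors what the issue asks for: an explicit CUBESTORE_GCP_CREDENTIALS or
CUBESTORE_GCP_KEY_FILE still wins, but when only CUBESTORE_GCS_BUCKET is set the
resolver falls through to Google's Application Default Credentials (ADC) chain:
GOOGLE_APPLICATION_CREDENTIALS, then gcloud's well-known file, then the GCE/GKE
metadata server. It also reports whether the chosen source is a long-lived
service-account key, which is what Workload Identity Federation lets you avoid.
"""
import json
from typing import Callable, Mapping, Optional

# gcloud's default ADC location (assumed path form; real clients expand it per platform)
WELL_KNOWN_ADC = "~/.config/gcloud/application_default_credentials.json"


def classify_credential(document: str) -> str:
    """Return the "type" field of a JSON credential document.

    Google credential files carry a "type" field: "service_account" for a
    downloadable private key, "external_account" for a WIF configuration that
    exchanges an external token for a short-lived access token, "authorized_user"
    for a gcloud user login.
    """
    try:
        cred = json.loads(document)
    except json.JSONDecodeError as exc:
        raise ValueError(f"credential document is not valid JSON: {exc}") from None
    return str(cred.get("type", "unknown"))


def resolve_gcs_credentials(env: Mapping[str, str],
                            read_file: Callable[[str], Optional[str]]) -> dict:
    """Pick the credential source for CUBESTORE_GCS_BUCKET.

    `env` is the process environment; `read_file` returns a file's text or None
    when it does not exist (injected so the example runs offline).
    Raises ValueError when an explicitly configured file is missing, so a typo in
    a key-file path fails loudly instead of silently falling back to ADC.
    """
    result = {"source": None, "kind": None, "long_lived_key": False}
    if not env.get("CUBESTORE_GCS_BUCKET"):
        result["source"] = "none"  # GCS not in use; nothing to resolve
        return result

    inline = env.get("CUBESTORE_GCP_CREDENTIALS")
    if inline:  # assumed here to hold the JSON document itself
        result.update(source="CUBESTORE_GCP_CREDENTIALS", kind=classify_credential(inline))
    else:
        # Explicit key-file setting first, then the ADC environment variable.
        for var in ("CUBESTORE_GCP_KEY_FILE", "GOOGLE_APPLICATION_CREDENTIALS"):
            path = env.get(var)
            if not path:
                continue
            document = read_file(path)
            if document is None:
                raise ValueError(f"{var} points to {path}, which does not exist")
            result.update(source=var, kind=classify_credential(document))
            break
        else:
            well_known = read_file(WELL_KNOWN_ADC)
            if well_known is not None:
                result.update(source="well_known_adc_file", kind=classify_credential(well_known))
            else:
                # Last link of the ADC chain: the attached identity served by the
                # GCE/GKE metadata server (GKE Workload Identity lands here).
                result.update(source="metadata_server", kind="attached_identity")

    result["long_lived_key"] = result["kind"] == "service_account"
    return result


# Constructed sample inputs: a fake filesystem and three environments.
FAKE_FS = {
    "/var/run/secrets/wif/credential-config.json":
        '{"type": "external_account", "audience": "//iam.googleapis.com/projects/123/locations/global/'
        'workloadIdentityPools/pool/providers/prov", "subject_token_type": '
        '"urn:ietf:params:oauth:token-type:jwt", "token_url": "https://sts.googleapis.com/v1/token", '
        '"credential_source": {"file": "/var/run/secrets/tokens/gcp-ksa"}}',
    "/secrets/sa-key.json":
        '{"type": "service_account", "client_email": "store@example.iam.gserviceaccount.com", '
        '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIB...\\n-----END PRIVATE KEY-----\\n"}',
}
ENV_WIF_FILE = {"CUBESTORE_GCS_BUCKET": "cubestore-data",
                "GOOGLE_APPLICATION_CREDENTIALS": "/var/run/secrets/wif/credential-config.json"}
ENV_KEY_FILE = {"CUBESTORE_GCS_BUCKET": "cubestore-data",
                "CUBESTORE_GCP_KEY_FILE": "/secrets/sa-key.json"}
ENV_GKE_ONLY = {"CUBESTORE_GCS_BUCKET": "cubestore-data"}


def demo() -> dict:
    """Resolve each constructed environment; returns the results keyed by scenario."""
    return {name: resolve_gcs_credentials(env, FAKE_FS.get)
            for name, env in (("wif_file", ENV_WIF_FILE),
                              ("key_file", ENV_KEY_FILE),
                              ("gke_only", ENV_GKE_ONLY))}


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name:9} -> source={res['source']} kind={res['kind']} "
              f"long_lived_key={res['long_lived_key']}")
```

The check worth keeping from this is the `long_lived_key` flag: a `service_account` document means a downloadable private key is in play, whereas an `external_account` document (a WIF credential configuration) or the metadata server only ever yields short-lived access tokens. Failing loudly on a missing explicitly configured file, rather than quietly falling through to ADC, keeps a misconfiguration from being masked by whatever identity the node happens to have.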