The idea is:
We are Google Cloud users and our company uses the Workforce Identity Pool for our local development. Furthermore, when deploying, we normally choose GKE. Many Google APIs support a notion of Application Default Credentials (ADC), which can work either by honoring and using $GOOGLE_APPLICATION_CREDENTIALS or by using the metadata service.
The documentation and the UI seem only to support OAuth or Service Account with a private key download, both of which are strictly disallowed in any of our GCP consoles by policy.
Please add the facility to choose ADC as a credential when connecting, and possibly write up that you might run the Docker container something like this, to mount the HOME dir and expose the environment variable to the Docker processes:
[scr@MacBook-Pro-3]$ docker run -e GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_APPLICATION_CREDENTIALS -v $HOME:$HOME:ro -it --rm --name n8n -p 5678:5678 -v n8n_data:/home/node/.n8n docker.n8n.io/n8nio/n8n
My use case:
- Local development with GOOGLE_APPLICATION_CREDENTIALS env var files fetched by our login and workforce identity pool tools
- GKE without any service account connection because workers will have that through the metadata service.
I think it would be beneficial to add this because:
Gaining credentials automatically through the well-worn ADC facilities can be easier and safer than downloading private keys for service accounts, and is possible for users of Workforce Identity Pools, who do not have any credentials as mere Cloud Identity users.
Any resources to support this?
As a new user, I am restricted from adding any more links
Are you willing to work on this?
Yes, but today is the first time I’ve come into contact with this codebase; I was trying to help another developer get credentials and noticed these shortcomings.
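
Added example, not part of the original post and not n8n code: an offline check of which credential source ADC would use for a given environment, and whether it is a downloaded service account key of the kind the post says is disallowed. The function and sample names and paths are hypothetical; the well-known file step is Google's documented ADC lookup order, which the post does not mention.

```javascript
// Added example, not n8n code: classify what ADC would pick up, offline.
const KINDS = new Map([
  ['service_account', 'downloaded service account private key'],
  ['authorized_user', 'user login via gcloud'],
  ['external_account', 'workload identity federation'],
  ['external_account_authorized_user', 'workforce identity pool login'],
]);

// env: object shaped like process.env. readFile: path -> string, throws if
// missing (for real files pass p => require('fs').readFileSync(p, 'utf8')).
function describeAdcSource(env, readFile) {
  const candidates = [];
  if (env.GOOGLE_APPLICATION_CREDENTIALS) {
    candidates.push(['env', env.GOOGLE_APPLICATION_CREDENTIALS]);
  }
  if (env.HOME) { // default ADC file location on Linux/macOS
    candidates.push(['well-known',
      `${env.HOME}/.config/gcloud/application_default_credentials.json`]);
  }
  for (const [source, path] of candidates) {
    let text;
    try { text = readFile(path); } catch (err) {
      // A set env var whose file is missing is an error, e.g. the variable
      // was passed into a container but the file was never mounted there.
      if (source === 'env') return { source, path, error: 'file not readable' };
      continue; // no well-known file: try the next source
    }
    let cfg;
    try { cfg = JSON.parse(text); } catch (err) { cfg = null; }
    if (!cfg || typeof cfg !== 'object') return { source, path, error: 'not a JSON object' };
    return {
      source, path, type: cfg.type,
      kind: KINDS.get(cfg.type) || 'unrecognised',
      // Assumed policy, taken from the post: downloaded keys are disallowed.
      violatesKeyPolicy: cfg.type === 'service_account',
    };
  }
  return { source: 'metadata-server', kind: 'attached service account' };
}

// Constructed sample files (no real secrets).
const SAMPLE_FILES = {
  '/home/dev/wf.json': '{"type":"external_account_authorized_user"}',
  '/keys/sa.json': '{"type":"service_account","private_key":"<redacted>"}',
};
const sampleRead = (p) => {
  if (!(p in SAMPLE_FILES)) throw new Error('ENOENT: ' + p);
  return SAMPLE_FILES[p];
};
```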