Add Support for IAM and Workload Identity on GCS (#1568)

pglombardo · web-flow · commit 670943a5ccf5 · 2023-10-26T08:39:00.000+02:00
diff --git a/config/defaults/settings.yml b/config/defaults/settings.yml
@@ -462,6 +462,15 @@ files:
     credentials: ''
     # Environment Variable Override: PWP__FILES__GCS__BUCKET=''
     bucket: ''
+    #
+    # Optionally use IAM instead of the credentials when signing URLs.
+    # This is useful if you are authenticating your GKE applications with Workload Identity,
+    # See here: https://edgeguides.rubyonrails.org/active_storage_overview.html#google-cloud-storage-service
+    #
+    # Environment Variable Override: PWP__FILES__GCS__IAM=true
+    iam: false
+    # Environment Variable Override: PWP__FILES__GCS__GSA_EMAIL='email@domain.com'
+    gsa_email: null
 
   # Microsoft Azure Storage Credentials
   as:
diff --git a/config/settings.yml b/config/settings.yml
@@ -462,6 +462,15 @@ files:
     credentials: ''
     # Environment Variable Override: PWP__FILES__GCS__BUCKET=''
     bucket: ''
+    #
+    # Optionally use IAM instead of the credentials when signing URLs.
+    # This is useful if you are authenticating your GKE applications with Workload Identity,
+    # See here: https://edgeguides.rubyonrails.org/active_storage_overview.html#google-cloud-storage-service
+    #
+    # Environment Variable Override: PWP__FILES__GCS__IAM=true
+    iam: false
+    # Environment Variable Override: PWP__FILES__GCS__GSA_EMAIL='email@domain.com'
+    gsa_email: null
 
   # Microsoft Azure Storage Credentials
   as:
diff --git a/config/storage.yml b/config/storage.yml
@@ -19,6 +19,8 @@ google:
   project: <%= Settings.files.gcs.project %>
   credentials: <%= Settings.files.gcs.credentials %>
   bucket: <%= Settings.files.gcs.bucket %>
+  iam: <%= Settings.files.gcs.iam %>
+  gsa_email: <%= Settings.files.gcs.gsa_email%>
 
 microsoft:
   service: AzureStorage
