Hello, in the process of deploying on GKE it seems there's not really a way to deploy it using workload identity, you have to specify a service account json file to load as secret. Is there a limitation that would prevent us to just use the loaded service account ?

You mean the default service account on the GKE nodes?

yes

or rather you know you can define the serviceAccountName to use for the pod

which is the foundation for using authentication using workload identity

hey oliver, sorry for the late reply, was looking into this

we don’t support configuring this today

I can guide you through it if you are interested in contributing

otherwise can you open an issue?

I'd be interested in contributing

I think the main point is the check in the config to "relax"

great!

check in which config?

let me find back the point

found it, so there's this part that failed https://github.com/airbytehq/airbyte/blob/master/airbyte-config/models/src/main/java/io/airbyte/config/helpers/CloudLogs.java

because of the check on isBlank for google application credentials

by default it should work out of the box

in the validate part we could try a GoogleCredentials.getApplicationDefault()

it would fail using a IOException that we can catch fail the checkArgument

or we could just relax this check and "go with the flow"

it will fail when trying to initiate the storage connection

what do you think ?

I haven’t done this myself so my understanding might be wrong - from the docs it looks like it should be adding the

serviceAccountName

annotation on the core Airbyte deployment yamls

since Airbyte spins up pods dynamically to serve jobs, we then have to inject this annotation into the pods that are created