# ask-marvin
m
@Marvin We're using Prefect Cloud and running our flows on Cloud Run in GCP. Is there any way to authenticate Prefect Cloud with GCP without having to upload a Service account file or json object, for example through Workload Identity Federation?
m
Based on the information available, and since direct documentation excerpts regarding authenticating Prefect Cloud with Google Cloud Platform (GCP) without a Service Account file or using Workload Identity Federation weren't found, we can infer a standard approach that may guide you.

Typically, integration with cloud services like GCP requires some form of credentials to authenticate and authorize requests. In cases like Kubernetes, Workload Identity allows pods to assume a GCP identity, meaning no service account keys need to be managed within your application code.

For the use case with Prefect Cloud and Cloud Run, there are no direct excerpts for a method that avoids uploading service account credentials explicitly. However, with modern GCP authentication practices, one viable approach may be using Workload Identity Federation, which allows applications to access GCP resources securely. This would work by configuring a service account that Prefect Cloud would impersonate to interact with GCP.

However, integrating Prefect Cloud with Workload Identity Federation is more nuanced and would require specific steps to enable GCP to trust an external identity provider (i.e., Prefect Cloud). To accomplish this, you may need to:

1. Configure a Workload Identity pool in GCP.
2. Establish trust between GCP and Prefect Cloud with an appropriate configuration that links your Prefect Cloud identity and GCP service accounts.
3. Configure your GCP resources to accept identities from the Workload Identity pool.

Bear in mind, this is a generic approach and for a precise implementation, you would require guidance from Prefect's documentation or support on how to set this up with Prefect Cloud specifically.

For a detailed answer that is more specific to Prefect Cloud, I suggest reaching out to Prefect support or consulting with someone who has experience with integrating Prefect Cloud with GCP in a secure, keyless fashion.
k
are you using a push work pool, or are you running a worker somewhere in GCP?
m
Push work pool
k
using a GCP credentials block with a service account is the only way that'll work at the moment
m
Thanks for the reply! Any plans to support Workload Identity Federation? 🙏
k
not that I'm aware of. if you don't want to store any GCP credentials in Prefect, you can use a hybrid work pool and have a worker running on GCP compute that has a service account assigned to it that has the required Cloud Run permissions
👍 1