Is there a recommended way to set up google application credentials using dagster-cloud? Some of our jobs and assets need to authenticate, but not all of the resources have a credentials argument (e.g. GCSResource). We’ve set up gcp credentials in a dagster environment variable, and our current solution is to decode the base64 credentials key and set the GOOGLE_APPLICATION_CREDENTIALS file and env variable manually, but this seems hacky.

Hi Josh - there are some recommendations here for how to do this: https://github.com/dagster-io/dagster/discussions/12183

Ah, awesome, that looks like a less hacky solution though, doing it at the entry point is cleaner than us re-creating the file for every usage.

have you looked into Workload identity?

Oh I haven't, will do

+1 for workload identify. It’s a bit confusing to setup the first time - you need to create a GCP Service Account, a K8s Service Account and kinda point them to each other. But after you set it up, all you need to do is to tell your Dagster pods to use this K8s Service Account.

gotcha, ok. I checked on the github issue originally linked and since we’re using dagster cloud, it implies the workload identity solution won’t work. Is this still the case?

That won't work in a Serverless deployment where we manage the execution plane, but would work in a Hybrid deployment

ah ok makes sense