Is it possible to use GCP IAM workload identity in calls to downstreams like GCS and BigQuery? If there is an issue tracker for this sort of issue, that would be great too.
Note on this - there is a "workaround" that avoids putting keys into Retool confs: we are able to set up myRetool to use workload identity to get the GSM secrets; the GSM secret can be used to hold myRetool's SA key, and that can be used in the GCS connection.
Did you have to do anything special to get the GCS connection to reference the GSM secret? I have GSM set up and can reference it in other Resources, but anything that needs a service account isn't able to reference secrets (at least autocomplete/syntax highlighting doesn't work, so I'm assuming it can't reference it).