Self Hosted: GCP IAM


Self Hosted Retool does not seem to have workload IAM for connecting to BigQuery

Per https:/

But it does have it for connecting to Google Secrets Manager (GSM)

Per Retrieve secrets from GCP Secrets Manager | Retool Docs

Is it possible to use GCP IAM workload identity in calls to downstreams like GCS and BigQuery? If there is an issue tracker for this sort of issue, that would be great too.


Note on this - there is a "workaround" that avoids putting keys into Retool confs: we are able to set up myRetool to use workload identity to get the GSM secrets; the GSM secret can be used to hold myRetool's SA key, and we use that in the GCS connection.

Did you have to do anything special to get the GCS connection to reference the GSM secret? I have GSM set up and can reference it in other Resources, but anything that needs a service account isn't able to reference secrets (at least autocomplete/syntax highlighting doesn't work, so I'm assuming it can't reference it).

For the credentials block, the entire contents is

{{ }}

It does not highlight green.