grafana / google-bigquery-datasource

Google BigQuery Datasource Plugin for Grafana.
Apache License 2.0

Feature: Support workload identity federation #226

Open walterjking opened 9 months ago

walterjking commented 9 months ago

Currently the options for authenticating are providing a private key or using GCE metadata. We'd like to remove all instances of private keys for security reasons, and https://cloud.google.com/iam/docs/workload-identities is the way to do this.

If you select GCE metadata, I believe it will actually pull the credentials file from the environment and be able to use any workload identity configured in that file, but that grants Grafana one identity. We have situations where we need different datasources to have different identities, so this does not solve our problem.

What we would actually want is a way to pass in a configuration file to the datasource, and have that datasource use the configuration passed in.
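As an added example (not code from the plugin or from this issue's participants), a check a platform team could run over per-datasource credential files before provisioning them: it distinguishes a WIF `external_account` config, which carries no key material, from a `service_account` key, and validates the fields the `external_account` format requires. The sample configs are constructed; the pool/provider identifiers and token file path are placeholders.

```python
import json

# Keys the documented "external_account" (workload identity federation) config must carry.
WIF_REQUIRED = ("type", "audience", "subject_token_type", "token_url", "credential_source")
# Long-lived secret material that should never appear in a datasource config.
SECRET_FIELDS = ("private_key", "private_key_id", "client_secret", "refresh_token")


def classify_credential(raw: str) -> dict:
    """Classify a Google credential JSON and report embedded secrets and format problems.

    Returns {"type": str, "has_secret": bool, "problems": [str, ...]}.
    """
    cfg = json.loads(raw)
    kind = cfg.get("type", "unknown")
    problems = []
    secrets = [f for f in SECRET_FIELDS if f in cfg]
    if kind == "external_account":
        problems += [f"missing {f}" for f in WIF_REQUIRED if f not in cfg]
        # Covers the common credential_source kinds; exotic sources are not handled here.
        src = cfg.get("credential_source", {})
        if not any(k in src for k in ("file", "url", "executable")):
            problems.append("credential_source has no file/url/executable entry")
        if secrets:
            problems.append("WIF config should not contain " + ", ".join(secrets))
    elif kind == "service_account":
        problems.append("embeds a long-lived private key; prefer external_account")
    else:
        problems.append(f"unsupported credential type: {kind}")
    return {"type": kind, "has_secret": bool(secrets), "problems": problems}


# Constructed sample: a WIF config pointing at an OIDC token file (no key material).
SAMPLE_WIF = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/"
                "workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/var/run/secrets/tokens/oidc-token"},
})

# Constructed sample: a service-account key, the shape this issue wants to eliminate.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "example@example-project.iam.gserviceaccount.com",
    "private_key_id": "PLACEHOLDER",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})

if __name__ == "__main__":
    for name, raw in (("wif", SAMPLE_WIF), ("key", SAMPLE_KEY)):
        print(name, classify_credential(raw))
```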

enricojonas commented 4 days ago

Totally agree, we need another option. Most Grafana instances are shared between teams that use different projects, so GCE metadata is not an option. Service account keys are insecure to handle. OIDC token / WIF would be the preferred option, just as GitHub Actions has implemented it towards GCP.

Similar to GitHub Actions, we could then configure a workload identity provider that does an assertion on the Grafana org where the request comes from.