
Support GCP application default credentials (ADC)

Open tennix opened this issue 5 years ago • 5 comments

Feature Request

Describe your feature request related problem:

BR cannot use a GCP service account's temporary token.

Describe the feature you'd like:

Support GCP application default credentials (ADC) as documented here https://cloud.google.com/docs/authentication/production

When running BR on a GCP VM, we can grant permissions to the VM's service account, and BR can use the GCP SDK to retrieve temporary credentials for the service account. This avoids static credentials, which increases security.

Describe alternatives you've considered:

Teachability, Documentation, Adoption, Migration Strategy:

tennix avatar Dec 04 '20 04:12 tennix

@tennix this has to be assigned to all TiKV nodes too, right?

kennytm avatar Dec 04 '20 08:12 kennytm

Yes, when deploying a TiDB cluster on GCP, the node will have a service account, and users can grant GCS permissions to the node's service account. No matter which service accounts TiKV and BR use, users just need to make sure the corresponding service account has the right permissions. BR and TiKV can retrieve temporary credentials from GCP's metadata service.

tennix avatar Dec 04 '20 10:12 tennix
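The mechanism tennix describes, a process on a GCE VM fetching a short-lived access token for the VM's service account from the metadata server instead of carrying a static key, is shown below as an added example. It is not code from the BR or TiKV projects: the real Go GCS client does this internally, and this standalone version exists only to make the flow visible. The token endpoint path and the required Metadata-Flavor header are the documented GCE metadata-server interface; the TokenSource cache, the FakeMetadataServer (which stands in for http://metadata.google.internal so the example runs offline) and the token strings are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
	"time"
)

// Token is the JSON the GCE metadata server returns from its token endpoint.
type Token struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// MetadataTokenPath is the metadata-server path for the VM's default service account token.
const MetadataTokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"

// FetchMetadataToken requests a short-lived access token from the metadata server at baseURL
// (http://metadata.google.internal on a real VM; the fake server below in this example).
func FetchMetadataToken(client *http.Client, baseURL string) (*Token, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+MetadataTokenPath, nil)
	if err != nil {
		return nil, err
	}
	// The metadata server refuses requests without this header, so that browser-initiated
	// (SSRF-style) requests from inside the VM cannot read instance credentials.
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata server: %s", resp.Status)
	}
	if resp.Header.Get("Metadata-Flavor") != "Google" {
		return nil, errors.New("response lacks Metadata-Flavor header: not the metadata server")
	}
	var tok Token
	if err := json.NewDecoder(io.LimitReader(resp.Body, 64<<10)).Decode(&tok); err != nil {
		return nil, err
	}
	if tok.AccessToken == "" || tok.ExpiresIn <= 0 {
		return nil, errors.New("metadata server returned an empty or already-expired token")
	}
	return &tok, nil
}

// TokenSource caches the metadata token and refreshes it shortly before expiry, so a
// long-running backup never sends an expired bearer token to GCS. Illustrative, not BR's API.
type TokenSource struct {
	Client  *http.Client
	BaseURL string
	Now     func() time.Time // injectable clock so expiry can be tested deterministically

	mu     sync.Mutex
	cached *Token
	expiry time.Time
}

const refreshMargin = time.Minute

func (ts *TokenSource) AccessToken() (string, error) {
	ts.mu.Lock()
	defer ts.mu.Unlock()
	now := ts.Now()
	if ts.cached != nil && now.Add(refreshMargin).Before(ts.expiry) {
		return ts.cached.AccessToken, nil
	}
	tok, err := FetchMetadataToken(ts.Client, ts.BaseURL)
	if err != nil {
		return "", err
	}
	ts.cached = tok
	ts.expiry = now.Add(time.Duration(tok.ExpiresIn) * time.Second)
	return tok.AccessToken, nil
}

// FakeMetadataServer is a constructed stand-in for the real metadata server so the example
// runs offline. It enforces the Metadata-Flavor check and hands out a fresh token per fetch.
type FakeMetadataServer struct {
	*httptest.Server
	fetches int64
}

func (f *FakeMetadataServer) FetchCount() int64 { return atomic.LoadInt64(&f.fetches) }

func NewFakeMetadataServer(expiresIn int) *FakeMetadataServer {
	f := &FakeMetadataServer{}
	f.Server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata-Flavor") != "Google" || r.URL.Path != MetadataTokenPath {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		n := atomic.AddInt64(&f.fetches, 1)
		w.Header().Set("Metadata-Flavor", "Google")
		_ = json.NewEncoder(w).Encode(Token{AccessToken: fmt.Sprintf("ya29.fake-%d", n), ExpiresIn: expiresIn, TokenType: "Bearer"})
	}))
	return f
}

func main() {
	srv := NewFakeMetadataServer(3600)
	defer srv.Close()
	ts := &TokenSource{Client: srv.Client(), BaseURL: srv.URL, Now: time.Now}
	tok, err := ts.AccessToken()
	if err != nil {
		panic(err)
	}
	fmt.Println("bearer token from metadata server:", tok)
}
```

The point for the thread: nothing in this flow ever touches a credentials file, and the token is only valid for about an hour, so a leaked value is far less damaging than a leaked service-account key. The same applies to TiKV's Rust side once it stops requiring a credentials blob: each node asks its own metadata server, and the only configuration is the IAM binding on the node's service account.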

Checking https://cloud.google.com/docs/authentication/production, looks like the Go part of BR already supports ADC (just don't pass the credentials-file), but the Rust part still expects a credentials blob. So it is mainly work on the Rust (TiKV) side.

kennytm avatar Dec 04 '20 10:12 kennytm

Checking cloud.google.com/docs/authentication/production, looks like the Go part of BR already supports ADC (just don't pass the credentials-file), but the Rust part still expects a credentials blob. So it is mainly work on the Rust (TiKV) side.

Yes, exactly.

tennix avatar Dec 05 '20 06:12 tennix

We'll support this by the end of next sprint (likely through gcp_auth), but we need a GCP environment to verify it.

kennytm avatar Dec 07 '20 09:12 kennytm