Problem
Currently, GCS_CREDENTIALS (base64-encoded service account JSON) is required to use GCS storage. If not provided, initialization fails.
https://github.com/langgenius/dify-cloud-kit/blob/main/oss/gcsblob/gcs.go#L30-L35
```go
credentials, err := base64.StdEncoding.DecodeString(credentialsB64)
if err != nil {
	return nil, errors.New("credentials must be a base64 encoded string")
}
client, err := storage.NewClient(ctx, option.WithCredentialsJSON(credentials))
```
Use Case
When running on GKE with Workload Identity or GCE with attached service accounts, ADC (Application Default Credentials) is the recommended authentication method. It eliminates the need to manage and rotate service account keys manually.
Proposed Solution
```go
var client *storage.Client
if credentialsB64 == "" {
	// Use ADC when credentials not provided
	client, err = storage.NewClient(ctx)
	if err != nil {
		return nil, errors.New("failed to initialize GCS client: ADC unavailable and no credentials provided")
	}
} else {
	// Use a distinct name for the decode error: declaring err with := here
	// would shadow the outer err, and the NewClient error below would be lost.
	credentials, decodeErr := base64.StdEncoding.DecodeString(credentialsB64)
	if decodeErr != nil {
		return nil, errors.New("credentials must be a base64 encoded string")
	}
	client, err = storage.NewClient(ctx, option.WithCredentialsJSON(credentials))
}
```
This allows:
- Existing behavior when `GCS_CREDENTIALS` is set
- ADC fallback when `GCS_CREDENTIALS` is empty
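
An added example (not code from the dify-cloud-kit repository) of the selection logic proposed above, using only the standard library so it runs offline. The helper `resolveGCSCredentials`, the `Mode` constants, the whitespace trimming and the `type` field check are assumptions; it goes beyond the proposal by rejecting a malformed value instead of falling back to ADC, so a mistyped key cannot silently switch the workload to a different identity.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Mode tells the caller which option to pass to storage.NewClient.
type Mode int

const (
	ModeInvalid      Mode = iota // zero value: never usable if err is ignored
	ModeADC                      // no option; the client library resolves ADC
	ModeExplicitJSON             // option.WithCredentialsJSON(decoded)
)

// resolveGCSCredentials (hypothetical helper) maps the GCS_CREDENTIALS value to
// a Mode. Only an empty or whitespace-only value selects ADC.
func resolveGCSCredentials(credentialsB64 string) (Mode, []byte, error) {
	trimmed := strings.TrimSpace(credentialsB64)
	if trimmed == "" {
		return ModeADC, nil, nil
	}
	decoded, err := base64.StdEncoding.DecodeString(trimmed)
	if err != nil {
		return ModeInvalid, nil, errors.New("credentials must be a base64 encoded string")
	}
	var key struct {
		Type string `json:"type"`
	}
	if err := json.Unmarshal(decoded, &key); err != nil || key.Type == "" {
		return ModeInvalid, nil, errors.New("decoded credentials are not a credential JSON document")
	}
	return ModeExplicitJSON, decoded, nil
}

// constructedSample returns a key-shaped document with no secret material.
func constructedSample() string {
	return base64.StdEncoding.EncodeToString([]byte(`{"type":"service_account","project_id":"example"}`))
}

func main() {
	for _, in := range []string{"", "  \n", constructedSample(), "not base64!", "aGVsbG8="} {
		mode, _, err := resolveGCSCredentials(in)
		fmt.Printf("%q -> mode=%d err=%v\n", in, mode, err)
	}
}
```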