Skip to content

feat: add gcp-cloud-run-invoke compute provider with OIDC#49

Draft
brucearctor wants to merge 1 commit into
temporalio:mainfrom
azra-ai-oss:feature/gcp-cloud-run-invoke
Draft

feat: add gcp-cloud-run-invoke compute provider with OIDC#49
brucearctor wants to merge 1 commit into
temporalio:mainfrom
azra-ai-oss:feature/gcp-cloud-run-invoke

Conversation

@brucearctor
Copy link
Copy Markdown

@brucearctor brucearctor commented May 5, 2026

Summary

Adds a new gcp-cloud-run-invoke compute provider that uses LaunchStrategyInvoke to trigger Cloud Run services via HTTP POST with OIDC identity tokens. This is the GCP analog to the existing aws-lambda provider.

Authentication

Supports two authentication modes:

  • Workload Identity (default): When no service_account is configured, uses idtoken.NewTokenSource which transparently leverages the host's default credentials (GKE Workload Identity, attached SA on Compute Engine/Cloud Run).
  • SA Impersonation: When a service_account is configured, uses impersonate.IDTokenSource with the intermediary delegate chain for cross-project or Temporal Cloud scenarios.

Both paths produce OIDC identity tokens with the Cloud Run service URL as the audience, which is what Cloud Run's IAM invoker check requires.

Relationship to existing gcp-cloud-run provider

The existing gcp-cloud-run provider uses LaunchStrategyWorkerSet to manage Cloud Run WorkerPool instance counts. This new provider complements it by enabling per-task invocation semantics, similar to how aws-lambda works.

Config

provider_type: gcp-cloud-run-invoke
# Config details (passed as Payload):
# url: https://my-worker-abc123-uc.a.run.app   (required)
# service_account: invoker@proj.iam.gserviceaccount.com  (optional, omit for Workload Identity)

@brucearctor
feat: add gcp-cloud-run-invoke compute provider with OIDC
b1bbb8f 
Adds a new compute provider that uses LaunchStrategyInvoke to trigger
Cloud Run services via HTTP POST with OIDC identity tokens.

Supports two authentication modes:
- Workload Identity (default): uses idtoken.NewTokenSource for environments
  with attached service accounts (GKE, Compute Engine, Cloud Run)
- SA Impersonation: uses impersonate.IDTokenSource with the intermediary
  delegate chain for cross-project or Temporal Cloud scenarios

The existing gcp-cloud-run provider uses LaunchStrategyWorkerSet to scale
WorkerPools. This new provider complements it by enabling per-task
invocation, analogous to how aws-lambda works.
@CLAassistant
Copy link
Copy Markdown

CLAassistant commented May 5, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@brucearctor
Copy link
Copy Markdown
Author

brucearctor commented May 5, 2026

Still a work in progress ... but again, sketch.

OIDC and workload identity desired [ rather than SA key ]. BUT, how to acknowledge source?

If Cloud 'on' GCP --> https://docs.cloud.google.com/iam/docs/workload-identity-federation something like that. I am happy to configure workload identity on my side, or also things like https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes

I can dig in more. Assuming collaboration desired.

Or, at least early tester.

@brucearctor
Copy link
Copy Markdown
Author

brucearctor commented May 5, 2026

@02strich ! :-p

We just spoke on the street leaving/going to replay as well.

I do not expect this to be used -- I opened a PR to start another method for communicating. Even better to meet in person, and setup email/etc. I'll happily close this, and take things to email, any helpful design docs, and getting wider collab going.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@brucearctor @CLAassistant