
feat(gcp): add GKE Workload Identity support via Application Default Credentials#1979

Open
rajatvig wants to merge 3 commits into envoyproxy:main from rajatvig:feat/gcp-workload-identity

Conversation

@rajatvig
Contributor

Description

Add support for GKE Workload Identity via Application Default Credentials (ADC).

When neither credentialsFile nor workloadIdentityFederationConfig is specified
in BackendSecurityPolicyGCPCredentials, the extproc now uses ADC to obtain tokens
dynamically. This enables GKE Workload Identity without additional configuration,
matching the existing AWS IRSA/Pod Identity pattern.

Related Issues/PRs (if applicable)

Special notes for reviewers (if applicable)

This PR was developed with AI assistance (Claude). All changes were reviewed by a human.

…Credentials

  Allow GCP credentials to use ADC when neither credentialsFile nor
  workloadIdentityFederationConfig is specified. This enables GKE Workload
  Identity without additional configuration, matching the AWS IRSA/Pod
  Identity pattern.

  The extproc now uses google.FindDefaultCredentials() to obtain tokens
  dynamically, eliminating the need for controller-side token rotation.

Signed-off-by: Rajat Vig <rvig@etsy.com>
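Added example (not code from this PR or the ai-gateway project) of the selection rule the description states, ADC only when neither `credentialsFile` nor `workloadIdentityFederationConfig` is set, together with a defender-side check on which identity ADC actually resolves to on a GKE pod. The `GCPCredentials` stand-in, `SelectAuthMode`, `ClassifyADCIdentity`, the mutual-exclusion error and the use of the `-compute@developer.gserviceaccount.com` suffix to recognise the Compute Engine default service account are assumptions, not project behaviour; only the standard library is used.

```go
package main

import (
	"errors"
	"strings"
)

// GCPCredentials is a simplified stand-in (assumption) for the BackendSecurityPolicyGCPCredentials fields involved.
type GCPCredentials struct {
	ProjectName, Region, CredentialsFile string
	WIFConfigured                        bool // true when workloadIdentityFederationConfig is set
}

// Auth modes in the order the PR gives them precedence.
const (
	ModeKeyFile = "service-account-key-file"
	ModeWIF     = "workload-identity-federation"
	ModeADC     = "application-default-credentials"
)

// SelectAuthMode picks the mode: key file, then WIF, and ADC only when neither is set.
// Rejecting a config that sets both is an assumption, not documented project behaviour.
func SelectAuthMode(c GCPCredentials) (string, error) {
	switch {
	case c.CredentialsFile != "" && c.WIFConfigured:
		return "", errors.New("credentialsFile and workloadIdentityFederationConfig are mutually exclusive")
	case c.CredentialsFile != "":
		return ModeKeyFile, nil
	case c.WIFConfigured:
		return ModeWIF, nil
	}
	return ModeADC, nil
}

// ClassifyADCIdentity reports which credential ADC would pick up, given GOOGLE_APPLICATION_CREDENTIALS
// and the service-account email the pod's metadata server reports. A "-compute@developer.gserviceaccount.com"
// email is the Compute Engine default SA: no Workload Identity binding applied and ADC fell through to the node.
func ClassifyADCIdentity(envCredsPath, metadataEmail string) (string, error) {
	if envCredsPath != "" {
		return "GOOGLE_APPLICATION_CREDENTIALS file", nil
	}
	if metadataEmail == "" {
		return "", errors.New("no ADC source: no env file and metadata server unreachable")
	}
	if strings.HasSuffix(metadataEmail, "-compute@developer.gserviceaccount.com") {
		return "node default service account (Workload Identity binding missing)", nil
	}
	return "Workload Identity-bound service account", nil
}
```

Run `ClassifyADCIdentity` with the email returned by the pod's metadata server to confirm that an ADC-only policy is really using the bound service account rather than the node identity.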
rajatvig requested a review from a team as a code owner on March 20, 2026 16:14
dosubot (bot) added the `size:L` label (This PR changes 100-499 lines, ignoring generated files) on Mar 20, 2026
@dosubot

dosubot bot commented Mar 20, 2026

Related Documentation

3 document(s) may need updating based on files changed in this PR:

Envoy's Space

connect-providers /ai-gateway/blob/main/site/docs/capabilities/llm-integrations/connect-providers.md
@@ -170,12 +170,33 @@
 
 ##### GCP Credentials
 
-Used for connecting to GCP Vertex AI and Anthropic on GCP
-
-1. Service Account Key Files:
-   A service account key file is a JSON file containing a private key that authenticates as a service account.
-   You create a service account in GCP, generate a key file, download it, and then store it in the k8s secret referenced by BackendSecurityPolicy.
-   Envoy AI Gateway uses this key file to generate an access token and authenticate with GCP Vertex AI.
+Used for connecting to GCP Vertex AI and Anthropic on GCP. Supports three authentication methods:
+
+**Option 1: Application Default Credentials (Recommended for GKE)**
+
+When running on GKE, Application Default Credentials (ADC) automatically uses GKE Workload Identity. Simply configure the project and region:
+
+```yaml
+apiVersion: aigateway.envoyproxy.io/v1beta1
+kind: BackendSecurityPolicy
+metadata:
+  name: gcp-auth
+spec:
+  type: GCPCredentials
+  gcpCredentials:
+    projectName: "your-gcp-project"
+    region: "us-central1"
+    # No credentialsFile or workloadIdentityFederationConfig needed - automatically uses:
+    # - GKE Workload Identity (if ServiceAccount is bound to GCP service account)
+    # - GOOGLE_APPLICATION_CREDENTIALS environment variable
+    # - Default service account credentials (when running on GCP)
+```
+
+This is similar to how AWS authentication works with EKS Pod Identity and IRSA, making GKE Workload Identity configuration simple without explicit credential configuration.
+
+**Option 2: Service Account Key Files**
+
+A service account key file is a JSON file containing a private key that authenticates as a service account. You create a service account in GCP, generate a key file, download it, and then store it in the k8s secret referenced by BackendSecurityPolicy. Envoy AI Gateway uses this key file to generate an access token and authenticate with GCP Vertex AI.
 
 ```yaml
 apiVersion: aigateway.envoyproxy.io/v1beta1
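Review bot: the bulleted comment in the new Option 1 YAML presents the three credential sources as alternatives but does not say ADC tries them in order, so a reader will not realise that a pod whose ServiceAccount lacks the Workload Identity binding does not fail but silently authenticates as the third bullet, the node's default service account, which usually carries far broader permissions than a Vertex AI caller needs. Suggest rewording the comment to state the fallback order and asking operators to confirm the binding, e.g. `# ADC tries these in order; confirm the Workload Identity binding so the last fallback is never what serves traffic`. The prose sentence "making GKE Workload Identity configuration simple without explicit credential configuration" is also redundant with the one before it and can be cut to "similar to how AWS authentication works with EKS Pod Identity and IRSA".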
@@ -193,9 +214,9 @@
         name: envoy-ai-gateway-basic-gcp-service-account-key-file
 ```
 
-2. Workload Identity Federation:
-   Workload Identity Federation is a modern, keyless authentication method that allows workloads running outside of GCP to impersonate a service account using their own native identity.
-   It leverages a trust relationship between GCP and an external identity provider such as OIDC.
+**Option 3: Workload Identity Federation**
+
+Workload Identity Federation is a modern, keyless authentication method that allows workloads running outside of GCP to impersonate a service account using their own native identity. It leverages a trust relationship between GCP and an external identity provider such as OIDC.
 
 ```yaml
 apiVersion: aigateway.envoyproxy.io/v1beta1
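Review bot: Option 3 still describes Workload Identity Federation as for "workloads running outside of GCP" without relating it to the new Option 1, so a GKE reader may think the three options are interchangeable. Add one sentence directing GKE deployments to Option 1 and reserving this option for clusters outside GCP, so the choice between the two keyless methods is explicit.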


gcp-vertexai /ai-gateway/blob/main/site/docs/getting-started/connect-providers/gcp-vertexai.md
@@ -19,17 +19,59 @@
 - Basic setup completed from the [Basic Usage](../basic-usage.md) guide
 - Basic configuration removed as described in the [Advanced Configuration](./index.md) overview
 
-## GCP Credentials Setup
-
-Ensure you have:
-
-1. Your GCP project id and name.
-2. In your GCP project, enable VertexAI API access.
-3. Create a GCP service account and generate the JSON key file.
-
-:::tip GCP Best Practices
-Consider using GCP Workload Identity (Federation)/IAM roles and limited-scope credentials for production environments.
-:::
+## Authentication Options
+
+Envoy AI Gateway supports three authentication methods for GCP VertexAI:
+
+1. **Application Default Credentials (ADC)** - Recommended for GKE deployments
+2. **Service Account Key Files** - Using explicit JSON credentials
+3. **Workload Identity Federation** - For cross-cloud authentication
+
+### Option 1: Application Default Credentials (Recommended)
+
+When running on GKE, you can use Application Default Credentials (ADC) without managing service account key files. This is the most secure option as it uses GKE Workload Identity, which automatically handles credential rotation.
+
+**Prerequisites:**
+1. Your GCP project id and name
+2. VertexAI API enabled in your GCP project
+3. GKE cluster configured with [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
+4. Kubernetes service account bound to a GCP service account with VertexAI permissions
+
+**Configuration:**
+
+Create a `BackendSecurityPolicy` without specifying `credentialsFile` or `workloadIdentityFederationConfig`:
+
+```yaml
+apiVersion: aigateway.envoyproxy.io/v1beta1
+kind: BackendSecurityPolicy
+metadata:
+  name: gcp-adc-policy
+  namespace: default
+spec:
+  targetRefs:
+    - kind: AIServiceBackend
+      group: aigateway.envoyproxy.io
+      name: your-backend-name
+  type: GCPCredentials
+  gcpCredentials:
+    projectName: YOUR_GCP_PROJECT_NAME
+    region: us-central1
+```
+
+The system will automatically use ADC, which supports:
+- GKE Workload Identity (when properly configured)
+- `GOOGLE_APPLICATION_CREDENTIALS` environment variable
+- Default service account when running on GCP
+
+### Option 2: Service Account Key Files
+
+For non-GKE environments or when explicit credentials are needed:
+
+**Prerequisites:**
+1. Your GCP project id and name
+2. VertexAI API enabled in your GCP project
+3. GCP service account created with VertexAI permissions
+4. Service account JSON key file generated
 
 ## Configuration Steps
 
@@ -48,7 +90,8 @@
 - Update the generated service account key JSON string in the secret
 
 :::caution Security Note
-Make sure to keep your GCP service account credentials secure and never commit them to version control.
+Service account key files should be avoided in production when possible. Use ADC/Workload Identity instead.
+If you must use key files, keep them secure and never commit them to version control.
 The credentials will be stored in Kubernetes secrets.
 :::
 
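Review bot: the rewritten caution says "Use ADC/Workload Identity instead" but gives the reader no path to it from the key-file steps; link the phrase to `### Option 1: Application Default Credentials` above. The retained line "The credentials will be stored in Kubernetes secrets." now reads as a stand-alone reassurance after the new advice; move it before "If you must use key files" so it describes the key-file setup rather than appearing to endorse it.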


supported-providers /ai-gateway/blob/main/site/docs/capabilities/llm-integrations/supported-providers.md
@@ -16,8 +16,8 @@
 | [AWS Bedrock](https://docs.aws.amazon.com/bedrock/latest/APIReference/)                                   |                                        `{"name":"AWSBedrock"}`                                         |                 [AWS Bedrock Credentials]                 |   ✅   |                                                                                                                                                        |
 | [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-services/openai/reference)                      | `{"name":"AzureOpenAI","version":"2025-01-01-preview"}` or `{"name":"OpenAI", "prefix": "/openai/v1"}` |          [Azure Credentials] or [Azure API Key]           |   ✅   |                                                                                                                                                        |
 | [Google Gemini on AI Studio](https://ai.google.dev/gemini-api/docs/openai)                                |                             `{"name":"OpenAI","prefix":"/v1beta/openai"}`                              |                         [API Key]                         |   ✅   | Only the OpenAI compatible endpoint                                                                                                                    |
-| [Google Vertex AI](https://cloud.google.com/vertex-ai/docs/reference/rest)                                |                                        `{"name":"GCPVertexAI"}`                                        |                     [GCP Credentials]                     |   ✅   |                                                                                                                                                        |
-| [Anthropic on GCP Vertex AI](https://cloud.google.com/vertex-ai/generative-ai/docs/partner-models/claude) |                        `{"name":"GCPAnthropic", "version":"vertex-2023-10-16"}`                        |                     [GCP Credentials]                     |   ✅   | Support both Native Anthropic messages endpoint and OpenAI compatible endpoint                                                                         |
+| [Google Vertex AI](https://cloud.google.com/vertex-ai/docs/reference/rest)                                |                                        `{"name":"GCPVertexAI"}`                                        |                     [GCP Credentials]                     |   ✅   | Supports Application Default Credentials (ADC), Service Account Key Files, and Workload Identity Federation                                            |
+| [Anthropic on GCP Vertex AI](https://cloud.google.com/vertex-ai/generative-ai/docs/partner-models/claude) |                        `{"name":"GCPAnthropic", "version":"vertex-2023-10-16"}`                        |                     [GCP Credentials]                     |   ✅   | Support both Native Anthropic messages endpoint and OpenAI compatible endpoint. Supports Application Default Credentials (ADC), Service Account Key Files, and Workload Identity Federation |
 | [Groq](https://console.groq.com/docs/openai)                                                              |                               `{"name":"OpenAI","prefix":"/openai/v1"}`                                |                         [API Key]                         |   ✅   |                                                                                                                                                        |
 | [Grok](https://docs.x.ai/docs/api-reference?utm_source=chatgpt.com#chat-completions)                      |                                   `{"name":"OpenAI","prefix":"/v1"}`                                   |                         [API Key]                         |   ✅   |                                                                                                                                                        |
 | [Together AI](https://docs.together.ai/docs/openai-api-compatibility)                                     |                                   `{"name":"OpenAI","prefix":"/v1"}`                                   |                         [API Key]                         |   ✅   |                                                                                                                                                        |
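Review bot: the same 100-character phrase "Supports Application Default Credentials (ADC), Service Account Key Files, and Workload Identity Federation" is appended to both GCP rows, widening the notes column for every row in the table and duplicating what the `[GCP Credentials]` link in the authentication column already documents. Shorten both to a cross-reference such as `ADC, key file or WIF; see [GCP Credentials]`, or drop the addition and let the linked section carry the detail.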


@codecov-commenter

codecov-commenter commented Mar 20, 2026

Codecov Report

❌ Patch coverage is 97.29730% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 84.35%. Comparing base (0ef2687) to head (ec6226c).

Files with missing lines Patch % Lines
internal/backendauth/gcp.go 95.65% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1979      +/-   ##
==========================================
+ Coverage   84.33%   84.35%   +0.01%     
==========================================
  Files         130      130              
  Lines       17986    18008      +22     
==========================================
+ Hits        15169    15190      +21     
- Misses       1873     1874       +1     
  Partials      944      944              
