GCS private bucket as an origin

According to Google Cloud Storage origin (private) | Fastly Developer Hub, static credentials from a Google service account are required in order to use a private bucket.

I would like to know if it’s possible to use GCP service account impersonation as an alternative to pull from the origin. The main benefit is being able to use short-lived credentials.


Interesting. It’s possible that you may be able to use the GCP SDK for JavaScript, Rust or Go to generate a signed URL for a GCS resource at runtime in a Fastly Compute service… however, to do that you would need to be authenticated as a principal that has the rights to impersonate the SA, which I would have thought would defeat the point of using short-lived credentials.

It seems like service accounts can generate a bunch of different token formats, so it should be possible to create signed URLs using a short-lived token generated from a SA, but you’d probably need to push those credentials into your Fastly service regularly as they expire, e.g. using a config store.
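How the runtime-signing approach from the reply could look in a Go Compute service, as an added example that is not from the original thread, from Fastly or from Google: it builds a GCS V4 signed URL with the signing step hidden behind a `Signer`, which in the short-lived-credential design is a call to the IAM Credentials `signBlob` API made with an OAuth access token read from a config store (that call and the job that rotates the token are assumed and not shown; the function and parameter names are mine).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Signer returns an RSA-SHA256 signature over msg. In the impersonation setup this
// is backed by the IAM Credentials signBlob API (called with a short-lived access
// token pushed into a config store), so no service-account private key lives at the edge.
type Signer func(msg []byte) ([]byte, error)

// SignedURLV4 builds a GCS V4 signed GET URL for bucket/object that is valid for ttl.
func SignedURLV4(bucket, object, saEmail string, now time.Time, ttl time.Duration, sign Signer) (string, error) {
	ts := now.UTC().Format("20060102T150405Z")
	scope := ts[:8] + "/auto/storage/goog4_request"
	// Percent-encode the object name but keep its slashes; names with reserved
	// characters such as '+' may need stricter per-segment escaping.
	path := "/" + bucket + (&url.URL{Path: "/" + object}).EscapedPath()
	// Encode() sorts keys and percent-encodes values, which is the canonical query form.
	q := url.Values{"X-Goog-Algorithm": {"GOOG4-RSA-SHA256"}, "X-Goog-Credential": {saEmail + "/" + scope},
		"X-Goog-Date": {ts}, "X-Goog-Expires": {fmt.Sprint(int(ttl.Seconds()))}, "X-Goog-SignedHeaders": {"host"}}
	// Canonical request: verb, path, query, canonical headers, blank line, signed headers, payload.
	canonical := strings.Join([]string{"GET", path, q.Encode(), "host:storage.googleapis.com\n", "host", "UNSIGNED-PAYLOAD"}, "\n")
	sum := sha256.Sum256([]byte(canonical))
	// String-to-sign: algorithm, timestamp, credential scope, hex(SHA-256(canonical request)).
	sig, err := sign([]byte(strings.Join([]string{"GOOG4-RSA-SHA256", ts, scope, hex.EncodeToString(sum[:])}, "\n")))
	if err != nil {
		return "", err
	}
	return "https://storage.googleapis.com" + path + "?" + q.Encode() + "&X-Goog-Signature=" + hex.EncodeToString(sig), nil
}
```

The signature is only ever produced by the signBlob call, so the credential exposed to the Compute service is the rotating access token, not a key file.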