AyLMAO•3mo ago

Securely Calling Google Cloud (Vertex AI) from Convex via Workload Identity Federation

Hiya, another vibe coder here. A friend and I (neither developers) have just been on a marathon journey to get what we thought would be a simple integration working: calling the Google Cloud Vertex AI (Gemini) API from a Convex action, but using Workload Identity Federation (WIF) to avoid service account keys. We got it working in the end, but the path was complex! We wanted to share our final, working solution and also ask the community and the Convex team: is this the best way, or did we miss a simpler, built-in method? (after all the work, I kinda hope our way is the only way)

We wanted to call a GCP API from a Convex action using a token generated by a GitHub Action, with no secret keys checked into source control or stored in environment variables. Our first attempts using the official google-auth-library for Node.js inside a "use node"; action failed. We ran into a series of environmental incompatibilities, from errors about process.stdin and file systems (/dev/null) to the library not supporting the credential sources we tried. After a lot of debugging, we landed on a pattern that involves three parts: a GitHub Action, a public Convex httpAction, and the private Convex action that does the work.

After getting this all working, we had to laugh and wonder if we'd just built a complex solution for a problem that Convex might have a simpler answer for. Is this "HTTP Wrapper -> scheduled Node.js Action" the idiomatic/best practice for this scenario? Did we miss a simpler way? Is there a built-in tool or a known compatible way to use the google-auth-library for Workload Identity Federation that we overlooked? How have others in the community approached this? Thanks for reading! Cheers from a dev in London.
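As an added example that is not part of the original post: the two-step WIF exchange (GitHub OIDC JWT -> STS federated token -> short-lived service-account token) written against nothing but the runtime's `fetch`, which is one way to sidestep the google-auth-library incompatibilities described above from inside a "use node" action. The project number, pool id, provider id and service-account email are assumed placeholders, and `fetchImpl` is injected so the logic can be exercised without network access (pass the runtime's `fetch` in practice).

```typescript
// Added example (not the poster's code): exchange a GitHub OIDC token for a short-lived
// GCP service-account token with plain fetch, avoiding google-auth-library's stdin/fs needs.
// Project number, pool, provider and service-account email are placeholders (assumptions).
type Init = { method: string; headers: Record<string, string>; body: string };
export type FetchLike = (url: string, init: Init) =>
  Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>;
export interface WifConfig {
  projectNumber: string; poolId: string; providerId: string; serviceAccountEmail: string;
}
export const STS_URL = "https://sts.googleapis.com/v1/token";
export const CLOUD_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
// Audience must name the exact pool provider; anything else is rejected by STS.
export function wifAudience(c: WifConfig): string {
  return `//iam.googleapis.com/projects/${c.projectNumber}/locations/global/` +
    `workloadIdentityPools/${c.poolId}/providers/${c.providerId}`;
}
export function impersonationUrl(c: WifConfig): string {
  return "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" +
    `${c.serviceAccountEmail}:generateAccessToken`;
}
// Cheap shape check so a malformed value is rejected before it is sent anywhere.
export function looksLikeJwt(token: string): boolean {
  return /^[\w-]+\.[\w-]+\.[\w-]+$/.test(token);
}
export async function exchangeForAccessToken(
  githubOidcToken: string, cfg: WifConfig, fetchImpl: FetchLike,
): Promise<{ accessToken: string; expireTime: string }> {
  if (!looksLikeJwt(githubOidcToken)) throw new Error("subject token is not a JWT");
  // Step 1: RFC 8693-style exchange of the GitHub JWT for a federated access token.
  const sts = await fetchImpl(STS_URL, {
    method: "POST", headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      grantType: "urn:ietf:params:oauth:grant-type:token-exchange",
      audience: wifAudience(cfg), scope: CLOUD_SCOPE,
      requestedTokenType: "urn:ietf:params:oauth:token-type:access_token",
      subjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
      subjectToken: githubOidcToken,
    }),
  });
  if (!sts.ok) throw new Error(`STS exchange failed: HTTP ${sts.status}`); // status only, never the token
  const { access_token: federated } = (await sts.json()) as { access_token: string };
  // Step 2: impersonate the service account; ask for a short lifetime, not the 1h default.
  const iam = await fetchImpl(impersonationUrl(cfg), {
    method: "POST",
    headers: { Authorization: `Bearer ${federated}`, "Content-Type": "application/json" },
    body: JSON.stringify({ scope: [CLOUD_SCOPE], lifetime: "600s" }),
  });
  if (!iam.ok) throw new Error(`impersonation failed: HTTP ${iam.status}`);
  return (await iam.json()) as { accessToken: string; expireTime: string };
}
```

Whatever wrapper hands the GitHub JWT to the action, only the resulting short-lived `accessToken` should travel on to the Vertex AI call, and the pool's attribute condition should pin the accepted repository and branch so a token minted for another workflow is refused at the STS step.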
3 Replies
Convex Bot•3mo ago
Thanks for posting in <#1088161997662724167>. Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets.
- Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.)
- Use search.convex.dev to search Docs, Stack, and Discord all at once.
- Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI.
- Avoid tagging staff unless specifically instructed.
Thank you!
jamwt•3mo ago
Hmm. I'm not sure if there is. Most teams just store credentials in the server environment.
AyLMAO (OP)•3mo ago
gotcha, thanks 🙂