GCP Project Id — the GCP project that owns the Dataflow jobs.
GCP Location — the region to run Dataflow jobs in (e.g., us-central1).
Authentication methods
Service Account Key — Google Service Account Key (JSON, base64 or raw). Long-lived; rotate manually. Treat the JSON as a secret.
Application Default Credentials — resolves credentials through the host environment's ADC chain. Convenient when Polysync is hosted on GCP.
Workload Identity Federation ⭐ (recommended) — Google Workload Identity Provider, Google Service Account Email. Federates Polysync's Azure / AWS / OIDC identity into GCP, eliminating JSON keys.
Impersonated Service Account — Google Source Service Account Key (optional), Google Service Account Email. Useful for least-privilege delegation chains.
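A pre-flight check for the credential JSON behind these methods, as an added example that is not part of Polysync or its documentation: it accepts raw or base64-encoded JSON, maps the file's "type" field to the method names above, and reports whether a long-lived private key is embedded. The function names and sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import json

# Google credential JSON "type" values mapped to the method names on this page.
METHODS = {
    "service_account": "Service Account Key",
    "external_account": "Workload Identity Federation",
    "impersonated_service_account": "Impersonated Service Account",
}

def load_credential(blob: str) -> dict:
    """Parse a credential supplied as raw JSON or as base64-encoded JSON."""
    text = blob.strip()
    if not text.startswith("{"):
        try:
            # Drop line wrapping before strict decoding.
            text = base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("neither raw JSON nor base64-encoded JSON") from exc
    doc = json.loads(text)  # json.JSONDecodeError is a ValueError
    if not isinstance(doc, dict):
        raise ValueError("credential JSON must be an object")
    return doc

def classify(blob: str) -> dict:
    """Report the auth method and whether a long-lived private key is embedded."""
    doc = load_credential(blob)
    kind = doc.get("type")
    if kind not in METHODS:
        raise ValueError(f"unsupported credential type: {kind!r}")
    # An impersonation file can carry a source key under "source_credentials".
    source = doc.get("source_credentials") or {}
    return {
        "method": METHODS[kind],
        "long_lived_key": "private_key" in doc or "private_key" in source,
    }

# Constructed samples; the key material is a placeholder, not a real key.
SAMPLE_KEY = json.dumps({"type": "service_account",
                         "client_email": "dataflow@example-project.iam.gserviceaccount.com",
                         "private_key": "PLACEHOLDER-NOT-A-KEY"})
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY.encode()).decode()
SAMPLE_WIF = json.dumps({"type": "external_account",
                         "audience": "//iam.googleapis.com/projects/000000000000/locations/global/"
                                     "workloadIdentityPools/example-pool/providers/example-provider",
                         "subject_token_type": "urn:ietf:params:oauth:token-type:jwt"})

if __name__ == "__main__":
    for name, blob in [("key", SAMPLE_KEY), ("key-b64", SAMPLE_KEY_B64), ("wif", SAMPLE_WIF)]:
        print(name, classify(blob))
```

A result with long_lived_key set to True marks a credential that needs the manual rotation and secret handling described for the Service Account Key method.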
Permissions checklist
The chosen identity must hold Dataflow Developer (roles/dataflow.developer) on the project, plus Service Account User on the worker service account.
For Workload Identity Federation, configure a Workload Identity Pool and Provider that trusts the Polysync host identity.