add same-account storage integrations for azure and gcp#22
Merged
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
chunglu-chou approved these changes on Feb 20, 2026
Generalizes AWS's approach for same-account storage integration auth for GCP and Azure.
Note
Medium Risk
Introduces new cloud IAM principals/keys and changes IAM binding semantics and TLS policy configuration, which can affect access and cluster provisioning if misconfigured.
Overview
Adds same-account storage integration support for Azure and GCP so the in-cluster data importer can read customer storage without manual credentials: Azure now provisions an Azure AD application/service principal with a subscription-scope Storage Blob Data Reader assignment and publishes the client secret + tenant/client IDs via k8s secrets/configmap outputs; GCP now provisions a dedicated service account + key with storage.objectViewer and stores the decoded key JSON as a Kubernetes secret.

Tightens/adjusts infra and CI details: AWS storage integration IAM is reduced from AmazonS3FullAccess to a minimal inline S3 read policy, GCP Workload Identity bindings for writer service accounts switch from an authoritative binding to per-member resources, GCP public ingress now enforces a modern TLS policy via SSLPolicy/FrontendConfig, and all cloud E2E workflows now set the default Pulumi org before running the wizard. Also bumps the wizard's pinned PINECONE_VERSION and adds the pulumi-azuread dependency (lockfile updated).

Written by Cursor Bugbot for commit 4f31f46.
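The AWS least-privilege change above (AmazonS3FullAccess replaced by a minimal inline S3 read policy), as an added example that is not code from this pull request: a small check that expands a policy's action patterns and reports anything beyond read access. The shape of the minimal policy, the S3 action list and the full-access approximation are assumptions, since the page does not show the PR's actual inline policy.

```python
import fnmatch

# Constructed subset of S3 IAM actions, used to expand wildcard patterns offline.
S3_ACTIONS = [
    "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:GetBucketLocation",
    "s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket", "s3:PutBucketPolicy",
]
# What "read customer storage" needs at most; anything else is excess privilege.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:GetBucketLocation"}

# Approximation of the AmazonS3FullAccess managed policy the PR drops: every
# S3 action on every resource (assumed shape, not copied from the PR).
FULL_ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def minimal_s3_read_policy(bucket: str, prefix: str = "") -> dict:
    """Assumed shape of an inline read policy: list one bucket, get objects under one prefix."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arn},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{arn}/{prefix}*"}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def allowed_actions(policy: dict) -> set:
    """Expand each Allow statement's action patterns (IAM matching is case-insensitive)."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pat in _as_list(stmt["Action"]):
            allowed.update(a for a in S3_ACTIONS if fnmatch.fnmatchcase(a.lower(), pat.lower()))
    return allowed

def excess_privileges(policy: dict) -> set:
    """Actions granted beyond read-only access; empty for a least-privilege read policy."""
    return allowed_actions(policy) - READ_ACTIONS

def has_wildcard_resource(policy: dict) -> bool:
    """True if any Allow statement applies to every resource ("*")."""
    return any(stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))
               for stmt in policy["Statement"])
```

Running `excess_privileges` over both policies shows the full-access policy granting Put/Delete actions on every resource while the scoped read policy grants only ListBucket and GetObject on one bucket.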