docs(enterprise): recommend cloud workload identity for CI traces storage

[sileht]

Lead with IAM role discovery / Application Default Credentials in both the
S3 and GCS sections so self-hosted operators land on the path that avoids
manual key rotation. Move AWS_ACCOUNT_ID/AWS_REGION and the
MERGIFYENGINE_AWS_* deprecation note into the access-key option, since
neither is needed when boto3 resolves credentials from the workload.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 🤖 Continuous Integration

Wonderful, this rule succeeded.

• all of:
  • check-success = build
  • check-success = lint
  • check-success = test
  • any of:
    • check-success = test-broken-links
    • label = ignore-broken-links
  • any of:
    • check-success=Cloudflare Pages
    • -head-repo-full-name~=^Mergifyio/

🟢 👀 Review Requirements

Wonderful, this rule succeeded.

• any of:
  • #approved-reviews-by >= 2
  • author = dependabot[bot]
  • author = mergify-ci-bot

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:

🟢 🔎 Reviews

Wonderful, this rule succeeded.

• #changes-requested-reviews-by = 0
• #review-requested = 0
• #review-threads-unresolved = 0

🟢 📕 PR description

Wonderful, this rule succeeded.

• body ~= (?ms:.{48,})

[Copilot]

Pull request overview

Updates the Enterprise “Advanced Features” documentation to emphasize using cloud-native identity/credential discovery (ADC on GCP, IAM role-based discovery on AWS) for CI traces object storage, reducing reliance on long-lived static keys and manual rotation.

Changes:

• Reordered GCS auth options to lead with Application Default Credentials (recommended), moving JSON key usage to a secondary option.
• Reworked S3 auth guidance to lead with IAM role discovery (recommended), moving access-key details (and related notes) into the access-key option.
• Adjusted the introduction copy to present workload-identity discovery as the primary mode across providers.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sileht]

Revision history

#	Type	Changes	Reason	Date
1	initial	7aa7ddf		2026-05-08 20:15 UTC
2	content	7aa7ddf → 450013c (raw)		2026-05-08 20:15 UTC

Pull request has been modified.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-05-12 07:30 UTC · Rule: default
• ✅ Checks passed · on draft merge queue: embarking main (7dc9dd9), #11453 and #11442 together #11461
• ✅ Merged — 2026-05-12 07:33 UTC · at f9c9bb8842f99f0d0dd6634d55d1f64529ba1964 · squash

This pull request spent 3 minutes 7 seconds in the queue, including 2 minutes 41 seconds running CI.

Required conditions to merge

• schedule=Mon-Fri 09:00-17:30[Europe/Paris]
• all of [🛡 Merge Protections rule Enforce conventional commit]:
  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:
    • docs(enterprise): recommend cloud workload identity for CI traces storage #11442
• all of [🛡 Merge Protections rule 👀 Review Requirements]:
  • any of:
    • #approved-reviews-by >= 2
      • docs(enterprise): recommend cloud workload identity for CI traces storage #11442
    • author = dependabot[bot]
      • docs(enterprise): recommend cloud workload identity for CI traces storage #11442
    • author = mergify-ci-bot
      • docs(enterprise): recommend cloud workload identity for CI traces storage #11442
• all of [🛡 Merge Protections rule 📕 PR description]:
  • body ~= (?ms:.{48,})
    • docs(enterprise): recommend cloud workload identity for CI traces storage #11442
• all of [🛡 Merge Protections rule 🔎 Reviews]:
  • #changes-requested-reviews-by = 0
    • docs(enterprise): recommend cloud workload identity for CI traces storage #11442
  • #review-requested = 0
    • docs(enterprise): recommend cloud workload identity for CI traces storage #11442
  • #review-threads-unresolved = 0
    • docs(enterprise): recommend cloud workload identity for CI traces storage #11442
• all of [🛡 Merge Protections rule 🤖 Continuous Integration]:
  • all of:
    • check-success = build
    • check-success = lint
    • check-success = test
    • any of:
      • check-success = test-broken-links
      • label = ignore-broken-links
        • docs(enterprise): recommend cloud workload identity for CI traces storage #11442
    • any of:
      • check-success=Cloudflare Pages
      • -head-repo-full-name~=^Mergifyio/
        • docs(enterprise): recommend cloud workload identity for CI traces storage #11442