docs(oidc): publish OIDC workload identity guides in public nav #11013

Merged: bsod90 merged 1 commit into master from docs/oidc-public-nav on Jun 5, 2026
@bsod90 bsod90 commented Jun 4, 2026

What

Enables links to the OIDC workload identity docs in the public navigation and makes them publicly discoverable.

  • Nav: adds a Cube OIDC group as the last item under Deployment in docs.json, with the overview as root and AWS / GCP / Azure as sub-pages (mirrors the Dedicated Infrastructure pattern).
  • Indexing: removes noindex: true from all four OIDC pages (index, aws, gcp, azure) so they're indexed alongside being in the nav.
  • Closes a content gap: gcp.mdx had no Cube Store CSPS bucket section even though aws.mdx and azure.mdx do, and index.mdx already links GCP for CSPS. Now that GCP/GCS CSPS has shipped, this adds that section (service-account impersonation and direct federation, plus the Settings → Pre-Aggregation Storage fields) and points the index link at the new #cube-store-csps-bucket anchor.

Review notes

  • Technical content was checked against the implementation: subject formats (cube:deployment:<id>:component:cube_store), audiences, env vars, token lifecycle, and the Test-connection flow all match.
  • docs.json validated as JSON; the new <Steps>/<Step> blocks are balanced; internal anchors (#step-3-build-the-iam-bindings, #cube-store-csps-bucket) resolve.

🤖 Generated with Claude Code

Add a "Cube OIDC" group under Deployment in docs.json linking the OIDC
overview + AWS/GCP/Azure guides, and remove `noindex` from all four pages
so they're publicly discoverable.

Also close a gap exposed by publishing: gcp.mdx had no Cube Store CSPS
section (aws.mdx and azure.mdx do), while index.mdx already links GCP for
CSPS. Now that GCP/GCS CSPS has shipped, add a "Cube Store CSPS bucket"
section to gcp.mdx (service-account impersonation + direct federation, the
Settings → Pre-Aggregation Storage fields) and point the index link at its
anchor.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@bsod90 bsod90 requested a review from keydunov as a code owner June 4, 2026 22:03

claude Bot commented Jun 4, 2026

Claude finished @bsod90's task in 43s


Code Review

Docs-only PR — published OIDC guides in nav, removed noindex, added GCP CSPS section. Verified internal anchors (#step-3-build-the-iam-bindings, #cube-store-csps-bucket) resolve and mirror the AWS/Azure structure.

No blocking issues. One minor nit below; everything else looks good.

Full review
  • Read diff and changed files
  • Verified anchors and nav structure
  • Checked for consistency with AWS/Azure equivalents

Findings

Nit — docs-mintlify/admin/deployment/oidc/gcp.mdx:329
The impersonation example binds workloadIdentityUser to the entire pool (…/cube-pool/*) without the --attribute-condition guard that the surrounding prose recommends ("paired with a provider --attribute-condition that constrains sub to end in :component:cube_store"). A reader copy-pasting this snippet will get a binding that lets any federated subject in the pool (including the main Cube API component) impersonate the Cube Store SA, defeating the component-level isolation the section opens with. Consider either:

  • adding a comment in the snippet pointing back to the provider's --attribute-condition, or
  • switching the default example to subject/cube:deployment:${DEPLOYMENT_ID}:component:cube_store (per-deployment), and mentioning the pool-wide form as the multi-tenant variant.

This is the same trade-off already called out in the bullet list above, so it's more a clarity nit than a correctness bug — but worth a one-line warning in the snippet itself since people copy code blocks more readily than they read the prose around them.

LGTM

  • Removing noindex consistently across all four pages — good.
  • docs.json addition follows the Dedicated Infrastructure pattern (root + pages) cleanly; trailing comma placement looks correct in context.
  • New GCP CSPS section parallels the AWS/Azure ones in structure (grant → subject format → enable in Settings) and the Test Connection reference matches the existing index page guidance.
  • Index link update from /admin/deployment/oidc/gcp…#cube-store-csps-bucket correctly points at the new anchor.
• `docs/oidc-public-nav`
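
The pool-wide versus per-subject binding distinction raised in the review above, as an added example that is not part of the PR or the Cube docs: a Python check over the JSON that `gcloud iam service-accounts get-iam-policy --format=json` prints for the Cube Store service account. The project number, the deployment id and the `other` component name are constructed sample values.

```python
import re

ROLE = "roles/iam.workloadIdentityUser"
# Member syntax Google Cloud uses for federated identities in a pool.
POOL = (r"//iam\.googleapis\.com/projects/\d+/locations/global"
        r"/workloadIdentityPools/[^/]+")
POOL_WIDE_RE = re.compile(r"^principalSet:" + POOL + r"/\*$")
SUBJECT_RE = re.compile(r"^principal:" + POOL + r"/subject/(?P<sub>.+)$")
# Subject format quoted in the PR description.
CUBE_STORE_SUB = re.compile(r"^cube:deployment:[^:]+:component:cube_store$")


def classify(member):
    """Classify one member of a workloadIdentityUser binding."""
    if POOL_WIDE_RE.match(member):
        # Every subject the provider admits may impersonate the SA; only the
        # provider's --attribute-condition still restricts the component.
        return "POOL_WIDE"
    m = SUBJECT_RE.match(member)
    if m:
        ok = CUBE_STORE_SUB.match(m.group("sub"))
        return "OK" if ok else "WRONG_COMPONENT"
    return "REVIEW"  # attribute/group principalSets, users, other SAs


def audit_bindings(policy):
    """Return (member, verdict) for each member allowed to impersonate."""
    return [(member, classify(member))
            for binding in policy.get("bindings", [])
            if binding.get("role") == ROLE
            for member in binding.get("members", [])]


# Constructed sample policy: project number, deployment id 42 and the
# "other" component name are made up for illustration.
PREFIX = ("//iam.googleapis.com/projects/123456789012/locations/global"
          "/workloadIdentityPools/cube-pool")
SAMPLE_POLICY = {"bindings": [
    {"role": ROLE, "members": [
        "principalSet:" + PREFIX + "/*",
        "principal:" + PREFIX + "/subject/cube:deployment:42:component:cube_store",
        "principal:" + PREFIX + "/subject/cube:deployment:42:component:other",
    ]},
    {"role": "roles/storage.objectViewer", "members": ["user:a@example.com"]},
]}

if __name__ == "__main__":
    for member, verdict in audit_bindings(SAMPLE_POLICY):
        print(f"{verdict:16} {member}")
```

A `POOL_WIDE` verdict means component isolation rests entirely on the provider's `--attribute-condition`, so confirm that condition is in place before accepting the binding.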


mintlify Bot commented Jun 4, 2026

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
cubed3 🟢 Ready View Preview Jun 4, 2026, 10:09 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@bsod90 bsod90 merged commit c2fbef4 into master Jun 5, 2026
17 checks passed
@bsod90 bsod90 deleted the docs/oidc-public-nav branch June 5, 2026 15:30