tusd: Use GCS upload backend when the endpoint matches.

This works around tus/tusd#322, which in turn is caused by
aws/aws-sdk-go-v2#1816.  This requires separate authentication via
service account key.

Fixes: #34186.

docs/production/upload-backends.md

@@ -66,6 +66,25 @@ uploading files, this process does not upload them to Amazon S3; see
 [migration instructions](#migrating-from-local-uploads-to-amazon-s3-backend)
 below for those steps.
 
+### Google Cloud Platform
+
+In addition to configuring `settings.py` as suggested above:
+
+```python
+S3_AUTH_UPLOADS_BUCKET = "..."
+S3_AVATAR_BUCKET = "..."
+S3_ENDPOINT_URL = "https://storage.googleapis.com"
+S3_SKIP_CHECKSUM = True
+```
+
+...and adding `s3_key` and `s3_secret_key` in `/etc/zulip/zulip-secrets.conf`,
+you will need to also add a `/etc/zulip/gcp_key.json` which contains a [service
+account key][gcp-key] with "Storage Object Admin" permissions on the uploads
+bucket. This is used by the `tusd` chunked upload service when receiving file
+uploads from clients.
+
+[gcp-key]: https://cloud.google.com/iam/docs/keys-create-delete
+
 ## S3 local caching
 
 For performance reasons, Zulip stores a cache of recently served user

zerver/management/commands/runtusd.py

@@ -63,6 +63,12 @@ class Command(BaseCommand):
         if settings.LOCAL_UPLOADS_DIR is not None:
             assert settings.LOCAL_FILES_DIR is not None
             tusd_args.append(f"-upload-dir={settings.LOCAL_FILES_DIR}")
+        elif settings.S3_ENDPOINT_URL in (
+            "https://storage.googleapis.com",
+            "https://storage.googleapis.com/",
+        ):
+            tusd_args.append(f"-gcs-bucket={settings.S3_AUTH_UPLOADS_BUCKET}")
+            env_vars["GCS_SERVICE_ACCOUNT_FILE"] = "/etc/zulip/gcp_key.json"
         else:
             tusd_args.append(f"-s3-bucket={settings.S3_AUTH_UPLOADS_BUCKET}")
             if settings.S3_ENDPOINT_URL is not None: