Add support for external IdP OIDC token retrieval for Google Cloud Operators. #39873

Merged
merged 6 commits into from
Jun 11, 2024


dybolo
Contributor

@dybolo dybolo commented May 27, 2024

This feature enables OIDC token retrieval from any generic Identity Provider (IdP) that uses the OAuth 2.0 Credentials Grant Flow. Additionally, it lays the groundwork for integrating other custom OIDC token retrieval methods.

Google SDK supports defining custom classes for retrieving OIDC tokens for authentication via Workload Identity Federation. This pull request introduces a class that implements this functionality using Credentials Grant Flow and implements a caching mechanism, which can be extended to new classes.

related: #35899

Co-authored-by: @gazev
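
Added example, not code from this pull request or from Airflow: a sketch of the pattern the description refers to, a google-auth `SubjectTokenSupplier` that obtains its token with the OAuth 2.0 client credentials grant and caches it until shortly before expiry. The class name, the `fetch`/`clock`/`skew` parameters, HTTP Basic client authentication, and the token arriving in `access_token` are assumptions.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

try:  # google-auth >= 2.29.0 provides the base class
    from google.auth.identity_pool import SubjectTokenSupplier
except ImportError:  # fallback so the sketch runs without google-auth
    SubjectTokenSupplier = object


def _post_client_credentials(token_url, client_id, client_secret, timeout=10):
    """POST grant_type=client_credentials; the secret goes in a header, not the URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {basic}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


class CachingClientCredentialsSupplier(SubjectTokenSupplier):
    """Hypothetical supplier: fetches a token from an external IdP and caches it."""

    def __init__(self, token_url, client_id, client_secret,
                 fetch=_post_client_credentials, clock=time.monotonic, skew=60):
        if urllib.parse.urlsplit(token_url).scheme != "https":
            raise ValueError("token endpoint must use https")
        self._args = (token_url, client_id, client_secret)
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def get_subject_token(self, context, request):
        # Reuse the cached token until `skew` seconds before it expires.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._fetch(*self._args)
            if "access_token" not in body or "expires_in" not in body:
                raise ValueError("IdP response lacks access_token or expires_in")
            self._token = body["access_token"]
            self._expires_at = self._clock() + float(body["expires_in"])
        return self._token

    def __repr__(self):  # keep the client secret out of logs and tracebacks
        return f"{type(self).__name__}(token_url={self._args[0]!r})"
```

An instance is passed as `subject_token_supplier` to `google.auth.identity_pool.Credentials`, which calls `get_subject_token` whenever it needs a subject token to exchange.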

@boring-cyborg boring-cyborg bot added area:providers provider:google Google (including GCP) related issues labels May 27, 2024
@dybolo dybolo force-pushed the google_cloud_extra_auth branch from 15f5961 to 8c027c9 Compare May 27, 2024 14:49
@potiuk
Member

potiuk commented May 28, 2024

@VladaZakharova -> maybe your team can review it ?

@VladaZakharova
Contributor

@VladaZakharova -> maybe your team can review it ?

yes, sure!

@potiuk
Member

potiuk commented Jun 8, 2024

Does it look good @moiseenkov ? Also @dybolo - you need to resolve conflicts now.

@dybolo dybolo force-pushed the google_cloud_extra_auth branch from 35fb452 to a509d85 Compare June 9, 2024 13:02
dybolo and others added 5 commits June 9, 2024 14:42
using OAuth2.0 Client Credentials Grant for
Google Cloud Operators.

This feature enables OIDC token retrieval from
any generic Identity Provider (IdP) that uses the OAuth 2.0
Credentials Grant Flow. Additionally, it lays the groundwork
for integrating other custom OIDC token retrieval methods.

related: apache#35899

Co-authored-by: Gonçalo Azevedo <goncalo.r.azevedo@tecnico.ulisboa.pt>
@dybolo dybolo force-pushed the google_cloud_extra_auth branch from a509d85 to cee623c Compare June 9, 2024 13:47
@potiuk potiuk merged commit a586ea8 into apache:main Jun 11, 2024
49 checks passed
potiuk added a commit to potiuk/airflow that referenced this pull request Jun 12, 2024
The apache#39873 added an implicit dependency to google auth > 2.29.0
because it uses SubjectTokenSupplier added in that version.

Our "Lowest-direct" tests caught it (yay!) so we should add the
min requirement to the dependency.
potiuk added a commit that referenced this pull request Jun 12, 2024
The #39873 added an implicit dependency to google auth > 2.29.0
because it uses SubjectTokenSupplier added in that version.

Our "Lowest-direct" tests caught it (yay!) so we should add the
min requirement to the dependency.
romsharon98 pushed a commit to romsharon98/airflow that referenced this pull request Jul 26, 2024
…erators. (apache#39873)

* Add support for external IdP OIDC token retrieval
using OAuth2.0 Client Credentials Grant for
Google Cloud Operators.

This feature enables OIDC token retrieval from
any generic Identity Provider (IdP) that uses the OAuth 2.0
Credentials Grant Flow. Additionally, it lays the groundwork
for integrating other custom OIDC token retrieval methods.

related: apache#35899

Co-authored-by: Gonçalo Azevedo <goncalo.r.azevedo@tecnico.ulisboa.pt>

---------

Co-authored-by: Gonçalo Azevedo <goncalo.r.azevedo@tecnico.ulisboa.pt>
romsharon98 pushed a commit to romsharon98/airflow that referenced this pull request Jul 26, 2024
The apache#39873 added an implicit dependency to google auth > 2.29.0
because it uses SubjectTokenSupplier added in that version.

Our "Lowest-direct" tests caught it (yay!) so we should add the
min requirement to the dependency.