-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make GCP OAuth scopes configurable via pipeline options. #23644
Conversation
This allows users to limit scopes dependent on their pipeline. fixes apache#23290
…d to pass in a default instance
Codecov Report
@@ Coverage Diff @@
## master #23644 +/- ##
=======================================
Coverage 73.33% 73.33%
=======================================
Files 719 719
Lines 95795 95794 -1
=======================================
+ Hits 70248 70252 +4
+ Misses 24236 24231 -5
Partials 1311 1311
Flags with carried forward coverage won't be shown. Click here to find out more.
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
Stopping reviewer notifications for this pull request: review requested by someone other than the bot, ceding control |
@@ -169,7 +161,7 @@ def _get_service_credentials(pipeline_options): | |||
return None | |||
|
|||
@staticmethod | |||
def _add_impersonation_credentials(credentials, pipeline_options): | |||
def _add_impersonation_credentials(credentials, scopes, pipeline_options): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a reason we add a param instead of retrieving from pipeline_options?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed. I also dropped the logic here since PipelineOptions will now always be passed in.
Drop the non pipelineoptions routes in _add_impersonation_...
Thank you |
Run Java PreCommit |
…che#23644)" This reverts commit fdb1223.
@lukecwik Can you explain how this works? I upgraded Beam to version to 2.43.0, added the following:
But still get
|
It looks like the error your getting is from BigQuery trying to access Drive on your behalf and not from Dataflow trying to access Drive. How are you trying to get BigQuery to access Drive from Dataflow (is it via your own code or is it via cross language IO connector or ...)? |
I'm not using Dataflow. This job is running as a cronjob in Kubernetes and the credentials come from a service account. I can confirm the service account has the required role to access the BigQuery table, and the underlying Google Drive file is shared with the service account email. This same setup used to work just fine with my patched version of Beam that added the needed Auth scope. Also worth noting that the error message I mentioned is what I get when the Drive Auth scope is missing as reported in the previous issue. Update: I forked the latest 2.43.0 release, hard-coded the needed auth scope in the |
note that when setting |
According to the official documentation that is not the case when using the |
I stand corrected, you don't need to repeat the default options.
I am not sure what is going on then. I would print the content of the defined scopes and A/B test both cases. |
I tried supplying the option on the command line and can see that it is being populated correctly, but don't have a readily-available pipeline that I can use to meaningfully test a different scope. |
This allows users to limit scopes dependent on their pipeline.
fixes #23290
Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:
R: @username
).addresses #123
), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, commentfixes #<ISSUE NUMBER>
instead.CHANGES.md
with noteworthy changes.See the Contributor Guide for more tips on how to make review process smoother.
To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md
GitHub Actions Tests Status (on master branch)
See CI.md for more information about GitHub Actions CI.