feat(google client): Enable to specify the service account to proxy function of scheduler in google client sdk #6013
Conversation
|
Hi @toshitanian. Thanks for your PR. I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/assign @ji-yaqi |
|
@ji-yaqi Hi, how this looks like? we are planning to use this SDK. So i’m really appreciate if you could take a look! |
…nd cloud scheduler job
toshitanian
force-pushed
the
google_client_specify_sa_to_proxy_function_of_scheduler
branch
from
dc344a9
to
bdd5955
Compare
|
@ji-yaqi |
| @@ -368,6 +368,7 @@ def create_schedule_from_job_spec( | |||
| service_account: Optional[str] = None, | |||
| enable_caching: Optional[bool] = None, | |||
| app_engine_region: Optional[str] = None, | |||
| service_account_for_schedule: Optional[str] = None, | |||
There was a problem hiding this comment.
Can we update the name to cloud_scheduler_service_account to better reflect the name? Otherwise LGTM, thanks!
sdk/python/.python-version
Outdated
| @@ -0,0 +1 @@ | |||
| 3.7.6 | |||
There was a problem hiding this comment.
Thanks for the change! One more nit, what is this file for?
There was a problem hiding this comment.
Ah, sorry. That's the file of my environment. Will remove...
There was a problem hiding this comment.
@ji-yaqi Removed and force pushed the latest commit!
toshitanian
force-pushed
the
google_client_specify_sa_to_proxy_function_of_scheduler
branch
from
77c18d7
to
87dd886
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ji-yaqi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Thanks! |
Description of your changes:
When AI platform SDK creates a scheduled job, it makes a Cloud scheduler job and a cloud function to proxy from scheduler job to AI platform endpoint. Now the service account of the function is fixed to the service account of App Engine default. So the function fails to call AI platform endpoint when it does not have appropriate permission.
In this pull request, we'll be able to attach a individual service account to the function that should have access to call the AI Platform endpoint. If the parameter is not specified, the SDK does not give the parameter to cloud functions API and the default service account will be used by default.
Checklist: