no support for google.auth.default #179

Open
jonathanelscpt opened this issue May 28, 2022 · 6 comments

jonathanelscpt commented May 28, 2022

To support CI workflows building off gh actions, I'd like to use the recommended auth method using google.auth.default with google-github-actions/[email protected] - https://github.com/google-github-actions/auth.

This would (hopefully) allow the following, using the more modern google.auth lib:

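    import google.auth
    from oauth2client.service_account import ServiceAccountCredentials

    # GoogleAuth is this library's auth class; LOCAL_KEY (key file path) and
    # SCOPES (list of OAuth scopes) are defined by the caller.
    gauth = GoogleAuth()
    try:
        gauth.credentials = ServiceAccountCredentials.from_json_keyfile_name(LOCAL_KEY, SCOPES)  # support local dev
    except FileNotFoundError:
        credentials, _ = google.auth.default(SCOPES)  # prod
        gauth.credentials = credentials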

This is defined here:
https://google-auth.readthedocs.io/en/master/user-guide.html

Unfortunately, forcing auth with a local service account key file is a poor security implementation, and not really acceptable for cloud CI.

@jonathanelscpt
Author

@junpeng-jp will test after merge

@jonathanelscpt
Author

Fixing this should also support:

    from google.oauth2.service_account import Credentials

    # key_file is the path to the JSON key; scopes must be passed by keyword
    credentials = Credentials.from_service_account_file(key_file, scopes=scopes)

@jonathanelscpt
Author

A working alternative until this is implemented is to use this after reading key from env:

    oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_dict()
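An added example, not part of the original thread or the library's own code: a sketch of the env-based workaround above written against google-auth, which validates the key read from the environment before building credentials and otherwise falls back to google.auth.default. The variable name GDRIVE_SA_KEY_JSON, the helper names and the sample key are assumptions made for illustration.

```python
import json
import os

ENV_VAR = "GDRIVE_SA_KEY_JSON"  # hypothetical variable name, not defined by the library
REQUIRED = ("client_email", "private_key", "token_uri")

# Constructed sample key for illustration only; the private key is a placeholder.
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "ci-bot@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def key_info_from_env(environ=os.environ, var=ENV_VAR):
    """Return the service account key dict stored in `var`, or None if unset.

    Malformed content raises ValueError, so a broken secret stops the job
    instead of silently falling through to a different identity.
    """
    raw = environ.get(var)
    if not raw:
        return None
    try:
        info = json.loads(raw)
    except json.JSONDecodeError:
        # "from None" keeps the decode error, which holds the raw secret
        # text, out of the printed traceback.
        raise ValueError(f"{var} is not valid JSON") from None
    if not isinstance(info, dict) or info.get("type") != "service_account":
        raise ValueError(f"{var} does not hold a service account key")
    missing = [name for name in REQUIRED if not info.get(name)]
    if missing:
        raise ValueError(f"{var} is missing: {', '.join(missing)}")
    return info


def resolve_credentials(scopes, environ=os.environ):
    """Return (source, credentials): key from env if present, else ADC."""
    info = key_info_from_env(environ)
    if info is not None:
        from google.oauth2 import service_account  # needs google-auth installed
        creds = service_account.Credentials.from_service_account_info(info, scopes=scopes)
        return "env-key", creds
    import google.auth  # Application Default Credentials lookup
    creds, _project = google.auth.default(scopes=scopes)
    return "adc", creds
```

Logging the returned source label shows which kind of identity a given CI job actually used.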


junpeng-jp commented May 30, 2022

hey @jonathanelscpt, the GoogleAuth in this library supports file-based service auth through:

  1. specifying the service credential file name in the yaml config under service_config > client_json_file_path or specifying the GOOGLE_APPLICATION_CREDENTIALS environment variable and setting service_config > use_default = True
  2. instantiate GoogleAuth
  3. run the ServiceAuth method which would:
    • read the service credential json path
    • use the from_service_account_file class method (see here) to create the service account credentials


junpeng-jp commented May 30, 2022

At least, this is how it would be after my pull request above has been merged. Because the entire library's google auth is driven by the .yaml config file, I've kept to the same design whilst I was working to migrate from oauth2client -> google-auth

@shcheklein
Member

For the record, the current implementation supports reading from a dict, from ENV, etc. I'm not sure about the default credentials. It depends on the underlying implementation for them.
