Add Impersonate Service Account argument #2015
wintermi wants to merge 9 commits into dataform-co:main from
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
+1, this would enable the use of impersonation in CI rather than giving the rights directly to the CI service account. |
|
/gcbrun |
| clientConfig.authClient = new Impersonated({ | ||
| sourceClient: authClient, | ||
| targetPrincipal: this.bigQueryCredentials.impersonateServiceAccount, | ||
| targetScopes: ['https://www.googleapis.com/auth/cloud-platform'] |
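Review bot: `targetScopes` on the last line of this hunk requests `https://www.googleapis.com/auth/cloud-platform`, the broadest Google Cloud scope, for the impersonated token. Consider requesting only the scopes the adapter actually uses (for example `https://www.googleapis.com/auth/bigquery`, plus whatever `EXTRA_GOOGLE_SCOPES` covers), so that a leaked token is limited by scope as well as by the IAM roles of the target account.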
Not sure what you would like done here?
I mean using EXTRA_GOOGLE_SCOPES here instead of hard-coding
|
@wintermi, in the current version tests are failing due to linter checks: output. You can check errors using this lint script. |
|
Resynced the PR with the latest commit |
Fixed the linter issues |
|
@kolina ready for retesting, thanks |
|
/gcbrun |
…st' commands and the required changes to allow for the impersonation of service accounts without the need to change ADC
|
I removed the |
|
I added an IMPERSONATION_GOOGLE_SCOPES as the EXTRA_GOOGLE_SCOPES only mentions drive. |
| projectId = projectId || this.bigQueryCredentials.projectId; | ||
| if (!this.clients.has(projectId)) { | ||
| this.clients.set( | ||
| const clientConfig: any = { |
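Review bot: `const clientConfig: any` on the last line of this hunk disables type checking on the object that carries the credentials. With `any`, a misspelled `authClient` key compiles cleanly, and a client constructed without that key authenticates with the default credentials rather than the impersonated account, with no error. Typing the object as `BigQueryOptions` turns that mistake into a compile error.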
BigQueryOptions instead of any?
| projectId, | ||
| new BigQuery({ | ||
| scopes: EXTRA_GOOGLE_SCOPES, |
Are projectId and scopes here used by the auth library if you overwrite authClient? If they're not used in this case, I'd only set them in the else branch below
| projectId, | ||
| scopes: EXTRA_GOOGLE_SCOPES, | ||
| location: this.bigQueryCredentials.location, | ||
| scopes: IMPERSONATION_GOOGLE_SCOPES, |
Let's add a comment explaining why we're passing a different set of scopes with impersonation and without
| getCredentialsPath(argv[projectDirOption.name], argv[credentialsOption.name]) | ||
| ); | ||
| if (argv[impersonateServiceAccountOption.name]) { | ||
| (readCredentials as any).impersonateServiceAccount = |
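Review bot: the `if (argv[impersonateServiceAccountOption.name])` check in this hunk is a truthiness test, so if the flag is passed with an empty value (for example from an unset CI variable) the branch is skipped and the run continues on the source credentials without any warning. Distinguish "flag absent" from "flag present but empty", and when the flag is present require a non-empty value in service account email form before it is assigned and later used as `targetPrincipal`, exiting with an error otherwise.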
Can we extend dataform.IBigQuery with your new option to avoid dynamic casts breaking static typing?
| return `${value} ${units[i]}`; | ||
| } | ||
|
|
||
| const DURATION_UNITS_IN_MILLIS: { [unit: string]: number } = { |
Can you please elaborate about the effort to avoid it and upgrade parse-duration dependency?
| import Long from "long"; | ||
| import { PromisePoolExecutor } from "promise-pool-executor"; | ||
|
|
||
| import { BigQuery, GetTablesResponse, TableField, TableMetadata } from "@google-cloud/bigquery"; |
It seems to break lint checks
Step #1: ERROR: /workspace/cli/api/dbadapters/bigquery.ts:4:1 - Import sources within a group must be alphabetized.
Step #1: ERROR: /workspace/cli/api/dbadapters/bigquery.ts:5:1 - Imports from this module are not allowed in this group. The expected groups (in order) are: external, internal.
| throw new Error("Duration cannot be empty."); | ||
| } | ||
|
|
||
| if (/^[+-]?\d+(\.\d+)?$/.test(normalizedDuration)) { |
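Review bot: the pattern on the last line of this hunk, `/^[+-]?\d+(\.\d+)?$/`, puts a `+` quantifier inside an optional group, which is the nested-quantifier shape that lint rules for unsafe regular expressions commonly flag. The group has to start with a literal `.`, so the match is not ambiguous, but the lint still needs to pass: either restructure the check so no quantifier is nested (test the integer part and the optional fraction separately), or suppress the rule on this line with a comment that states why the pattern is safe.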
Lint checks are failing
Step #1: ERROR: /workspace/cli/util.ts:90:7 - Unsafe Regular Expression
Step #1: ERROR: /workspace/cli/util.ts:97:27 - Unsafe Regular Expression
This PR adds an --impersonate-service-account argument to the run and test commands, along with the required changes to allow for the impersonation of service accounts without the need to change ADC or call gcloud.
This would resolve issue #2000 and would be an alternative solution to PR #2001.
Impersonation could then be achieved by executing: