melugoyal commented on PR #35694:
URL: https://github.com/apache/airflow/pull/35694#issuecomment-1823578502

   test DAG:
   ```
   from airflow.providers.google.cloud.operators.gcs import GCSCreateBucketOperator
   from airflow import DAG
   from datetime import datetime

   with DAG(
       dag_id="gcp-test",
       schedule="@once",
       start_date=datetime(2023, 1, 1),
       is_paused_upon_creation=False,
       catchup=False,
   ) as dag:
       GCSCreateBucketOperator(
           task_id="gcscreate",
           bucket_name="test-mehulg",
           gcp_conn_id="gcp_test",
           # impersonation chain set in DAG code (connection `gcp_test` may define its own)
           impersonation_chain="test-sa-in-c...@project.iam.gserviceaccount.com",
       )
   ```
   
   with connection `gcp_test` specified without the `impersonation_chain` set:
   ```
   File "/usr/local/lib/python3.11/site-packages/google/auth/impersonated_credentials.py", line 100, in _make_iam_token_request
       raise exceptions.RefreshError(_REFRESH_ERROR, response_body)
   google.auth.exceptions.RefreshError: (\'Unable to acquire impersonated credentials\', \'{\
     "error": {\
       "code": 404,\
       "message": "Not found; Gaia id not found for email test-sa-in-c...@project.iam.gserviceaccount.com",\
       "status": "NOT_FOUND"\
     }\
   }\
   \')
   ```
   so it attempted to use `test-sa-in-c...@project.iam.gserviceaccount.com` from the DAG code. note the error is expected, since that is a fake service account and i'm not actually setting up any IAM policies
   
   
   with impersonation_chain in connection `gcp_test` set to 
`test-sa-in-connect...@project.iam.gserviceaccount.com`
   ```
   File "/usr/local/lib/python3.11/site-packages/google/auth/impersonated_credentials.py", line 100, in _make_iam_token_request
       raise exceptions.RefreshError(_REFRESH_ERROR, response_body)
   google.auth.exceptions.RefreshError: (\'Unable to acquire impersonated credentials\', \'{\
     "error": {\
       "code": 404,\
       "message": "Not found; Gaia id not found for email test-sa-in-c...@project.iam.gserviceaccount.com",\
       "status": "NOT_FOUND"\
     }\
   }\
   \')
   ```
   same error, indicating that as expected the `impersonation_chain` from the code takes precedence.
   
   now redeployed the DAG removing the impersonation_chain specified in code:
   ```
   File "/usr/local/lib/python3.11/site-packages/google/auth/impersonated_credentials.py", line 100, in _make_iam_token_request
       raise exceptions.RefreshError(_REFRESH_ERROR, response_body)
   google.auth.exceptions.RefreshError: (\'Unable to acquire impersonated credentials\', \'{\
     "error": {\
       "code": 404,\
       "message": "Not found; Gaia id not found for email test-sa-in-connect...@project.iam.gserviceaccount.com",\
       "status": "NOT_FOUND"\
     }\
   }\
   \')
   ```
   as expected, it attempted to use the service account specified in the connection.
   
   
   with impersonation chain in `gcp_test` updated to 
`test-first-sa-in-connect...@project.iam.gserviceaccount.com, 
test-sa-in-connect...@project.iam.gserviceaccount.com`
   ```
   File "/usr/local/lib/python3.11/site-packages/google/auth/impersonated_credentials.py", line 100, in _make_iam_token_request
       raise exceptions.RefreshError(_REFRESH_ERROR, response_body)
   google.auth.exceptions.RefreshError: (\'Unable to acquire impersonated credentials\', \'{\
     "error": {\
       "code": 404,\
       "message": "Not found; Gaia id not found for email test-first-sa-in-connect...@project.iam.gserviceaccount.com",\
       "status": "NOT_FOUND"\
     }\
   }\
   \')
   ```
   as expected, it attempted to use the first service account specified in the connection
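
The precedence observed in the comment above, written out as a stand-alone sketch. This is an added example, not part of the original comment and not Airflow's own code; `EffectiveChain`, `parse_connection_value` and `resolve` are hypothetical names, and the account names are constructed. It also shows the split of a multi-account chain into delegates and a final target, which is how `google.auth.impersonated_credentials.Credentials` takes its `target_principal` and `delegates` arguments.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union

Chain = Union[str, Sequence[str]]


@dataclass(frozen=True)
class EffectiveChain:  # hypothetical type, for illustration only
    origin: str                  # "dag" or "connection": where the value came from
    delegates: Tuple[str, ...]   # intermediate accounts, in hop order
    target: str                  # account whose token is finally requested

    @property
    def first_hop(self) -> str:
        # First account the connection's own credentials must be able to impersonate.
        return self.delegates[0] if self.delegates else self.target


def parse_connection_value(raw: Optional[str]) -> Optional[Chain]:
    """Split the connection's comma-separated field into one account or a list."""
    parts = [p.strip() for p in (raw or "").split(",") if p.strip()]
    if not parts:
        return None
    return parts[0] if len(parts) == 1 else parts


def resolve(dag_value: Optional[Chain], conn_raw: Optional[str]) -> Optional[EffectiveChain]:
    """The value set in DAG code wins; the connection value is only a fallback."""
    if dag_value:
        origin, chain = "dag", dag_value
    else:
        origin, chain = "connection", parse_connection_value(conn_raw)
    if not chain:
        return None  # nothing configured in either place: no impersonation
    accounts = [chain] if isinstance(chain, str) else list(chain)
    *delegates, target = accounts
    return EffectiveChain(origin, tuple(delegates), target)


if __name__ == "__main__":
    # Constructed account names, mirroring the four runs in the comment.
    code_sa = "sa-in-code@example-project.iam.gserviceaccount.com"
    conn_sa = "sa-in-connection@example-project.iam.gserviceaccount.com"
    first_sa = "first-sa-in-connection@example-project.iam.gserviceaccount.com"
    for dag_value, conn_raw in [(code_sa, None), (code_sa, conn_sa),
                                (None, conn_sa), (None, f"{first_sa}, {conn_sa}")]:
        print(resolve(dag_value, conn_raw))
```

Logging `origin` and `first_hop` when a task starts makes it visible which identity the task will act as when both the DAG and the connection define a chain.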
    

