m1racoli commented on code in PR #36341: URL: https://github.com/apache/airflow/pull/36341#discussion_r1455033407
########## airflow/providers/google/cloud/hooks/bigquery.py: ########## @@ -3247,6 +3259,36 @@ def _format_schema_for_description(schema: dict) -> list: return description +class ImpersonationToken: + """Simulate the interface of gcloud.aio.auth.token.BaseToken and generate impersonation_chain access_token.""" + + def __init__(self, project_id: str | None, impersonation_chain: str) -> None: + self.project_id = project_id + self.impersonation_chain = impersonation_chain + + async def get_project(self) -> str | None: + project = ( + self.project_id + or os.environ.get("GOOGLE_CLOUD_PROJECT") + or os.environ.get("GCLOUD_PROJECT") + or os.environ.get("APPLICATION_ID") + ) + return project + + async def get(self) -> str | None: + creds, _ = google.auth.default() + + target_principal, _ = _get_target_principal_and_delegates(self.impersonation_chain) + impersonated_creds = impersonated_credentials.Credentials( + source_credentials=creds, + target_principal=target_principal, + target_scopes=["https://www.googleapis.com/auth/cloud-platform"], + ) + + impersonated_creds.refresh(google_auth_requests.Request()) Review Comment: This is need's to be done asynchronously. Otherwise it will block the entire triggerer process. ########## airflow/providers/google/cloud/hooks/bigquery.py: ########## @@ -3247,6 +3259,36 @@ def _format_schema_for_description(schema: dict) -> list: return description +class ImpersonationToken: + """Simulate the interface of gcloud.aio.auth.token.BaseToken and generate impersonation_chain access_token.""" + + def __init__(self, project_id: str | None, impersonation_chain: str) -> None: + self.project_id = project_id + self.impersonation_chain = impersonation_chain + + async def get_project(self) -> str | None: + project = ( + self.project_id + or os.environ.get("GOOGLE_CLOUD_PROJECT") + or os.environ.get("GCLOUD_PROJECT") + or os.environ.get("APPLICATION_ID") + ) + return project + + async def get(self) -> str | None: + creds, _ = google.auth.default() Review Comment: I would like to add the `GoogleBaseHook.get_credentials()` probably not only respects impersonation chain set on hook level, but also on connection level. If we can rely on that, then we would need to cover those cases individually. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org