mik-laj commented on a change in pull request #19164:
URL: https://github.com/apache/airflow/pull/19164#discussion_r735418664
##########
File path: airflow/providers/google/cloud/utils/credentials_provider.py
##########
@@ -283,6 +289,31 @@ def _get_credentials_using_key_path(self):
project_id = credentials.project_id
return credentials, project_id
+ def _get_credentials_using_key_secret_name(self):
+ self._log_debug('Getting connection using JSON key data from GCP
secret: %s', self.key_secret_name)
+
+ # Use ADC to access GCP Secret Manager.
+ adc_credentials, adc_project_id =
google.auth.default(scopes=self.scopes)
+ secret_manager_client =
_SecretManagerClient(credentials=adc_credentials)
Review comment:
I'm not sure if it's a good idea to store a service account file in
Secret Manager. Have you considered using impersonation to change service
accounts? Thanks to this, you will have a long-lived secret that can leak, but
instead, you will only use a short-lived token, which will expire very quickly
in the event of a leak.
http://airflow.apache.org/docs/apache-airflow/stable/production-deployment.html#impersonate-service-accounts
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
