mik-laj commented on a change in pull request #19164:
URL: https://github.com/apache/airflow/pull/19164#discussion_r736061339



##########
File path: airflow/providers/google/cloud/utils/credentials_provider.py
##########
@@ -283,6 +289,31 @@ def _get_credentials_using_key_path(self):
         project_id = credentials.project_id
         return credentials, project_id
 
+    def _get_credentials_using_key_secret_name(self):
+        self._log_debug('Getting connection using JSON key data from GCP 
secret: %s', self.key_secret_name)
+
+        # Use ADC to access GCP Secret Manager.
+        adc_credentials, adc_project_id = 
google.auth.default(scopes=self.scopes)
+        secret_manager_client = 
_SecretManagerClient(credentials=adc_credentials)
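
Review bot: The `google.auth.default(scopes=self.scopes)` call in `_get_credentials_using_key_secret_name` requests the ADC credentials with the connection's own scopes, so the Secret Manager read only succeeds if those scopes happen to permit it; consider requesting the scope needed for the secret read explicitly instead of reusing `self.scopes`. `google.auth.default` can also return `None` as the project, so `adc_project_id` should be checked before any later use. A docstring saying that ADC is used here only to fetch the key named by `self.key_secret_name` would make the two sets of credentials easier to tell apart.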

Review comment:
       > key file path to GCS and encoded key data.
   
   These configuration options are mainly intended for non-GCP environments where you do not have access to the GCP metaserver.
   
   > Also, currently impersonation doesn't work for all GCP operators
   
   Only 5 operators are not supported. And `GKEStartPodOperator` is relatively easy to fix. Just add the [`--impersonate-service-account`](https://cloud.google.com/sdk/gcloud/reference#--impersonate-service-account) option to the gcloud call.
   
   https://github.com/apache/airflow/blob/87769db98f963338855f59cfc440aacf68e008c9/airflow/providers/google/cloud/operators/kubernetes_engine.py#L342-L352
   
   In the case of Google Dataflow, Apache Beam is a limitation, so we should at least submit a feature request before we start implementing workarounds.
   
   I am also wondering, might it not be a better idea to use [Google Cloud Secret Manager Backend](http://airflow.apache.org/docs/apache-airflow-providers-google/stable/secrets-backends/google-cloud-secret-manager-backend.html)? It allows you to store all the connections in the backend secret, and in case it is not found, it checks the database also.
   



