lukas-at-harren commented on issue #22727: URL: https://github.com/apache/airflow/issues/22727#issuecomment-1285095593
Here is the documentation on how to provide identity to a Kubernetes workload (e.g. Deployment):
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

We use workload identity to provide a Google Service Account to our Airflow workers. That SA has the rights to list the cluster and obtain its credentials.

Therefore, if you call the Google API from within a worker pod that has this workload identity, it will obtain its credentials from so-called application default credentials. Read more on application default credentials here:
https://cloud.google.com/docs/authentication/application-default-credentials

So the „chain“ looks like:

Google Service Account for Airflow workers
  > Has the rights to list and get credentials for the other cluster
Airflow cluster (GKE)
  > provides workload identity to all Airflow workers (using the SA)
Airflow worker then uses application default credentials
  > The GKEJobOperator can list the other cluster and obtain its credentials
  > The GKEJobOperator can schedule a Pod on the other cluster therefore

Kind regards,
Lukas Rieder
––
Data & Cloud Engineer (ext.)

On 20. Oct 2022 at 09:44 +0200, jholowaty <***@***.***>, wrote:
> Can you give me an example how to get the credentials without the cli to the GKEStartPodOperator? Thanks!!
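
The chain described in the comment above, sketched in Python as an added example (not code from the comment's author or from Airflow). It resolves application default credentials and reads the other cluster's endpoint and CA through the GKE API instead of the gcloud CLI. The function names and the constructed sample values are assumptions, and the google-auth and google-cloud-container packages are needed only for settings_from_adc.

```python
import base64

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample values for an offline run (not a real cluster or certificate).
SAMPLE_ENDPOINT = "203.0.113.10"
SAMPLE_CA_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
).decode()


def kube_client_settings(endpoint, ca_cert_b64, access_token):
    """Combine GKE cluster metadata and an ADC token into Kubernetes client settings."""
    if not endpoint or not ca_cert_b64:
        raise ValueError("cluster has no endpoint or CA certificate")
    ca_pem = base64.b64decode(ca_cert_b64, validate=True)
    if b"BEGIN CERTIFICATE" not in ca_pem:
        raise ValueError("cluster CA is not a PEM certificate")
    return {
        "host": f"https://{endpoint}",
        "ca_pem": ca_pem,  # pin the cluster CA rather than disabling TLS verification
        "headers": {"Authorization": f"Bearer {access_token}"},
    }


def settings_from_adc(project, location, cluster):
    """Resolve ADC (the workload identity SA on a GKE worker) and look up the cluster."""
    # Imported lazily so kube_client_settings runs without the Google libraries.
    import google.auth
    from google.auth.transport.requests import Request
    from google.cloud import container_v1

    creds, _ = google.auth.default(scopes=[CLOUD_PLATFORM_SCOPE])
    creds.refresh(Request())  # with workload identity: metadata server, no key file
    name = f"projects/{project}/locations/{location}/clusters/{cluster}"
    info = container_v1.ClusterManagerClient(credentials=creds).get_cluster(name=name)
    return kube_client_settings(
        info.endpoint, info.master_auth.cluster_ca_certificate, creds.token
    )


if __name__ == "__main__":
    print(kube_client_settings(SAMPLE_ENDPOINT, SAMPLE_CA_B64, "sample-token")["host"])
```

The access token is short-lived, so a long-running task has to refresh the credentials and rebuild the settings rather than cache them.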
