vchiapaikeo commented on PR #28763:
URL: https://github.com/apache/airflow/pull/28763#issuecomment-1377456226

   Hi @rajaths010494 @kaxil - I wanted to point out a possible bug that is 
introduced here - it seems like using this approach:
   
   ```py
       async def get_storage_client(self, session: ClientSession) -> Storage:
           """Returns a Google Cloud Storage service object."""
           with await self.service_file_as_context() as file:
               return Storage(service_file=file, session=cast(Session, session))
   ```
   
   does not honor the impersonation_chain when application default credentials 
(ADC) are being used. We've tried a similar approach from astronomer-providers 
and encountered issues on our end. I believe this is because in the case that 
`await self.service_file_as_context() as file` yields None (the fall through 
[here](https://github.com/apache/airflow/blob/284cd529898fbadd14308004a0b0cb6f389b4318/airflow/providers/google/common/hooks/base_google.py#L484-L513)),
 the async storage client gets instantiated with this:
   
   ```py
   return Storage(service_file=None, session=cast(Session, session))
   ```
   
   TalkIQ's async io storage client has no idea of the impersonation chain on 
instantiation here --> 
https://github.com/talkiq/gcloud-aio/blob/4e0006240913ecadde68722b8986f184a9b1adea/storage/gcloud/aio/storage/storage.py#L149-L168
   
   And as a result, the token gets instantiated with ADC without regard for 
impersonation chain.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
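
The fall-through described in the comment above, modeled as an added example that is not part of the original message and is not Airflow or gcloud-aio code. `HookConfig`, `StubStorage`, both `build_client_*` functions and the service account name are hypothetical stand-ins; the guard fails closed when an impersonation chain is configured but only ADC would be used.

```python
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple


@dataclass
class HookConfig:  # hypothetical stand-in for the hook's connection settings
    key_path: Optional[str] = None
    impersonation_chain: Tuple[str, ...] = ()


@contextmanager
def service_file_as_context(cfg: HookConfig) -> Iterator[Optional[str]]:
    # Models the behaviour the comment describes: with no key material
    # configured, the context manager yields None (the ADC fall-through).
    yield cfg.key_path


@dataclass
class StubStorage:  # stand-in for the async client; it only receives service_file
    service_file: Optional[str]

    def effective_identity(self) -> str:
        # With service_file=None the client resolves credentials from ADC.
        return f"key:{self.service_file}" if self.service_file else "ADC"


class ImpersonationNotHonored(RuntimeError):
    """Raised instead of silently running as the ADC identity."""


def build_client_unguarded(cfg: HookConfig) -> StubStorage:
    # Same shape as the quoted snippet: the chain never reaches the client.
    with service_file_as_context(cfg) as file:
        return StubStorage(service_file=file)


def build_client_guarded(cfg: HookConfig) -> StubStorage:
    with service_file_as_context(cfg) as file:
        if file is None and cfg.impersonation_chain:
            raise ImpersonationNotHonored(
                "impersonation_chain is set but the client would use ADC: "
                + " -> ".join(cfg.impersonation_chain)
            )
        return StubStorage(service_file=file)


# Constructed sample configuration (not a real service account).
SAMPLE = HookConfig(impersonation_chain=("target-sa@example-project.iam.gserviceaccount.com",))
```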
