melugoyal commented on PR #35694:
URL: https://github.com/apache/airflow/pull/35694#issuecomment-1823578502
test DAG:
```
from airflow.providers.google.cloud.operators.gcs import
GCSCreateBucketOperator
from airflow import DAG
from datetime import datetime
with DAG(
dag_id="gcp-test", schedule="@once", start_date=datetime(2023, 1, 1),
is_paused_upon_creation=False, catchup=False
) as dag:
GCSCreateBucketOperator(
task_id="gcscreate",
bucket_name="test-mehulg",
gcp_conn_id="gcp_test",
impersonation_chain="[email protected]",
)
```
with connection `gcp_test` specified without the `impersonation_chain` set:
` File
"/usr/local/lib/python3.11/site-packages/google/auth/impersonated_credentials.py",
line 100, in _make_iam_token_request
raise exceptions.RefreshError(_REFRESH_ERROR, response_body)
google.auth.exceptions.RefreshError: (\'Unable to acquire impersonated
credentials\', \'{\
"error": {\
"code": 404,\
"message": "Not found; Gaia id not found for email
[email protected]",\
"status": "NOT_FOUND"\
}\
}\
\')`
so it attempted to use `[email protected]`
from the DAG code. note the error is expected, since that is a fake service
account and i'm not actually setting up any IAM policies
with impersonation_chain in connection `gcp_test` set to
`[email protected]`
<img width="693" alt="image"
src="https://github.com/apache/airflow/assets/4218638/eb7d0681-91e5-46fd-97be-575e60a28aef";>
`File
"/usr/local/lib/python3.11/site-packages/google/auth/impersonated_credentials.py",
line 100, in _make_iam_token_request
raise exceptions.RefreshError(_REFRESH_ERROR, response_body)
google.auth.exceptions.RefreshError: (\'Unable to acquire impersonated
credentials\', \'{\
"error": {\
"code": 404,\
"message": "Not found; Gaia id not found for email
[email protected]",\
"status": "NOT_FOUND"\
}\
}\
\')`, same error, indicating that as expected the `impersonation_chain` from
the code takes precedence.
now redeployed the DAG removing the impersonation_chain specified in code:
`File
"/usr/local/lib/python3.11/site-packages/google/auth/impersonated_credentials.py",
line 100, in _make_iam_token_request
raise exceptions.RefreshError(_REFRESH_ERROR, response_body)
google.auth.exceptions.RefreshError: (\'Unable to acquire impersonated
credentials\', \'{\
"error": {\
"code": 404,\
"message": "Not found; Gaia id not found for email
[email protected]",\
"status": "NOT_FOUND"\
}\
}\
\')`
as expected, it attempted to use the service account specified in the
connection.
with impersonation chain in `gcp_test` updated to
`[email protected],
[email protected]`
<img width="1093" alt="image"
src="https://github.com/apache/airflow/assets/4218638/b3497eff-513a-4e8b-a8d1-7eb7f621e814";>
`File
"/usr/local/lib/python3.11/site-packages/google/auth/impersonated_credentials.py",
line 100, in _make_iam_token_request
raise exceptions.RefreshError(_REFRESH_ERROR, response_body)
google.auth.exceptions.RefreshError: (\'Unable to acquire impersonated
credentials\', \'{\
"error": {\
"code": 404,\
"message": "Not found; Gaia id not found for email
[email protected]",\
"status": "NOT_FOUND"\
}\
}\
\')`
as expected, it attempted to use the first service account specified in the
connection
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
