mik-laj edited a comment on issue #8803: URL: https://github.com/apache/airflow/issues/8803#issuecomment-660222575
@olchas It seems to me that we should define it at the task level. From the user's point of view, this should be as easy to use as in gcloud.

```bash
gcloud \
  [email protected] \
  --impersonate-service-account=test-ka...@polidea-airflow.iam.gserviceaccount.com \
  auth print-access-token
```

There is only one difference. Instead of using the `--account` option, we have `gcp_conn_id`.

If you want to play around with it, then you can use the script below.

```bash
MAIN_ACCOUNT="[email protected]"
SECONDARY_ACCOUNT="[email protected]"

# Token minted for the main account itself.
ACCESS_TOKEN="$(gcloud \
  --account=${MAIN_ACCOUNT} \
  auth print-access-token)"
curl -q "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=${ACCESS_TOKEN}"

# Token minted for the secondary account, obtained by impersonation from the main account.
ACCESS_TOKEN="$(gcloud \
  --account=${MAIN_ACCOUNT} \
  --impersonate-service-account=${SECONDARY_ACCOUNT} \
  auth print-access-token)"
curl -q "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=${ACCESS_TOKEN}"
```

Remember that you need to have the appropriate permissions to use this feature:

* The main account has access to the secondary account. You can set it up in the permissions of the secondary account.
* The main account has the "roles/iam.serviceAccountTokenCreator" role.

If you are using gcloud, then you might want to enable the options below as well, which will allow you to better understand the flow.

```bash
gcloud config set core/log_http true
gcloud config set core/log_http_redact_token false
```

Please note that the second option is not described in the public documentation, so be careful.
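The flow the comment above drives through gcloud, written out as an added example (this is not code from the comment, from Airflow, or from gcloud). It assumes that `--impersonate-service-account` is implemented as a `generateAccessToken` call on the IAM Credentials API authenticated with the main account's token, and that the tokeninfo endpoint reports the impersonated account in its `email` field; the account names, the `fake_post` transport and the tokeninfo reply are constructed so that it runs offline.

```python
"""Service-account impersonation via the IAM Credentials API, plus a tokeninfo check."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

IAM_CREDENTIALS_ENDPOINT = "https://iamcredentials.googleapis.com/v1"
TOKENINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v3/tokeninfo"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Transport signature: (url, headers, json_body) -> (http_status, response_body)
HttpPost = Callable[[str, Dict[str, str], str], Tuple[int, str]]


def build_generate_access_token_request(
    target_sa: str,
    scopes: Optional[List[str]] = None,
    lifetime_s: int = 3600,
    delegates: Optional[List[str]] = None,
) -> Tuple[str, Dict[str, object]]:
    """URL and JSON body for projects/-/serviceAccounts/{SA}:generateAccessToken.

    `delegates` is an optional chain of service accounts to hop through; each link,
    like the caller itself, needs roles/iam.serviceAccountTokenCreator on the next.
    """
    if not 0 < lifetime_s <= 3600:
        # 3600s is the API's default ceiling; anything longer needs an org-policy exception.
        raise ValueError(f"lifetime must be 1..3600 seconds, got {lifetime_s}")
    url = f"{IAM_CREDENTIALS_ENDPOINT}/projects/-/serviceAccounts/{target_sa}:generateAccessToken"
    body: Dict[str, object] = {
        "scope": list(scopes or [CLOUD_PLATFORM_SCOPE]),
        "lifetime": f"{lifetime_s}s",
    }
    if delegates:
        body["delegates"] = [f"projects/-/serviceAccounts/{d}" for d in delegates]
    return url, body


def impersonate(source_access_token: str, target_sa: str, post: HttpPost, **kwargs) -> Tuple[str, str]:
    """Exchange the main account's token for one minted as `target_sa`.

    Returns (access_token, expire_time). HTTP 403 here is the usual symptom of the
    main account lacking roles/iam.serviceAccountTokenCreator on the target.
    """
    url, body = build_generate_access_token_request(target_sa, **kwargs)
    headers = {
        "Authorization": f"Bearer {source_access_token}",
        "Content-Type": "application/json",
    }
    status, payload = post(url, headers, json.dumps(body))
    if status != 200:
        raise PermissionError(f"generateAccessToken returned HTTP {status}: {payload}")
    resp = json.loads(payload)
    return resp["accessToken"], resp["expireTime"]


def check_tokeninfo(info: Dict[str, str], expected_email: str,
                    required_scope: str = CLOUD_PLATFORM_SCOPE,
                    min_remaining_s: int = 60) -> List[str]:
    """Validate a tokeninfo response; an empty list means the token is what we expected."""
    problems: List[str] = []
    if info.get("email", "").lower() != expected_email.lower():
        problems.append(f"token belongs to {info.get('email')!r}, expected {expected_email!r}")
    if required_scope not in info.get("scope", "").split():
        problems.append(f"token lacks scope {required_scope}")
    if int(info.get("expires_in", "0")) < min_remaining_s:
        problems.append(f"token expires in {info.get('expires_in')}s")
    return problems


def urllib_post(url: str, headers: Dict[str, str], data: str) -> Tuple[int, str]:
    """Real transport for live use; never called in the offline demo."""
    req = urllib.request.Request(url, data=data.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


TARGET_SA = "secondary@example-project.iam.gserviceaccount.com"  # constructed name


def fake_post(url: str, headers: Dict[str, str], data: str) -> Tuple[int, str]:
    """Constructed stand-in for the IAM Credentials API: accepts one caller, one target."""
    if headers.get("Authorization") != "Bearer main-token":
        return 401, '{"error": {"status": "UNAUTHENTICATED"}}'
    if not url.endswith(f"{TARGET_SA}:generateAccessToken"):
        return 403, '{"error": {"status": "PERMISSION_DENIED"}}'
    return 200, json.dumps({"accessToken": "impersonated-token", "expireTime": "2020-07-17T12:00:00Z"})


if __name__ == "__main__":
    token, expires = impersonate("main-token", TARGET_SA, fake_post)
    print(f"impersonated token {token} valid until {expires}")
    # Constructed tokeninfo reply, shaped like the curl output in the comment above.
    info = {"email": TARGET_SA, "scope": CLOUD_PLATFORM_SCOPE, "expires_in": "3599"}
    print(check_tokeninfo(info, TARGET_SA) or "token OK")
```

For a live run, replace `fake_post` with `urllib_post` and feed `impersonate` the output of `gcloud --account=... auth print-access-token`; the request it sends is the same one that appears in gcloud's `log_http` output, and `check_tokeninfo` is the programmatic form of reading the `email` field out of the second curl call.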
