mik-laj edited a comment on issue #8803:
URL: https://github.com/apache/airflow/issues/8803#issuecomment-660222575


   @olchas It seems to me that we should define it at the task level.  From the 
user's point of view, this should be as easy to use as in gcloud.
   ```bash
   gcloud \
   --account=[email protected] \
   --impersonate-service-account=test-ka...@polidea-airflow.iam.gserviceaccount.com \
   auth print-access-token
   ```
   There is only one difference. Instead of using the `--account` option, we 
have `gcp_conn_id`.
   
   If you want to play around with it then you can use the script below.
   ```bash
   MAIN_ACCOUNT="[email protected]"
   SECONDARY_ACCOUNT="[email protected]"
   
   ACCESS_TOKEN="$(gcloud \
       --account=${MAIN_ACCOUNT} \
       auth print-access-token)"
   curl -q "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=${ACCESS_TOKEN}";
   
   ACCESS_TOKEN="$(gcloud \
       --account=${MAIN_ACCOUNT} \
       --impersonate-service-account=${SECONDARY_ACCOUNT} \
       auth print-access-token)"
   curl -q "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=${ACCESS_TOKEN}";
   ```
   
   Remember that you need to have the appropriate permissions to use this 
feature:
   * The main account has access to the secondary account. You can set it up in 
the permissions of the secondary account.
   * The main account has "roles/iam.serviceAccountTokenCreator" role.
   
   If you are using gcloud then you might want to enable the options below as 
well, which will allow you to better understand the flow.
   ```bash
   gcloud config set core/log_http true
   gcloud config set core/log_http_redact_token false
   ```
   Please note that the second option is not described in the public 
documentation, so be careful.
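
The permission requirement listed in the comment above can be checked offline from the secondary account's IAM policy. This is an added example, not part of the original comment or of Airflow; the policy JSON, the account names and the helpers `token_creators` and `audit` are constructed for illustration.

```python
import json

# Role named in the comment above; holders can mint tokens for the account.
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Members that are not a single identity and make the grant overly broad.
BROAD_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed policy, shaped like the JSON printed by
# `gcloud iam service-accounts get-iam-policy SECONDARY_ACCOUNT --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["user:main@example.com", "group:data-eng@example.com"]},
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "business-hours",
                 "expression": "request.time.getHours() < 18"}},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["user:other@example.com"]}
]}
""")


def token_creators(policy):
    """Map each token-creator member to a list of flags (True = conditional grant)."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        conditional = "condition" in binding
        for member in binding.get("members", []):
            found.setdefault(member, []).append(conditional)
    return found


def audit(policy, main_account):
    """Report whether main_account may impersonate and which grants need review."""
    creators = token_creators(policy)
    grants = creators.get(main_account, [])
    return {
        "unconditional": False in grants,
        "conditional_only": bool(grants) and all(grants),
        "broad_members": sorted(BROAD_MEMBERS.intersection(creators)),
        "indirect_members": sorted(
            m for m in creators if m.startswith(("group:", "domain:"))),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, "user:main@example.com"))
```

A service account's own policy lists only grants made on that account; the same role granted on the project is inherited and will not appear here.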

