olchas commented on issue #9461: URL: https://github.com/apache/airflow/issues/9461#issuecomment-662015775
@mik-laj I am still looking into it. The name suggests that domain-wide delegation only makes sense for G Suite applications (so in terms of Airflow it should only be applied to `GoogleDriveHook` and `GSheetsHook`), but [this article](https://medium.com/google-cloud/impersonating-users-with-google-cloud-platform-service-accounts-ba762db09092) calls it legacy branding and says that it applies to Cloud Identity as well.

I am also still uncertain about how the two impersonation mechanisms can/should work together. As far as I can tell, domain-wide delegation is supposed to be used to impersonate a **user account** using a service account, while direct impersonation can be used to impersonate a **service account** using **either** another service account **or** a user account. So, I can see two scenarios:

1. You start with a service/user account that you use to directly impersonate some service account, which is then used to perform domain-wide delegation on some user.
2. You start by performing domain-wide delegation on some user, and then use this user to impersonate some service account.

However, the `Credentials` class from the [google.auth.impersonated_credentials module](https://google-auth.readthedocs.io/en/latest/reference/google.auth.impersonated_credentials.html) does not have a `with_subject` method, so apparently it is impossible to use a directly impersonated account to perform domain-wide delegation of authority, which renders the first scenario impossible. On the other hand, it seems you can specify the delegate for the source credentials and then use these credentials for direct impersonation as in scenario 2, but I did not have a chance to test it.

@jaketf, @amithmathew, do you perhaps have more insight on the topic?

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: [email protected]
