olchas opened a new issue #10596: URL: https://github.com/apache/airflow/issues/10596
**Description**

`GKEStartPodOperator`, `DataflowCreateJavaJobOperator` and `DataflowCreatePythonJobOperator` do not support [direct impersonation of a service account in Google services](https://cloud.google.com/iam/docs/understanding-service-accounts#directly_impersonating_a_service_account).

**Use case / motivation**

`GKEStartPodOperator`, `DataflowCreateJavaJobOperator` and `DataflowCreatePythonJobOperator`, contrary to other Google operators, do not use the `Credentials` class for authentication, so they require an individual approach to support direct impersonation in them.

In the case of `GKEStartPodOperator` it seems it should suffice to add [`--impersonate-service-account`](https://cloud.google.com/sdk/gcloud/reference#--impersonate-service-account) to the [`gcloud container clusters get-credentials` command](https://github.com/apache/airflow/blob/bb3e45c2509bba760f720d60b008f2f71e1024e2/airflow/providers/google/cloud/operators/kubernetes_engine.py#L324). However, this way we will not be able to use a chain of service accounts, like in the rest of the Google operators.

In the case of `DataflowCreateJavaJobOperator` and `DataflowCreatePythonJobOperator`, some changes in [`provide_gcp_credential_file_as_context`](https://github.com/apache/airflow/blob/master/airflow/providers/google/common/hooks/base_google.py#L396) will probably be needed.

**Related Issues**

https://github.com/apache/airflow/issues/8803
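An added sketch of the `GKEStartPodOperator` idea from the issue above (not code from Airflow or from the issue author): it builds the `gcloud container clusters get-credentials` argument list with `--impersonate-service-account`, and refuses a multi-account chain instead of silently dropping the delegates. The function names, the chain convention (last entry is the target, earlier entries are delegates) and the sample account names are assumptions made for this example.

```python
from typing import List, Optional, Sequence, Tuple, Union

# Hypothetical type for this example: one account, or an ordered chain of accounts.
Chain = Optional[Union[str, Sequence[str]]]


def split_chain(chain: Chain) -> Tuple[Optional[str], List[str]]:
    """Return (target account, delegates) for a chain given as str or sequence.

    Assumed convention: the last entry is the account to impersonate and
    the entries before it are intermediate delegates.
    """
    if not chain:
        return None, []
    if isinstance(chain, str):
        return chain, []
    accounts = list(chain)
    return accounts[-1], accounts[:-1]


def get_credentials_cmd(cluster: str, zone: str, project: str,
                        chain: Chain = None) -> List[str]:
    """Build the argv for `gcloud container clusters get-credentials`.

    An argv list (no shell string) keeps account names from being
    interpreted by a shell when the command is executed.
    """
    cmd = ["gcloud", "container", "clusters", "get-credentials", cluster,
           "--zone", zone, "--project", project]
    target, delegates = split_chain(chain)
    if delegates:
        # This example passes a single account to the flag, as the issue
        # proposes; failing loudly avoids running with fewer hops than asked.
        raise ValueError(
            f"single-account impersonation only; got a chain of {len(delegates) + 1}"
        )
    if target:
        cmd += ["--impersonate-service-account", target]
    return cmd


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    print(get_credentials_cmd("demo-cluster", "europe-west1-b", "demo-project",
                              "sa-target@demo-project.iam.gserviceaccount.com"))
```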
