(nifi) branch main updated: NIFI-15734 Fix GCP PubSub/BigQuery scope for Workload Identity with I… (#11026)

pvillard Fri, 20 Mar 2026 08:43:22 -0700

This is an automated email from the ASF dual-hosted git repository.

pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git



The following commit(s) were added to refs/heads/main by this push:
     new ff1473a8dde NIFI-15734 Fix GCP PubSub/BigQuery scope for Workload 
Identity with I… (#11026)
ff1473a8dde is described below

commit ff1473a8dde419b343d67dd957c1d5cabb7d9766
Author: Shubham Sharma <[email protected]>
AuthorDate: Fri Mar 20 11:43:10 2026 -0400

    NIFI-15734 Fix GCP PubSub/BigQuery scope for Workload Identity with I… 
(#11026)
    
    Changed credential scope from service-specific scopes (pubsub/bigquery) to 
cloud-platform scope to support IAM Credentials API calls required for service 
account impersonation in Workload Identity Federation setups.
---
 .../nifi/processors/gcp/bigquery/AbstractBigQueryProcessor.java       | 4 ++--
 .../java/org/apache/nifi/processors/gcp/drive/FetchGoogleDrive.java   | 4 ++--
 .../java/org/apache/nifi/processors/gcp/drive/ListGoogleDrive.java    | 4 ++--
 .../java/org/apache/nifi/processors/gcp/drive/PutGoogleDrive.java     | 4 ++--
 .../apache/nifi/processors/gcp/pubsub/AbstractGCPubSubProcessor.java  | 4 ++--
 .../main/java/org/apache/nifi/processors/gcp/util/GoogleUtils.java    | 2 --
 6 files changed, 10 insertions(+), 12 deletions(-)

diff --git 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/bigquery/AbstractBigQueryProcessor.java
 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/bigquery/AbstractBigQueryProcessor.java
index d4d48ad28b0..7104d766d2d 100644
--- 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/bigquery/AbstractBigQueryProcessor.java
+++ 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/bigquery/AbstractBigQueryProcessor.java
@@ -46,7 +46,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
-import static 
org.apache.nifi.processors.gcp.util.GoogleUtils.GOOGLE_CLOUD_BIGQUERY_SCOPE;
+import static 
org.apache.nifi.processors.gcp.util.GoogleUtils.GOOGLE_CLOUD_PLATFORM_SCOPE;
 
 /**
  * Base class for creating processors that connect to GCP BiqQuery service
@@ -101,7 +101,7 @@ public abstract class AbstractBigQueryProcessor extends 
AbstractGCPProcessor<Big
 
     @Override
     protected GoogleCredentials getGoogleCredentials(ProcessContext context) {
-        return 
super.getGoogleCredentials(context).createScoped(GOOGLE_CLOUD_BIGQUERY_SCOPE);
+        return 
super.getGoogleCredentials(context).createScoped(GOOGLE_CLOUD_PLATFORM_SCOPE);
     }
 
     @Override
diff --git 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/FetchGoogleDrive.java
 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/FetchGoogleDrive.java
index 3db2d6fd699..bc635a004ef 100644
--- 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/FetchGoogleDrive.java
+++ 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/FetchGoogleDrive.java
@@ -22,7 +22,6 @@ import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.HttpResponse;
 import com.google.api.services.drive.Drive;
-import com.google.api.services.drive.DriveScopes;
 import com.google.api.services.drive.model.File;
 import com.google.api.services.drive.model.User;
 import org.apache.nifi.annotation.behavior.InputRequirement;
@@ -96,6 +95,7 @@ import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.WEB_CON
 import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.WEB_CONTENT_LINK_DESC;
 import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.WEB_VIEW_LINK;
 import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.WEB_VIEW_LINK_DESC;
+import static 
org.apache.nifi.processors.gcp.util.GoogleUtils.GOOGLE_CLOUD_PLATFORM_SCOPE;
 
 @InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
 @Tags({"google", "drive", "storage", "fetch"})
@@ -304,7 +304,7 @@ public class FetchGoogleDrive extends AbstractProcessor 
implements GoogleDriveTr
         driveService = createDriveService(
                 context,
                 new ProxyAwareTransportFactory(proxyConfiguration).create(),
-                DriveScopes.DRIVE, DriveScopes.DRIVE_FILE
+                GOOGLE_CLOUD_PLATFORM_SCOPE
         );
     }
 
diff --git 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/ListGoogleDrive.java
 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/ListGoogleDrive.java
index 3d114555fbc..cf8857c6864 100644
--- 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/ListGoogleDrive.java
+++ 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/ListGoogleDrive.java
@@ -18,7 +18,6 @@ package org.apache.nifi.processors.gcp.drive;
 
 import com.google.api.client.http.HttpTransport;
 import com.google.api.services.drive.Drive;
-import com.google.api.services.drive.DriveScopes;
 import com.google.api.services.drive.model.File;
 import com.google.api.services.drive.model.FileList;
 import com.google.api.services.drive.model.User;
@@ -102,6 +101,7 @@ import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.WEB_CON
 import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.WEB_CONTENT_LINK_DESC;
 import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.WEB_VIEW_LINK;
 import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.WEB_VIEW_LINK_DESC;
+import static 
org.apache.nifi.processors.gcp.util.GoogleUtils.GOOGLE_CLOUD_PLATFORM_SCOPE;
 
 @PrimaryNodeOnly
 @TriggerSerially
@@ -229,7 +229,7 @@ public class ListGoogleDrive extends 
AbstractListProcessor<GoogleDriveFileInfo>
 
         HttpTransport httpTransport = new 
ProxyAwareTransportFactory(proxyConfiguration).create();
 
-        driveService = createDriveService(context, httpTransport, 
DriveScopes.DRIVE, DriveScopes.DRIVE_METADATA_READONLY);
+        driveService = createDriveService(context, httpTransport, 
GOOGLE_CLOUD_PLATFORM_SCOPE);
     }
 
     @Override
diff --git 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/PutGoogleDrive.java
 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/PutGoogleDrive.java
index 581d3e9898d..da7b2a9b699 100644
--- 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/PutGoogleDrive.java
+++ 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/drive/PutGoogleDrive.java
@@ -26,7 +26,6 @@ import com.google.api.client.http.InputStreamContent;
 import com.google.api.client.util.DateTime;
 import com.google.api.services.drive.Drive;
 import com.google.api.services.drive.DriveRequest;
-import com.google.api.services.drive.DriveScopes;
 import com.google.api.services.drive.model.File;
 import com.google.api.services.drive.model.FileList;
 import org.apache.nifi.annotation.behavior.InputRequirement;
@@ -101,6 +100,7 @@ import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.SIZE_DE
 import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.TIMESTAMP;
 import static 
org.apache.nifi.processors.gcp.drive.GoogleDriveAttributes.TIMESTAMP_DESC;
 import static 
org.apache.nifi.processors.gcp.util.GoogleUtils.GCP_CREDENTIALS_PROVIDER_SERVICE;
+import static 
org.apache.nifi.processors.gcp.util.GoogleUtils.GOOGLE_CLOUD_PLATFORM_SCOPE;
 
 @SeeAlso({ListGoogleDrive.class, FetchGoogleDrive.class})
 @InputRequirement(Requirement.INPUT_REQUIRED)
@@ -317,7 +317,7 @@ public class PutGoogleDrive extends AbstractProcessor 
implements GoogleDriveTrai
 
         final HttpTransport httpTransport = new 
ProxyAwareTransportFactory(proxyConfiguration).create();
 
-        driveService = createDriveService(context, httpTransport, 
DriveScopes.DRIVE, DriveScopes.DRIVE_METADATA);
+        driveService = createDriveService(context, httpTransport, 
GOOGLE_CLOUD_PLATFORM_SCOPE);
     }
 
     @Override
diff --git 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/pubsub/AbstractGCPubSubProcessor.java
 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/pubsub/AbstractGCPubSubProcessor.java
index b2daf96a320..45e6cd77fcd 100644
--- 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/pubsub/AbstractGCPubSubProcessor.java
+++ 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/pubsub/AbstractGCPubSubProcessor.java
@@ -44,7 +44,7 @@ import java.util.Collection;
 import java.util.HashSet;
 import java.util.Set;
 
-import static 
org.apache.nifi.processors.gcp.util.GoogleUtils.GOOGLE_CLOUD_PUBSUB_SCOPE;
+import static 
org.apache.nifi.processors.gcp.util.GoogleUtils.GOOGLE_CLOUD_PLATFORM_SCOPE;
 
 public abstract class AbstractGCPubSubProcessor extends AbstractGCPProcessor 
implements VerifiableProcessor {
 
@@ -139,7 +139,7 @@ public abstract class AbstractGCPubSubProcessor extends 
AbstractGCPProcessor imp
 
     @Override
     protected GoogleCredentials getGoogleCredentials(ProcessContext context) {
-        return 
super.getGoogleCredentials(context).createScoped(GOOGLE_CLOUD_PUBSUB_SCOPE);
+        return 
super.getGoogleCredentials(context).createScoped(GOOGLE_CLOUD_PLATFORM_SCOPE);
     }
 
     protected TransportChannelProvider 
getTransportChannelProvider(ProcessContext context) {
diff --git 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/util/GoogleUtils.java
 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/util/GoogleUtils.java
index e9198244da5..f138e277dad 100644
--- 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/util/GoogleUtils.java
+++ 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/util/GoogleUtils.java
@@ -22,8 +22,6 @@ import 
org.apache.nifi.gcp.credentials.service.GCPCredentialsService;
 public class GoogleUtils {
 
     public static final String GOOGLE_CLOUD_PLATFORM_SCOPE = 
"https://www.googleapis.com/auth/cloud-platform";;
-    public static final String GOOGLE_CLOUD_PUBSUB_SCOPE = 
"https://www.googleapis.com/auth/pubsub";;
-    public static final String GOOGLE_CLOUD_BIGQUERY_SCOPE = 
"https://www.googleapis.com/auth/bigquery";;
     public static final String 
OLD_GCP_CREDENTIALS_PROVIDER_SERVICE_PROPERTY_NAME = 
"gcp-credentials-provider-service";
 
     /**

(nifi) branch main updated: NIFI-15734 Fix GCP PubSub/BigQuery scope for Workload Identity with I… (#11026)

Reply via email to