winding-lines commented on code in PR #3541:
URL: https://github.com/apache/arrow-rs/pull/3541#discussion_r1085338917
##########
object_store/src/gcp/mod.rs:
##########
@@ -1098,44 +1083,71 @@ impl GoogleCloudStorageBuilder {
let client = self.client_options.client()?;
- let credentials = match (self.service_account_path,
self.service_account_key) {
- (Some(path), None) => reader_credentials_file(path)?,
- (None, Some(key)) => {
- serde_json::from_str(&key).context(DecodeCredentialsSnafu)?
- }
- (None, None) => return
Err(Error::MissingServiceAccountPathOrKey.into()),
- (Some(_), Some(_)) => {
- return Err(Error::ServiceAccountPathAndKeyProvided.into())
- }
- };
+ // First try to initialize from the service account information.
+ let service_account_credentials =
+ match (self.service_account_path, self.service_account_key) {
+ (Some(path), None) => Some(
+ ServiceAccountCredentials::from_file(path)
+ .context(CredentialSnafu)?,
+ ),
+ (None, Some(key)) => Some(
+
ServiceAccountCredentials::from_key(&key).context(CredentialSnafu)?,
+ ),
+ (None, None) => None,
+ (Some(_), Some(_)) => {
+ return Err(Error::ServiceAccountPathAndKeyProvided.into())
+ }
+ };
+
+ // Then try to initialize from the application credentials file, or
the environment.
+ let application_default_credentials =
ApplicationDefaultCredentials::new(
+ self.application_credentials_path.as_deref(),
+ )
+ .context(CredentialSnafu)?;
+
+ let disable_oauth = service_account_credentials
+ .as_ref()
+ .map(|c| c.disable_oauth)
+ .unwrap_or(false);
+
+ let gcs_base_url = service_account_credentials
+ .as_ref()
+ .map(|c| c.gcs_base_url.clone())
+ .unwrap_or_else(default_gcs_base_url);
// TODO:
https://cloud.google.com/storage/docs/authentication#oauth-scopes
let scope = "https://www.googleapis.com/auth/devstorage.full_control";
- let audience =
"https://www.googleapis.com/oauth2/v4/token".to_string();
-
- let oauth_provider = (!credentials.disable_oauth)
- .then(|| {
- OAuthProvider::new(
- credentials.client_email,
- credentials.private_key,
- scope.to_string(),
- audience,
- )
- })
- .transpose()
- .context(CredentialSnafu)?;
+ let audience = "https://www.googleapis.com/oauth2/v4/token";
+
+ let token_provider = if disable_oauth {
+ None
+ } else {
+ let best_provider = service_account_credentials
+ .map(|credentials| credentials.token_provider(scope, audience))
+ .transpose()
+ .context(CredentialSnafu)?
+ .or_else(|| {
+ application_default_credentials
+ .map(|a| Box::new(a) as Box<dyn TokenProvider>)
+ })
+ .or_else(||
Some(Box::new(InstanceCredentialProvider::new(audience))));
+
+ // A provider is required at this point, bail out if we don't have
one.
+ if best_provider.is_some() {
+ best_provider
+ } else {
+ return Err(Error::MissingCredentials.into());
+ }
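Review bot: The application-default lookup `ApplicationDefaultCredentials::new(...).context(CredentialSnafu)?` runs unconditionally, so an error from it fails the build even when a service account path or key was supplied and would have taken priority. Going by the comment above it, it also consults the credentials file or environment when explicit credentials were given. Resolving the sources lazily in priority order, as sketched below, avoids both and lets the eager `let application_default_credentials = ...` statement be dropped. It also removes the `is_some()` check, whose `MissingCredentials` arm looks unreachable because the final `or_else` always yields `Some`; a short comment should say that an unconfigured builder falls back to the instance metadata provider. The enclosing function and the `else` block continue outside the hunk.

```rust
// … unchanged: service-account match, disable_oauth, gcs_base_url, scope, audience,
//   and the `if disable_oauth { None }` arm …
} else {
    // Explicit service account first, then application default credentials;
    // with neither configured, fall back to the instance metadata provider.
    let provider: Box<dyn TokenProvider> = match service_account_credentials {
        Some(credentials) => credentials
            .token_provider(scope, audience)
            .context(CredentialSnafu)?,
        None => match ApplicationDefaultCredentials::new(
            self.application_credentials_path.as_deref(),
        )
        .context(CredentialSnafu)?
        {
            Some(adc) => Box::new(adc),
            None => Box::new(InstanceCredentialProvider::new(audience)),
        },
    };
    Some(provider)
```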
Review Comment:
Duh :) Thanks