tvalentyn opened a new issue, #32030:
URL: https://github.com/apache/beam/issues/32030

### What happened?

The `--impersonate_service_account` option allows a principal to submit Dataflow jobs on behalf of another account in a delegation chain. This option is used when creating a GCP credential at job submission:
https://github.com/apache/beam/blob/121ac713fa0aaa41bafa1c49acba5e9800a8faee/sdks/python/apache_beam/internal/gcp/auth.py#L184,
and we intentionally remove it from the pipeline options when we send the job to the runner:
https://github.com/apache/beam/blob/121ac713fa0aaa41bafa1c49acba5e9800a8faee/sdks/python/apache_beam/runners/dataflow/internal/apiclient.py#L278-L285
   
However, some Beam IOs might store a copy of the pipeline options, which contains the impersonation credential. When a pipeline with such IOs is serialized in the Runner API representation, and the IO DoFns are deserialized on the runner, we might accidentally capture the `--impersonate_service_account` pipeline option and incorrectly use it at runtime.
   
When this happens, the worker logs might have a line `Impersonating <... service account name ...>` at runtime. Such logs should only be applicable at job submission.
   
Note that creating an impersonated credential might be necessary at job submission for purposes other than submitting a Dataflow job, for example to do pre-submission validations of GCP resources. To this end the PR https://github.com/apache/beam/pull/26662 created a different mechanism to authenticate a BQ client. Unfortunately, it inadvertently caused pipelines using BQ IO to incorrectly execute the impersonation flow at runtime, starting from the Apache Beam Python 2.49.0 SDK.
   
   
   ### Issue Priority
   
   Priority: 2 (default / most bugs should be filed as P2)
   
   ### Issue Components
   
   - [X] Component: Python SDK
   - [ ] Component: Java SDK
   - [ ] Component: Go SDK
   - [ ] Component: Typescript SDK
   - [X] Component: IO connector
   - [ ] Component: Beam YAML
   - [ ] Component: Beam examples
   - [ ] Component: Beam playground
   - [ ] Component: Beam katas
   - [ ] Component: Website
   - [ ] Component: Infrastructure
   - [ ] Component: Spark Runner
   - [ ] Component: Flink Runner
   - [ ] Component: Samza Runner
   - [ ] Component: Twister2 Runner
   - [ ] Component: Hazelcast Jet Runner
   - [ ] Component: Google Cloud Dataflow Runner
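As an added illustration of the failure mode described in this issue (not code from the Beam repository or from the issue author), the plain-Python model below shows how a transform that holds the full options dict carries `impersonate_service_account` through serialization to the worker, while one that strips submission-only options before capture does not; a small helper also flags the runtime `Impersonating ...` worker-log line the issue mentions. The class names, option dict, account name and log lines are constructed for the example, and pickling stands in for Runner API serialization.

```python
import pickle
import re

# Options that must only ever be honoured on the submitting machine,
# never inside a serialized transform that runs on the worker.
SUBMISSION_ONLY_OPTIONS = frozenset({"impersonate_service_account"})


def strip_submission_only_options(options: dict) -> dict:
    """Return a copy of the options with submission-only entries removed."""
    return {k: v for k, v in options.items() if k not in SUBMISSION_ONLY_OPTIONS}


class LeakyIO:
    """Models an IO that keeps the full options dict (the bug pattern)."""
    def __init__(self, options: dict):
        self.options = options


class SafeIO:
    """Models an IO that only captures options that are safe to ship."""
    def __init__(self, options: dict):
        self.options = strip_submission_only_options(options)


def options_seen_by_worker(transform) -> dict:
    """Round-trip through pickle (standing in for Runner API serialization)
    and return what the deserialized transform would see at runtime."""
    return pickle.loads(pickle.dumps(transform)).options


def leaks_impersonation(transform) -> bool:
    """True if the worker-side copy still carries the impersonation option."""
    return "impersonate_service_account" in options_seen_by_worker(transform)


# Matches the log message quoted in the issue; constructed pattern, not Beam's.
RUNTIME_IMPERSONATION_RE = re.compile(r"\bImpersonating\s+\S+")


def runtime_impersonation_lines(worker_log_lines) -> list:
    """Return worker log lines showing the impersonation flow ran at runtime."""
    return [line for line in worker_log_lines if RUNTIME_IMPERSONATION_RE.search(line)]


if __name__ == "__main__":
    # Constructed sample options; the account name is a placeholder.
    opts = {"project": "my-project", "region": "us-central1",
            "impersonate_service_account": "sa-placeholder@example.iam.gserviceaccount.com"}
    print(leaks_impersonation(LeakyIO(opts)))  # True
    print(leaks_impersonation(SafeIO(opts)))   # False
    logs = ["Starting worker", "Impersonating sa-placeholder@example.iam.gserviceaccount.com"]
    print(runtime_impersonation_lines(logs))   # the second line only
```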

