[jira] [Work logged] (BEAM-12641) Support GCP auth using custom token URIs

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/BEAM-12641?focusedWorklogId=645046&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-645046
 ]

ASF GitHub Bot logged work on BEAM-12641:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 01/Sep/21 09:30
            Start Date: 01/Sep/21 09:30
    Worklog Time Spent: 10m 
      Work Description: chunyang commented on a change in pull request #15004:
URL: https://github.com/apache/beam/pull/15004#discussion_r699685121



##########
File path: sdks/python/apache_beam/internal/gcp/auth.py
##########
@@ -115,29 +131,32 @@ def get_service_credentials(cls):
 
   @staticmethod
   def _get_service_credentials():
-    if is_running_in_gce:
-      # We are currently running as a GCE taskrunner worker.
-      return _GceAssertionCredentials(user_agent='beam-python-sdk/1.0')

Review comment:
       Thanks for the review @tvalentyn. My understanding is that the 
`google.auth.default()` call in [line 
151](https://github.com/apache/beam/pull/15004/files#diff-21a78a52eca0c898070d58302127a9bb5cdb5de512ec16b9b3d945e0b84b694cR151)
 will attempt to find credentials on GCE VMs using the instance Metadata Server 
so we don't need a special case within the Beam code. Is this something we can 
check via the existing integration tests?
   
   
https://github.com/googleapis/google-auth-library-python/blob/08c987d0215c9d3e230efe5b7c13e6b8197267bc/google/auth/_default.py#L386-L389




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscr...@beam.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 645046)
    Time Spent: 3h 10m  (was: 3h)

> Support GCP auth using custom token URIs
> ----------------------------------------
>
>                 Key: BEAM-12641
>                 URL: https://issues.apache.org/jira/browse/BEAM-12641
>             Project: Beam
>          Issue Type: Improvement
>          Components: sdk-py-core
>            Reporter: Chun Yang
>            Assignee: Chun Yang
>            Priority: P3
>              Labels: auth, gcp, python
>          Time Spent: 3h 10m
>  Remaining Estimate: 0h
>
> Feature request: Allow authenticating to GCP with service account credentials 
> that use a custom token URI.
> {quote}We use the {{service_account}} credential type. Older versions 
> (oauth2client) supported this type, BUT they only supported using google 
> endpoints for issuing credentials, where we use a custom {{token_uri}} to 
> issue credentials. New versions (google-auth) will reference our custom 
> {{token_uri}}.{quote}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)