Stephen Reichling created BEAM-1070:
---------------------------------------

             Summary: Service Account Based Authentication Broken
                 Key: BEAM-1070
                 URL: https://issues.apache.org/jira/browse/BEAM-1070
             Project: Beam
          Issue Type: Bug
          Components: sdk-py
         Environment: CentOS Linux release 7.1.1503 (Core)
                      Python 2.7.5
            Reporter: Stephen Reichling
            Assignee: Frances Perry
            Priority: Critical

{{sdks/python/apache_beam/internal/auth.py}} calls into the {{oauth2client.service_account.ServiceAccountCredentials.from_p12_keyfile}} method with invalid and incorrectly-ordered parameters. Compare the [function signature of ServiceAccountCredentials.from_p12_keyfile|https://github.com/google/oauth2client/blob/ae73312942d3cf0e98f097dfbb40f136c2a7c463/oauth2client/service_account.py#L300-L303] with [how it is invoked|https://github.com/apache/incubator-beam/blob/9ded359daefc6040d61a1f33c77563474fcb09b6/sdks/python/apache_beam/internal/auth.py#L150-L154].

This causes a runtime error when one attempts to use a service account to authenticate with the Google Dataflow APIs.

The specific problems are:
- the {{client_scopes}} variable (a list) is passed as a positional parameter where the function signature expects the {{private_key_password}} parameter (a string).
- a keyed parameter, {{user_agent}}, is passed but no such parameter is defined in the function signature.
- no value is provided for {{private_key_password}}. All p12 key files for service accounts issued by Google Cloud have the password {{notasecret}} as documented [here|https://support.google.com/cloud/answer/6158849?hl=en#serviceaccounts], so it's currently not possible to use a Google-issued p12 key file with this implementation.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
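The mismatch listed in the report can be caught before the call is ever made by binding the arguments against the callee's signature. The following is an added example, not code from Beam, oauth2client or the reporter: {{from_p12_keyfile}} here is a stand-in that only mirrors the parameter order the report describes, and {{audit_call}}, the sample e-mail address, key file name, scope and user agent are hypothetical.

```python
import inspect

# Stand-in with the parameter order the report describes (assumption: it is
# not the oauth2client function and reads no key file; it echoes its inputs).
def from_p12_keyfile(service_account_email, filename,
                     private_key_password=None, scopes=''):
    return {'email': service_account_email, 'keyfile': filename,
            'password': private_key_password, 'scopes': scopes}

# Per the report, private_key_password must be a string.
EXPECTED_TYPES = {'private_key_password': str}

def audit_call(func, args, kwargs, expected_types=EXPECTED_TYPES):
    """List the problems a call would have, without making the call."""
    sig = inspect.signature(func)
    problems = ['unexpected keyword: %s' % k
                for k in sorted(kwargs) if k not in sig.parameters]
    accepted = {k: v for k, v in kwargs.items() if k in sig.parameters}
    try:
        bound = sig.bind(*args, **accepted)
    except TypeError as exc:  # too many positionals, missing required, ...
        return problems + [str(exc)]
    for name, typ in sorted(expected_types.items()):
        if name not in bound.arguments:
            problems.append('no value supplied: %s' % name)
        elif not isinstance(bound.arguments[name], typ):
            problems.append('%s is %s, expected %s' % (
                name, type(bound.arguments[name]).__name__, typ.__name__))
    return problems

# Constructed sample values; none of them come from the report.
EMAIL, KEYFILE = 'svc@example.invalid', 'key.p12'
SCOPES = ['https://example.invalid/scope']

def reported_call():
    # Shape of the call as the report describes it.
    return audit_call(from_p12_keyfile, (EMAIL, KEYFILE, SCOPES),
                      {'user_agent': 'ua-placeholder'})

def corrected_call():
    # One possible correction (assumption): name every optional argument.
    return audit_call(from_p12_keyfile, (EMAIL, KEYFILE),
                      {'private_key_password': 'notasecret', 'scopes': SCOPES})

if __name__ == '__main__':
    print(reported_call())
    print(corrected_call())
```

Passing the optional arguments by keyword, as in {{corrected_call}}, keeps a list of scopes from landing in the password slot if the parameter order changes again.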