You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2019/05/06 13:24:00 UTC

[jira] [Commented] (AIRFLOW-2522) Cannot use GOOGLE_APPLICATION_CREDENTIALS to authenticate for GCP connections

    [ https://issues.apache.org/jira/browse/AIRFLOW-2522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16833819#comment-16833819 ] 

ASF subversion and git services commented on AIRFLOW-2522:
----------------------------------------------------------

Commit 26fdd902731d70770e3498a2d2112d025e45553b in airflow's branch refs/heads/master from OmerJog
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=26fdd90 ]

[AIRFLOW-XXX] Remove incorrect note about Scopes of GCP connection (#5242)

The issue raised in https://issues.apache.org/jira/browse/AIRFLOW-2522 was resolved.
Scope is not ignored when default credentials are used. This note should be deleted.

Scope is read in:
https://github.com/apache/airflow/blob/master/airflow/contrib/hooks/gcp_api_base_hook.py#L88-L92
When default credentails is used, then this code is used:
https://github.com/apache/airflow/blob/master/airflow/contrib/hooks/gcp_api_base_hook.py#L94-L97
so scope is passed to the external library.

> Cannot use GOOGLE_APPLICATION_CREDENTIALS to authenticate for GCP connections
> -----------------------------------------------------------------------------
>
>                 Key: AIRFLOW-2522
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2522
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: contrib
>            Reporter: Tim Swast
>            Assignee: Tim Swast
>            Priority: Major
>             Fix For: 1.10.0, 2.0.0
>
>
> If you try to use the GOOGLE_APPLICATION_CREDENTIALS environment variable with a service account key to authenticate to Google Cloud, as described at [https://cloud.google.com/docs/authentication/production] you get an error "HttpAccessTokenRefreshError: invalid_scope: Empty or missing scope not allowed."
> This error occurs even if you fill in the scope field of the GCP connection.
> The root cause is that scopes are ignored by the GCP hook when using application default credentials. They should not be ignored when the default credentials are using a service account. (And probably shouldn't be ignored at all, preferring an error when scopes are filled in but don't apply to the credential type)
> I'll try to fix this while I'm working on https://issues.apache.org/jira/projects/AIRFLOW/issues/AIRFLOW-2512.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)