Posted to commits@airflow.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2019/05/06 13:24:00 UTC
[jira] [Commented] (AIRFLOW-2522) Cannot use GOOGLE_APPLICATION_CREDENTIALS to authenticate for GCP connections
[ https://issues.apache.org/jira/browse/AIRFLOW-2522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16833819#comment-16833819 ]
ASF subversion and git services commented on AIRFLOW-2522:
----------------------------------------------------------
Commit 26fdd902731d70770e3498a2d2112d025e45553b in airflow's branch refs/heads/master from OmerJog
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=26fdd90 ]
[AIRFLOW-XXX] Remove incorrect note about Scopes of GCP connection (#5242)
The issue raised in https://issues.apache.org/jira/browse/AIRFLOW-2522 was resolved.
Scope is not ignored when default credentials are used. This note should be deleted.
Scope is read in:
https://github.com/apache/airflow/blob/master/airflow/contrib/hooks/gcp_api_base_hook.py#L88-L92
When default credentials are used, then this code is used:
https://github.com/apache/airflow/blob/master/airflow/contrib/hooks/gcp_api_base_hook.py#L94-L97
so scope is passed to the external library.
> Cannot use GOOGLE_APPLICATION_CREDENTIALS to authenticate for GCP connections
> -----------------------------------------------------------------------------
>
> Key: AIRFLOW-2522
> URL: https://issues.apache.org/jira/browse/AIRFLOW-2522
> Project: Apache Airflow
> Issue Type: Bug
> Components: contrib
> Reporter: Tim Swast
> Assignee: Tim Swast
> Priority: Major
> Fix For: 1.10.0, 2.0.0
>
>
> If you try to use the GOOGLE_APPLICATION_CREDENTIALS environment variable with a service account key to authenticate to Google Cloud, as described at [https://cloud.google.com/docs/authentication/production] you get an error "HttpAccessTokenRefreshError: invalid_scope: Empty or missing scope not allowed."
> This error occurs even if you fill in the scope field of the GCP connection.
> The root cause is that scopes are ignored by the GCP hook when using application default credentials. They should not be ignored when the default credentials are using a service account. (And probably shouldn't be ignored at all, preferring an error when scopes are filled in but don't apply to the credential type)
> I'll try to fix this while I'm working on https://issues.apache.org/jira/projects/AIRFLOW/issues/AIRFLOW-2512.