Refactor GS authentication to use default credentials #514
Conversation
…torage client This enables federated identity Updates HISTORY.md
|
Thanks for the patience @ljyanesm. I am wondering if this logic works: # don't check `GOOGLE_APPLICATION_CREDENTIALS` since `google_default_auth` already does that
# use explicit client
if storage_client is not None:
self.client = storage_client
# use explicit credentials
elif credentials is not None:
self.client = StorageClient(credentials=credentials, project=project)
# use explicit credential file
elif application_credentials is not None:
self.client = StorageClient.from_service_account_json(application_credentials)
# use default credentials based on SDK precedence
else:
try:
# use `google_default_auth` instead of `StorageClient()` since it
# handles precedence of creds in different locations properly
credentials, default_project = google_default_auth()
project = project or default_project # use explicit project if present
self.client = StorageClient(credentials=credentials, project=project)
except DefaultCredentialsError:
self.client = StorageClient.create_anonymous_client()Also, can we update the docstring with whatever the precedence method we implement is and links to the google docs that explain what the SDK does? |
|
Thanks @pjbull, just checked identity federation auth is working as well as key based auth. |
Codecov Report❌ Patch coverage is
❌ Your patch status has failed because the patch coverage (50.0%) is below the target coverage (80.0%). You can increase the patch coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## 514-local #514 +/- ##
===========================================
- Coverage 93.4% 92.3% -1.1%
===========================================
Files 23 23
Lines 1800 1801 +1
===========================================
- Hits 1682 1664 -18
- Misses 118 137 +19
🚀 New features to boost your workflow:
|
|
@ljyanesm Not sure yet, but first look at failing tests suggests we may need to mock an additional part of the Google SDK to make the mocked tests work. If you can repro locally and take a look that'd be great. |
I've tried to repro matching the python version (3.13), but could not get a repro locally. In fact, locally only |
|
@ljyanesm New method is too smart! In order to repro, I needed to:
After doing that on MacOS with Python 3.13 I get the same error as the test suite. I don't have the time to look into a fix quite yet, but maybe this could unblock you to investigate. Thanks! |
|
Merging into a local branch to finish this PR |
* Refactor authentication to use default credentials for Google Cloud Storage client This enables federated identity Updates HISTORY.md * Keeps same functionality for API whilst enhancing the env var alternative * Simplifies credential handling logic, and updates docstring * Updates HISTORY.md --------- Co-authored-by: ljyanesm <[email protected]>
* Refactor GS authentication to use default credentials (#514) * Refactor authentication to use default credentials for Google Cloud Storage client This enables federated identity Updates HISTORY.md * Keeps same functionality for API whilst enhancing the env var alternative * Simplifies credential handling logic, and updates docstring * Updates HISTORY.md --------- Co-authored-by: ljyanesm <[email protected]> * bonus: test fixes and docs * Mock default auth * fix history --------- Co-authored-by: Luis Yanes <[email protected]> Co-authored-by: ljyanesm <[email protected]>
This enables federated identity, there's a caveat to this PR which the maintainers may want to be aware of around the validation of the
GOOGLE_APPLICATION_CREDENTIALS.See https://cloud.google.com/docs/authentication/client-libraries#validate_other_credential_configurations for further details.
Closes #390
Contributor checklist:
CONTRIBUTING.mdCloses #issueappears in the PR summary (e.g.,Closes #123).HISTORY.mdwith the issue that is addressed and the PR you are submitting. If the top section is not `## UNRELEASED``, then you need to add a new section to the top of the document for your change.