Pull Request Overview
This PR adds support for Earth Engine service account authentication via the EE_SERVICE_ACCOUNT environment variable, providing an alternative authentication method to the existing token-based and interactive authentication modes.
Key changes:
- Adds service account authentication flow that parses JSON credentials from EE_SERVICE_ACCOUNT environment variable
- Extracts client_email from the service account JSON and initializes Earth Engine with service account credentials
- Positions this authentication method as the first priority in the authentication chain (checked before token-based auth)
| try: | ||
| email = json.loads(key_data)["client_email"] | ||
| except json.JSONDecodeError as e: | ||
| raise ValueError(f"Invalid JSON for key_data: {e}") |
The error message references key_data which is an internal variable name. For better user experience, consider referencing the environment variable name instead: "Invalid JSON in EE_SERVICE_ACCOUNT environment variable: {e}"
| raise ValueError(f"Invalid JSON for key_data: {e}") | |
| raise ValueError(f"Invalid JSON in EE_SERVICE_ACCOUNT environment variable: {e}") |
| except json.JSONDecodeError as e: | ||
| raise ValueError(f"Invalid JSON for key_data: {e}") | ||
| except KeyError: | ||
| raise ValueError("key_data JSON does not contain 'client_email'") |
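Review bot: the two handlers shown here, json.JSONDecodeError and KeyError, do not cover input that is valid JSON but not an object. With EE_SERVICE_ACCOUNT set to something like [] or a quoted string, the json.loads(key_data)["client_email"] subscript in the try body raises TypeError, which escapes as a raw traceback instead of the ValueError the other malformed cases produce. Suggest checking that the parsed value is a dict before subscripting, or adding TypeError to the except KeyError clause.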
The error message references key_data which is an internal variable name. For better user experience, consider referencing the environment variable name instead: "EE_SERVICE_ACCOUNT JSON does not contain 'client_email'"
| raise ValueError("key_data JSON does not contain 'client_email'") | |
| raise ValueError("EE_SERVICE_ACCOUNT JSON does not contain 'client_email'") |
| except KeyError: | ||
| raise ValueError("key_data JSON does not contain 'client_email'") | ||
| credentials = ee.ServiceAccountCredentials(email=email, key_data=key_data) | ||
| ee.Initialize(credentials) |
The ee.Initialize() call doesn't pass the **kwargs parameter, unlike the other authentication paths (e.g., line 106). This means users cannot pass additional parameters like opt_url for the High-Volume platform when using service account authentication. Consider changing to ee.Initialize(credentials, **kwargs) for consistency.
| ee.Initialize(credentials) | |
| ee.Initialize(credentials, **kwargs) |
| if get_env_var("EE_SERVICE_ACCOUNT") is not None: | ||
|
|
||
| key_data = get_env_var("EE_SERVICE_ACCOUNT") | ||
|
|
The variable key_data is redundantly assigned. Line 79 already checks that get_env_var("EE_SERVICE_ACCOUNT") is not None, so the result can be stored directly without calling get_env_var again. Consider storing it in a variable on line 79 to avoid the duplicate call.
| if get_env_var("EE_SERVICE_ACCOUNT") is not None: | |
| key_data = get_env_var("EE_SERVICE_ACCOUNT") | |
| key_data = get_env_var("EE_SERVICE_ACCOUNT") | |
| if key_data is not None: |
|
Fix #2234
This PR adds support for EE service account authentication via the EE_SERVICE_ACCOUNT environment variable, resolving the EE token expiration issue for EE web apps.
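
An added example, not code from this PR or the project: one way to validate the EE_SERVICE_ACCOUNT value before it reaches ee.ServiceAccountCredentials, going beyond the PR by rejecting non-object JSON and keeping key material out of error messages. The helper name `parse_service_account` and the sample key are hypothetical; `type`, `client_email` and `private_key` are assumed to be present as in a standard Google service-account key file.

```python
import json

REQUIRED_FIELDS = ("client_email", "private_key")  # standard key-file fields

# Constructed sample key with placeholder values, not a real credential.
SAMPLE = json.dumps({
    "type": "service_account",
    "client_email": "demo@example-project.iam.gserviceaccount.com",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
})


def parse_service_account(raw, source="EE_SERVICE_ACCOUNT"):
    """Validate service-account JSON text and return its client_email.

    Hypothetical helper. Errors name the variable and the failing field,
    never the raw value, because that value contains a private key.
    """
    if raw is None or not raw.strip():
        raise ValueError(f"{source} is unset or empty")
    try:
        info = json.loads(raw)
    except json.JSONDecodeError as e:
        # Report the position only; e.doc holds the full input, key included.
        raise ValueError(
            f"Invalid JSON in {source} (line {e.lineno}, column {e.colno})"
        ) from None
    if not isinstance(info, dict):
        # Valid JSON such as [] or "x" would make info["client_email"]
        # raise TypeError instead of a clear error.
        raise ValueError(f"{source} must contain a JSON object")
    if info.get("type") != "service_account":
        raise ValueError(f"{source} 'type' is not 'service_account'")
    for field in REQUIRED_FIELDS:
        value = info.get(field)
        if not isinstance(value, str) or not value:
            raise ValueError(f"{source} JSON does not contain '{field}'")
    return info["client_email"]


if __name__ == "__main__":
    print(parse_service_account(SAMPLE))
```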