Skip to content

Add Impersonate Service Account argument#2015

Open
wintermi wants to merge 10 commits into
dataform-co:mainfrom
Conundrm:main
Open

Add Impersonate Service Account argument#2015
wintermi wants to merge 10 commits into
dataform-co:mainfrom
Conundrm:main

Conversation

@wintermi

Copy link
Copy Markdown

This PR adds an --impersonate-service-account argument to the run and test commands, along with the required changes to allow for the impersonation of service accounts without the need to change ADC or call gcloud

This would resolve issue #2000 and would be an alternative to solution than PR #2001

Impersonation could then be achieved by executing:

dataform run --impersonate-service-account=<sSERVICE_ACCT_EMAIL>

@wintermi wintermi requested a review from a team as a code owner September 11, 2025 06:43
@wintermi wintermi requested review from Ceridan and removed request for a team September 11, 2025 06:43
@google-cla

google-cla Bot commented Sep 11, 2025

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@camilleAmaury

Copy link
Copy Markdown

+1, this would enable to use impersonation in CI rather than giving the rights directly to the CI service account.
There is no way to workaround that currently.

@kolina

kolina commented Nov 11, 2025

Copy link
Copy Markdown
Contributor

/gcbrun

@Ceridan Ceridan requested review from kolina and removed request for Ceridan November 13, 2025 09:15
@kolina

kolina commented Nov 13, 2025

Copy link
Copy Markdown
Contributor

Sorry for the late review. A couple of things:

  • Integration tests are failing, can you take a look at fixing them? Now we have a guide of running them locally
  • Let's resolve conflicts

Comment thread cli/api/dbadapters/bigquery.ts Outdated
Comment thread cli/api/dbadapters/bigquery.ts Outdated
Comment thread cli/api/dbadapters/bigquery.ts Outdated
clientConfig.authClient = new Impersonated({
sourceClient: authClient,
targetPrincipal: this.bigQueryCredentials.impersonateServiceAccount,
targetScopes: ['https://www.googleapis.com/auth/cloud-platform']

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EXTRA_GOOGLE_SCOPES?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what you would like done here?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean using EXTRA_GOOGLE_SCOPES here instead of hard-coding

@kolina

kolina commented Jan 2, 2026

Copy link
Copy Markdown
Contributor

@wintermi, in the current version tests are failing due to linter checks: output

You can check errors using this lint script.

@wintermi

wintermi commented Jan 5, 2026

Copy link
Copy Markdown
Author

Resynced the PR with the latest commit

@wintermi

wintermi commented Jan 5, 2026

Copy link
Copy Markdown
Author

@wintermi, in the current version tests are failing due to linter checks: output

You can check errors using this lint script.

Fixed the linter issues

@wintermi

wintermi commented Jan 5, 2026

Copy link
Copy Markdown
Author

@kolina ready for retesting, thanks

@wintermi wintermi requested a review from kolina January 7, 2026 05:35
@kolina

kolina commented Jan 7, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

Comment thread cli/api/dbadapters/bigquery.ts Outdated
clientConfig.authClient = new Impersonated({
sourceClient: authClient,
targetPrincipal: this.bigQueryCredentials.impersonateServiceAccount,
targetScopes: ['https://www.googleapis.com/auth/cloud-platform']

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean using EXTRA_GOOGLE_SCOPES here instead of hard-coding

Comment thread cli/api/dbadapters/bigquery.ts
@wintermi

Copy link
Copy Markdown
Author

I removed the parse-duration dependency to avoid CVE-2025-25283
Moving to the parse-duration@2.1.3 seemed a far bigger change than necessary.

@wintermi

Copy link
Copy Markdown
Author

I added a IMPERSONATION_GOOGLE_SCOPES as the EXTRA_GOOGLE_SCOPES only mention drive.

@wintermi wintermi requested a review from kolina April 10, 2026 01:09
Comment thread cli/api/dbadapters/bigquery.ts Outdated
Comment thread cli/api/dbadapters/bigquery.ts Outdated
Comment thread cli/api/dbadapters/bigquery.ts Outdated
Comment thread cli/index.ts
getCredentialsPath(argv[projectDirOption.name], argv[credentialsOption.name])
);
if (argv[impersonateServiceAccountOption.name]) {
(readCredentials as any).impersonateServiceAccount =

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we extend dataform.IBigQuery with your new option to avoid dynamic casts breaking static typing?

Comment thread cli/util.ts
return `${value} ${units[i]}`;
}

const DURATION_UNITS_IN_MILLIS: { [unit: string]: number } = {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please elaborate about the effort to avoid it and upgrade parse-duration dependency?

Comment thread cli/api/dbadapters/bigquery.ts Outdated
Comment thread cli/util.ts Outdated
wintermi added 7 commits June 17, 2026 15:23
…st' commands and the required changes to allow for the impersonation of service accounts without the need to change ADC
…st' commands and the required changes to allow for the impersonation of service accounts without the need to change ADC
Replace regex-based parseCliDuration with manual character parsing.
Add build.sh to package CLI/core artifacts for hephaestus-worker-base.
Fix malformed mkdirp integrity entry in yarn.lock.
@kolina

kolina commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

@kolina kolina left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One of the tests started to time out for some reason

Step #1: //cli/api:dbadapters/bigquery_test                                       FAILED in 61.1s
Step #1: //testing:index_test                                                     PASSED in 0.9s
Step #1: //sqlx:lexer_test                                                        PASSED in 0.5s
Step #1: //sqlx:format_test                                                       PASSED in 0.8s
Step #1: //examples:examples_test                                                 PASSED in 3.2s
Step #1: //core:utils_test                                                        PASSED in 0.6s
Step #1: //core:main_test                                                         PASSED in 36.5s
Step #1: //core:jit_context_test                                                  PASSED in 0.7s
Step #1: //core:jit_compiler_test                                                 PASSED in 0.7s
Step #1: //core:compilers_test                                                    PASSED in 0.6s
Step #1: //core:actions/view_test                                                 PASSED in 8.9s
Step #1: //core:actions/test_test                                                 PASSED in 4.6s
Step #1: //core:actions/table_test                                                PASSED in 24.8s
Step #1: //core:actions/operation_test                                            PASSED in 7.9s
Step #1: //core:actions/notebook_test                                             PASSED in 5.0s
Step #1: //core:actions/index_test                                                PASSED in 5.4s
Step #1: //core:actions/incremental_table_test                                    PASSED in 29.1s
Step #1: //core:actions/filename_override_test                                    PASSED in 7.5s
Step #1: //core:actions/declaration_test                                          PASSED in 9.6s
Step #1: //core:actions/data_preparation_test                                     PASSED in 6.5s
Step #1: //core:actions/assertion_test                                            PASSED in 32.5s
Step #1: //common/strings:stringifier.spec                                        PASSED in 1.1s
Step #1: //common/protos:index_test                                               PASSED in 0.7s
Step #1: //common/protos:build_test                                               PASSED in 0.2s
Step #1: //common/promises:index.spec                                             PASSED in 2.9s
Step #1: //common/flags:build_test                                                PASSED in 0.3s
Step #1: //common/errors:errors.spec                                              PASSED in 0.9s
Step #1: //cli/api:utils_test                                                     PASSED in 0.8s
Step #1: //cli/api:execution_sql_test                                             PASSED in 0.7s
Step #1: //cli/api:commands/jit/rpc_test                                          PASSED in 0.7s
Step #1: //cli:util_test                                                          PASSED in 0.8s
Step #1: //cli:index_run_e2e_test                                                 PASSED in 62.8s
Step #1: //cli:index_project_test                                                 PASSED in 6.2s
Step #1: //cli:index_init_test                                                    PASSED in 4.3s
Step #1: //cli:index_help_test                                                    PASSED in 5.2s
Step #1: //cli:index_compile_test                                                 PASSED in 11.5s
Step #1: INFO: 
Step #1: INFO: Build completed, 1 test FAILED, 524 total actions
Step #1: INFO: 524 processes: 368 internal, 103 linux-sandbox, 1 local, 52 worker.
Step #1: INFO: Elapsed time: 123.997s, Critical Path: 99.81s
Step #1: INFO: Found 36 test targets...
Step #1: [523 / 524] 35 / 36 tests, 1 failed; Testing //cli:index_run_e2e_test; 63s linux-sandbox
Step #1: [523 / 524] 35 / 36 tests, 1 failed; Testing //cli:index_run_e2e_test; 61s linux-sandbox
Step #1: [523 / 524] 35 / 36 tests, 1 failed; Testing //cli:index_run_e2e_test; 51s linux-sandbox
Step #1: ================================================================================
Step #1: Tests failed.
Step #1: 
Step #1: BigQueryDbAdapter > setMetadata correctly maps column descriptions       PASSED
Step #1: BigQueryDbAdapter > setMetadata handles action without columns           PASSED
Step #1: 
Step #1:         at processTimers (node:internal/timers:541:7)
Step #1:         at listOnTimeout (node:internal/timers:605:17)
Step #1:         at Timeout.<anonymous> (testing/test.ts:85:22)
Step #1:     Error: Timed out (30000ms).
Step #1: 
Step #1:                                                                         TIMEOUT
Step #1: BigQueryDbAdapter > tables() without schema lists all datasets and tables
Step #1: 
Step #1:         at processTimers (node:internal/timers:541:7)
Step #1:         at listOnTimeout (node:internal/timers:605:17)
Step #1:         at Timeout.<anonymous> (testing/test.ts:85:22)
Step #1:     Error: Timed out (30000ms).
Step #1: 
Step #1: BigQueryDbAdapter > tables() with schema filters correctly              TIMEOUT

projectId = projectId || credentials.projectId;
if (!clients.has(projectId)) {
clients.set(
const clientConfig: any = {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BigQueryOptions instead of any?

const clientConfig: any = {
projectId,
new BigQuery({
scopes: EXTRA_GOOGLE_SCOPES,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are projectId and scopes here used by the auth library if you ovewrite authClient? If they're not used in this case, I'd only set them in else branch below

Comment thread build.sh
@@ -0,0 +1,12 @@
#!/bin/bash

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non-intended diff?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants