Add Impersonate Service Account argument#2015
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
+1, this would enable to use impersonation in CI rather than giving the rights directly to the CI service account. |
|
/gcbrun |
| clientConfig.authClient = new Impersonated({ | ||
| sourceClient: authClient, | ||
| targetPrincipal: this.bigQueryCredentials.impersonateServiceAccount, | ||
| targetScopes: ['https://www.googleapis.com/auth/cloud-platform'] |
There was a problem hiding this comment.
Not sure what you would like done here?
There was a problem hiding this comment.
I mean using EXTRA_GOOGLE_SCOPES here instead of hard-coding
|
@wintermi, in the current version tests are failing due to linter checks: output You can check errors using this lint script. |
|
Resynced the PR with the latest commit |
Fixed the linter issues |
|
@kolina ready for retesting, thanks |
|
/gcbrun |
| clientConfig.authClient = new Impersonated({ | ||
| sourceClient: authClient, | ||
| targetPrincipal: this.bigQueryCredentials.impersonateServiceAccount, | ||
| targetScopes: ['https://www.googleapis.com/auth/cloud-platform'] |
There was a problem hiding this comment.
I mean using EXTRA_GOOGLE_SCOPES here instead of hard-coding
|
I removed the |
|
I added a IMPERSONATION_GOOGLE_SCOPES as the EXTRA_GOOGLE_SCOPES only mention drive. |
| getCredentialsPath(argv[projectDirOption.name], argv[credentialsOption.name]) | ||
| ); | ||
| if (argv[impersonateServiceAccountOption.name]) { | ||
| (readCredentials as any).impersonateServiceAccount = |
There was a problem hiding this comment.
Can we extend dataform.IBigQuery with your new option to avoid dynamic casts breaking static typing?
| return `${value} ${units[i]}`; | ||
| } | ||
|
|
||
| const DURATION_UNITS_IN_MILLIS: { [unit: string]: number } = { |
There was a problem hiding this comment.
Can you please elaborate about the effort to avoid it and upgrade parse-duration dependency?
…st' commands and the required changes to allow for the impersonation of service accounts without the need to change ADC
…st' commands and the required changes to allow for the impersonation of service accounts without the need to change ADC
Replace regex-based parseCliDuration with manual character parsing. Add build.sh to package CLI/core artifacts for hephaestus-worker-base. Fix malformed mkdirp integrity entry in yarn.lock.
|
/gcbrun |
kolina
left a comment
There was a problem hiding this comment.
One of the tests started to time out for some reason
Step #1: //cli/api:dbadapters/bigquery_test FAILED in 61.1s
Step #1: //testing:index_test PASSED in 0.9s
Step #1: //sqlx:lexer_test PASSED in 0.5s
Step #1: //sqlx:format_test PASSED in 0.8s
Step #1: //examples:examples_test PASSED in 3.2s
Step #1: //core:utils_test PASSED in 0.6s
Step #1: //core:main_test PASSED in 36.5s
Step #1: //core:jit_context_test PASSED in 0.7s
Step #1: //core:jit_compiler_test PASSED in 0.7s
Step #1: //core:compilers_test PASSED in 0.6s
Step #1: //core:actions/view_test PASSED in 8.9s
Step #1: //core:actions/test_test PASSED in 4.6s
Step #1: //core:actions/table_test PASSED in 24.8s
Step #1: //core:actions/operation_test PASSED in 7.9s
Step #1: //core:actions/notebook_test PASSED in 5.0s
Step #1: //core:actions/index_test PASSED in 5.4s
Step #1: //core:actions/incremental_table_test PASSED in 29.1s
Step #1: //core:actions/filename_override_test PASSED in 7.5s
Step #1: //core:actions/declaration_test PASSED in 9.6s
Step #1: //core:actions/data_preparation_test PASSED in 6.5s
Step #1: //core:actions/assertion_test PASSED in 32.5s
Step #1: //common/strings:stringifier.spec PASSED in 1.1s
Step #1: //common/protos:index_test PASSED in 0.7s
Step #1: //common/protos:build_test PASSED in 0.2s
Step #1: //common/promises:index.spec PASSED in 2.9s
Step #1: //common/flags:build_test PASSED in 0.3s
Step #1: //common/errors:errors.spec PASSED in 0.9s
Step #1: //cli/api:utils_test PASSED in 0.8s
Step #1: //cli/api:execution_sql_test PASSED in 0.7s
Step #1: //cli/api:commands/jit/rpc_test PASSED in 0.7s
Step #1: //cli:util_test PASSED in 0.8s
Step #1: //cli:index_run_e2e_test PASSED in 62.8s
Step #1: //cli:index_project_test PASSED in 6.2s
Step #1: //cli:index_init_test PASSED in 4.3s
Step #1: //cli:index_help_test PASSED in 5.2s
Step #1: //cli:index_compile_test PASSED in 11.5s
Step #1: INFO:
Step #1: INFO: Build completed, 1 test FAILED, 524 total actions
Step #1: INFO: 524 processes: 368 internal, 103 linux-sandbox, 1 local, 52 worker.
Step #1: INFO: Elapsed time: 123.997s, Critical Path: 99.81s
Step #1: INFO: Found 36 test targets...
Step #1: [523 / 524] 35 / 36 tests, 1 failed; Testing //cli:index_run_e2e_test; 63s linux-sandbox
Step #1: [523 / 524] 35 / 36 tests, 1 failed; Testing //cli:index_run_e2e_test; 61s linux-sandbox
Step #1: [523 / 524] 35 / 36 tests, 1 failed; Testing //cli:index_run_e2e_test; 51s linux-sandbox
Step #1: ================================================================================
Step #1: Tests failed.
Step #1:
Step #1: BigQueryDbAdapter > setMetadata correctly maps column descriptions PASSED
Step #1: BigQueryDbAdapter > setMetadata handles action without columns PASSED
Step #1:
Step #1: at processTimers (node:internal/timers:541:7)
Step #1: at listOnTimeout (node:internal/timers:605:17)
Step #1: at Timeout.<anonymous> (testing/test.ts:85:22)
Step #1: Error: Timed out (30000ms).
Step #1:
Step #1: TIMEOUT
Step #1: BigQueryDbAdapter > tables() without schema lists all datasets and tables
Step #1:
Step #1: at processTimers (node:internal/timers:541:7)
Step #1: at listOnTimeout (node:internal/timers:605:17)
Step #1: at Timeout.<anonymous> (testing/test.ts:85:22)
Step #1: Error: Timed out (30000ms).
Step #1:
Step #1: BigQueryDbAdapter > tables() with schema filters correctly TIMEOUT
| projectId = projectId || credentials.projectId; | ||
| if (!clients.has(projectId)) { | ||
| clients.set( | ||
| const clientConfig: any = { |
There was a problem hiding this comment.
BigQueryOptions instead of any?
| const clientConfig: any = { | ||
| projectId, | ||
| new BigQuery({ | ||
| scopes: EXTRA_GOOGLE_SCOPES, |
There was a problem hiding this comment.
Are projectId and scopes here used by the auth library if you ovewrite authClient? If they're not used in this case, I'd only set them in else branch below
| @@ -0,0 +1,12 @@ | |||
| #!/bin/bash | |||
This PR adds an
--impersonate-service-accountargument to therunandtestcommands, along with the required changes to allow for the impersonation of service accounts without the need to change ADC or callgcloudThis would resolve issue #2000 and would be an alternative to solution than PR #2001
Impersonation could then be achieved by executing: