Closed lgeiger closed 2 years ago
Hi there @lgeiger :wave:!
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.
Hi @lgeiger
Please open an issue in the tensorflow repository. gfile will need to add support for Workload Identity Federation. Unfortunately there is nothing we can do in this project.
For reference, I opened https://github.com/tensorflow/tensorflow/issues/57104 which hasn't seen any response yet.
@sethvargo Can you give some more detail on the analysis of how exactly this is a problem that is specific to gfile
?
Hi @vpipkt TensorFlow GFile needs to be updated to support Workload Identity Federation supplied by Application Default Credentials. If it uses official Google Cloud client libraries under the hood, it probably needs to update to the latest version. More details:
In the past, the were only two ways to authenticate to GCP:
About 2 years ago, GCP created Workload Identity Federation, which adds a third authentication mechanism and file format. GFile does not appear to support that format.
TL;DR
I am trying to switch from authenticating with long lived Service Account Key JSON to Workload Identity Federation in a TensorFlow application.
To test that authentication works correctly I am simply testing the existence of a blob in my buckets:
This works correctly for both authenticating with a Service Account Key and with Workload Identity Federation.
However using TensorFlow gfile only works with the old Service Account Key method and fails with Workload Identity Federation:
Expected behavior
I'd expect both authentication methods to work equally well given that TensorFlow just uses the credentials from
$GOOGLE_APPLICATION_CREDENTIALS
.Observed behavior
TensorFlow GFile only seems to work with service account keys and not with Workload Identity Federation.
Action YAML
Log output
Additional information
No response