Closed junpeng-jp closed 1 year ago
@shcheklein I've raise a new PR above. Please do take a look when you have time
@junpeng-jp hey, sure. Please don't hesitate to Request a review via a link at the top. Otherwise it was not clear if it's still in progress or not. Thanks again for the effort. I'll try to find time to review it this week.
@shcheklein Not sure why but I don't see a button to request a reviewer for this PR. Are you able to help me here?
Screenshot of what I see below
@junpeng-jp ah, no worries. If it doesn't work- that's fine. Just ping me in the comment.
Sorry for the delay, this PR needs more attention and I need to find time to check it out.
@shcheklein @junpeng-jp any update on this PR? I really need the automatic auth using GCP service account credentials.
@lappazos please give it a try https://docs.iterative.ai/PyDrive2/oauth/#authentication-with-a-service-account . You don't need to wait for this PR to be merged.
@shcheklein so i did - i couldn't find where this function is implemented. i tried to implement it by myself (copy pate), but the GCP environment couldn't find the "client_json_file_path": "service-secrets.json",
@lappazos please, let's move this to a separate issue/discussion. This is not related I think to this PR.
@junpeng-jp @shcheklein is this PR stuck?
Closing as stale
Just noting that it would be nice if this PR can be "brought back to life/completed" to enable features like "service account impersonation", etc.
Background: I was working on a small hobby project (and attempting to learn some of the "best practices" for service accounts/authentication, etc.).
IIUC, it seems like using "service account impersonation" is preferred to downloading a "service account key", as the key is long-lived, requires manual rotation, etc. Whereas "impersonation" allows you to just fetch a temporary token for the service account (using your existing user credentials) service account key
While I'm not 100% certain it is required, I think that using the updated google oauth libraries are probably the best way to enable these features.
And I did have success using the https://github.com/junpeng-jp/PyDrive2 fork for this...
I was able to get it running locally (using mostly default settings for PyDrive2, and creating "impersonated application-default credentials" with:
gcloud auth application-default login --impersonate-service-account SERVICE_ACCT_EMAIL
To make the "application default credentials" be the "impersonated service account" ones.
I was ALSO able to get a test version running on a google cloud run container (where a google managed "service account" is used to run the service, and I was able to get that service account to "impersonate" an existing service account (which already has access to certain drive folders) and get things working that way also. It did require a bit of work (monkey patching the GoogleAuth.ServiceAuth() method to set self._credential to be the impersonated one). I think that would be a "fairly small update" to allow impersonated service accounts cleanly (if this PR is revived).
At any rate, just noting that this PR does appear to be pretty useful, and hoping that this can be brought back to life / completed (as it appears to be pretty far along / functional).
Eric
Summary of changes
89
89
173
Removing manual refresh & authorization header injection code as this is now handle by the Google Auth library
self.Refresh()
&self.Authorize()
methodsself.Get_Http_Object()
method to use theAuthorizedHttp
object from google's HTTP migration helper library