iterative / PyDrive2

Google Drive API Python wrapper library. Maintained fork of PyDrive.
https://docs.iterative.ai/PyDrive2
Other
580 stars 69 forks source link

authentication-with-a default service-account isn't working #240

Open lappazos opened 1 year ago

lappazos commented 1 year ago

regarding comment in PR #221, i tried https://docs.iterative.ai/PyDrive2/oauth/#authentication-with-a-service-account

i couldn't find where this function is implemented. i tried to implement it by myself (copy pate), but the GCP environment couldn't find the "client_json_file_path": "service-secrets.json",

lappazos commented 1 year ago

@shcheklein

shcheklein commented 1 year ago

@lappazos please, no need to ping me directly and/or use my email. At least not immediately. We are getting notifications about the new issues.

i couldn't find where this function is implemented.

what function? try to follow these steps to generate the secrets file - https://dvc.org/doc/user-guide/how-to/setup-google-drive-remote#using-service-accounts

lappazos commented 1 year ago

@shcheklein I don't think you understand. When you log in to a VM of GCP, you always use a service account. the service account credentials are available somehow in the machine (I'm not sure how, and that is the whole point of this request - automatic authentication using the VM service account credentials). many libraries can authenticate automatically when they are inside a GCP VM, saving the need in a JSON file. we don't want to create a JSON file, that is a potential security breach. BTW, at the moment I have no problem authenticating with JSON file - the whole point is avoiding that, using the VM Metadata credentials of the Service Account.

Back to your question, in the PR you suggested using https://docs.iterative.ai/PyDrive2/oauth/#authentication-with-a-service-account. This leads to a function called login_with_service_account, which I can't find in the library implementation. As I mentioned above, I tried to implement it by myself (copy-paste), but the GCP environment couldn't find the "client_json_file_path": "service-secrets.json",

shcheklein commented 1 year ago

Okay, I see. This duplicates this https://github.com/iterative/PyDrive2/issues/187 and https://github.com/iterative/PyDrive2/issues/179 ?

@lappazos @junp Do you know what is the mechanism behind the default service account? Is there a file in some location, ENV variable, etc? Is it the same as GoogleCredentials.get_application_default()?

Back to your question, in the PR you suggested using https://docs.iterative.ai/PyDrive2/oauth/#authentication-with-a-service-account. This leads to a function called login_with_service_account, which I can't find in the library implementation.

Could you give a link and / or more context?

lappazos commented 1 year ago

Okay, I see. This duplicates this #187 and #179 ?

Yes, exactly

@lappazos @junp Do you know what is the mechanism behind the default service account? Is there a file in some location, ENV variable, etc? Is it the same as GoogleCredentials.get_application_default()?

Unfortunately, I don't know what is the mechanism

Back to your question, in the PR you suggested using https://docs.iterative.ai/PyDrive2/oauth/#authentication-with-a-service-account. This leads to a function called login_with_service_account, which I can't find in the library implementation.

Could you give a link and / or more context?

I'm not sure what you mean - you gave me the link to that function. it is nowhere to be found in the library, only in the documentation and didn't work when I implemented it by copying it to my python file since the file path wasn't correct.

shcheklein commented 1 year ago

I'm not sure what you mean - you gave me the link to that function. it is nowhere to be found in the library, only in the documentation and didn't work when I implemented it by copying it to my python file since the file path wasn't correct.

okay, got it. Yes, for that workflow to work you need a file, or an ENV var, or something with the service account credentials. I would try to google and see how the default credentials are implemented - is a service account or not, are those saved in some file or not. Depending on that we either could modify the code a bit (I can help), or we'll need to wait for the PR to lend, or may be we'll have some way to fix the current implementation a bit to incorporate that flow.

lappazos commented 1 year ago

@shcheklein Thanks, ill wait for your update