| :mod:`airflow.providers.google.cloud.utils.credentials_provider` |
| ================================================================ |
| |
| .. py:module:: airflow.providers.google.cloud.utils.credentials_provider |
| |
| .. autoapi-nested-parse:: |
| |
| This module contains a mechanism for providing temporary |
| Google Cloud authentication. |
| |
| |
| |
| Module Contents |
| --------------- |
| |
| .. data:: log |
| |
| |
| |
| |
| .. data:: AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT |
| :annotation: = AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT |
| |
| |
| |
| .. data:: _DEFAULT_SCOPES |
| :annotation: :Sequence[str] = ['https://www.googleapis.com/auth/cloud-platform'] |
| |
| |
| |
| .. function:: build_gcp_conn(key_file_path: Optional[str] = None, scopes: Optional[Sequence[str]] = None, project_id: Optional[str] = None) -> str |
| Builds a uri that can be used as :envvar:`AIRFLOW_CONN_{CONN_ID}` with provided service key, |
| scopes and project id. |
| |
| :param key_file_path: Path to service key. |
| :type key_file_path: Optional[str] |
| :param scopes: Required OAuth scopes. |
| :type scopes: Optional[List[str]] |
| :param project_id: The Google Cloud project id to be used for the connection. |
| :type project_id: Optional[str] |
| :return: String representing Airflow connection. |
| |
| |
| .. function:: provide_gcp_credentials(key_file_path: Optional[str] = None, key_file_dict: Optional[Dict] = None) |
| Context manager that provides a Google Cloud credentials for application supporting `Application |
| Default Credentials (ADC) strategy <https://cloud.google.com/docs/authentication/production>`__. |
| |
| It can be used to provide credentials for external programs (e.g. gcloud) that expect authorization |
| file in ``GOOGLE_APPLICATION_CREDENTIALS`` environment variable. |
| |
| :param key_file_path: Path to file with Google Cloud Service Account .json file. |
| :type key_file_path: str |
| :param key_file_dict: Dictionary with credentials. |
| :type key_file_dict: Dict |
| |
| |
| .. function:: provide_gcp_connection(key_file_path: Optional[str] = None, scopes: Optional[Sequence] = None, project_id: Optional[str] = None) -> Generator |
| Context manager that provides a temporary value of :envvar:`AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT` |
| connection. It build a new connection that includes path to provided service json, |
| required scopes and project id. |
| |
| :param key_file_path: Path to file with Google Cloud Service Account .json file. |
| :type key_file_path: str |
| :param scopes: OAuth scopes for the connection |
| :type scopes: Sequence |
| :param project_id: The id of Google Cloud project for the connection. |
| :type project_id: str |
| |
| |
| .. function:: provide_gcp_conn_and_credentials(key_file_path: Optional[str] = None, scopes: Optional[Sequence] = None, project_id: Optional[str] = None) -> Generator |
| Context manager that provides both: |
| |
| - Google Cloud credentials for application supporting `Application Default Credentials (ADC) |
| strategy <https://cloud.google.com/docs/authentication/production>`__. |
| - temporary value of :envvar:`AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT` connection |
| |
| :param key_file_path: Path to file with Google Cloud Service Account .json file. |
| :type key_file_path: str |
| :param scopes: OAuth scopes for the connection |
| :type scopes: Sequence |
| :param project_id: The id of Google Cloud project for the connection. |
| :type project_id: str |
| |
| |
| .. py:class:: _CredentialProvider(key_path: Optional[str] = None, keyfile_dict: Optional[Dict[str, str]] = None, scopes: Optional[Collection[str]] = None, delegate_to: Optional[str] = None, disable_logging: bool = False, target_principal: Optional[str] = None, delegates: Optional[Sequence[str]] = None) |
| |
| Bases: :class:`airflow.utils.log.logging_mixin.LoggingMixin` |
| |
| Prepare the Credentials object for Google API and the associated project_id |
| |
| Only either `key_path` or `keyfile_dict` should be provided, or an exception will |
| occur. If neither of them are provided, return default credentials for the current environment |
| |
| :param key_path: Path to Google Cloud Service Account key file (JSON). |
| :type key_path: str |
| :param keyfile_dict: A dict representing Cloud Service Account as in the Credential JSON file |
| :type keyfile_dict: Dict[str, str] |
| :param scopes: OAuth scopes for the connection |
| :type scopes: Collection[str] |
| :param delegate_to: The account to impersonate using domain-wide delegation of authority, |
| if any. For this to work, the service account making the request must have |
| domain-wide delegation enabled. |
| :type delegate_to: str |
| :param disable_logging: If true, disable all log messages, which allows you to use this |
| class to configure Logger. |
| :param target_principal: The service account to directly impersonate using short-term |
| credentials, if any. For this to work, the target_principal account must grant |
| the originating account the Service Account Token Creator IAM role. |
| :type target_principal: str |
| :param delegates: optional chained list of accounts required to get the access_token of |
| target_principal. If set, the sequence of identities from the list must grant |
| Service Account Token Creator IAM role to the directly preceding identity, with first |
| account from the list granting this role to the originating account and target_principal |
| granting the role to the last account from the list. |
| :type delegates: Sequence[str] |
| |
| |
| .. method:: get_credentials_and_project(self) |
| |
| Get current credentials and project ID. |
| |
| :return: Google Auth Credentials |
| :type: Tuple[google.auth.credentials.Credentials, str] |
| |
| |
| |
| |
| .. method:: _get_credentials_using_keyfile_dict(self) |
| |
| |
| |
| |
| .. method:: _get_credentials_using_key_path(self) |
| |
| |
| |
| |
| .. method:: _get_credentials_using_adc(self) |
| |
| |
| |
| |
| .. method:: _log_info(self, *args, **kwargs) |
| |
| |
| |
| |
| .. method:: _log_debug(self, *args, **kwargs) |
| |
| |
| |
| |
| .. function:: get_credentials_and_project_id(*args, **kwargs) -> Tuple[google.auth.credentials.Credentials, str] |
| Returns the Credentials object for Google API and the associated project_id. |
| |
| |
| .. function:: _get_scopes(scopes: Optional[str] = None) -> Sequence[str] |
| Parse a comma-separated string containing OAuth2 scopes if `scopes` is provided. |
| Otherwise, default scope will be returned. |
| |
| :param scopes: A comma-separated string containing OAuth2 scopes |
| :type scopes: Optional[str] |
| :return: Returns the scope defined in the connection configuration, or the default scope |
| :rtype: Sequence[str] |
| |
| |
| .. function:: _get_target_principal_and_delegates(impersonation_chain: Optional[Union[str, Sequence[str]]] = None) -> Tuple[Optional[str], Optional[Sequence[str]]] |
| Analyze contents of impersonation_chain and return target_principal (the service account |
| to directly impersonate using short-term credentials, if any) and optional list of delegates |
| required to get the access_token of target_principal. |
| |
| :param impersonation_chain: the service account to impersonate or a chained list leading to this |
| account |
| :type impersonation_chain: Optional[Union[str, Sequence[str]]] |
| |
| :return: Returns the tuple of target_principal and delegates |
| :rtype: Tuple[Optional[str], Optional[Sequence[str]]] |
| |
| |
| .. function:: _get_project_id_from_service_account_email(service_account_email: str) -> str |
| Extracts project_id from service account's email address. |
| |
| :param service_account_email: email of the service account. |
| :type service_account_email: str |
| |
| :return: Returns the project_id of the provided service account. |
| :rtype: str |
| |
| |