PyDrive2 icon indicating copy to clipboard operation
PyDrive2 copied to clipboard
verified publisher icon iterative

no support for `google.auth.default`

Open fatestapestry opened this issue 3 years ago • 6 comments

To support CI workflows building off gh actions, I'd like to use the recommended auth method using google.auth.default with google-github-actions/[email protected] - https://github.com/google-github-actions/auth.

This would (hopefully) allow the following, using the more modern google.auth lib:

    gauth = GoogleAuth()
    try:
        gauth.credentials = ServiceAccountCredentials.from_json_keyfile_name(LOCAL_KEY, SCOPES)  # support local dev
    except FileNotFoundError:
        credentials, _ = google.auth.default(SCOPES)  # prod
        gauth.credentials = credentials

This is defined here: https://google-auth.readthedocs.io/en/master/user-guide.html

Unfortunately forcing auth with a local service account key file is a poor security implementation, and not really acceptable for cloud CI.

fatestapestry avatar May 28 '22 04:05 fatestapestry

@junpeng-jp will test after merge

fatestapestry avatar May 29 '22 23:05 fatestapestry

Fixing this should also support:

from google.oauth2.service_account import Credentials

credentials = Credentials.from_service_account_file(key_file, scopes)

fatestapestry avatar May 29 '22 23:05 fatestapestry

A working alternative until this is implemented is to use this after reading key from env:

oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_dict()

fatestapestry avatar May 30 '22 00:05 fatestapestry

hey @jonathanelscpt, the GoogleAuth in this library supports file-based service auth through:

  1. specifying the service credential file name in the yaml config under service_config > client_json_file_path or specifying the GOOGLE_APPLICATION_CREDENTIALS environment variable and setting service_config > use_default = True
  2. instantiate GoogleAuth
  3. run the ServiceAuth method which would:
    • reads the service credential json path
    • use the from_service_account_file class method (see here) to create the service account credentials

junpeng-jp avatar May 30 '22 13:05 junpeng-jp

At least, this is how it would be after my pull request above has been merged. Because the entire library's google auth is driven by the .yaml config file, I've kept to the same design whilst I was working to migrate from oauth2client -> google-auth

junpeng-jp avatar May 30 '22 13:05 junpeng-jp

For the record, current implementation supports reading from a dict, from ENV, etc. I'm not sure about the default credentials. It depends on the underlying implementation for them.

shcheklein avatar Nov 13 '22 17:11 shcheklein