airflow.providers.google.cloud.utils.credentials_provider

This module contains a mechanism for providing temporary Google Cloud authentication.

Module Contents

airflow.providers.google.cloud.utils.credentials_provider.log[source]
airflow.providers.google.cloud.utils.credentials_provider.AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT = AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT[source]
airflow.providers.google.cloud.utils.credentials_provider._DEFAULT_SCOPES :Sequence[str] = ['https://www.googleapis.com/auth/cloud-platform'][source]
airflow.providers.google.cloud.utils.credentials_provider.build_gcp_conn(key_file_path: Optional[str] = None, scopes: Optional[Sequence[str]] = None, project_id: Optional[str] = None)str[source]
Builds a uri that can be used as :envvar:`AIRFLOW_CONN_{CONN_ID}` with provided service key,
scopes and project id.
Parameters
  • key_file_path (Optional[str]) – Path to service key.

  • scopes (Optional[List[str]]) – Required OAuth scopes.

  • project_id (Optional[str]) – The Google Cloud project id to be used for the connection.

Returns

String representing Airflow connection.

airflow.providers.google.cloud.utils.credentials_provider.provide_gcp_credentials(key_file_path: Optional[str] = None, key_file_dict: Optional[Dict] = None)[source]
Context manager that provides a Google Cloud credentials for application supporting `Application
Default Credentials (ADC) strategy <https://cloud.google.com/docs/authentication/production>`__.

It can be used to provide credentials for external programs (e.g. gcloud) that expect authorization file in GOOGLE_APPLICATION_CREDENTIALS environment variable.

Parameters
  • key_file_path (str) – Path to file with Google Cloud Service Account .json file.

  • key_file_dict (Dict) – Dictionary with credentials.

airflow.providers.google.cloud.utils.credentials_provider.provide_gcp_connection(key_file_path: Optional[str] = None, scopes: Optional[Sequence] = None, project_id: Optional[str] = None) → Generator[source]
Context manager that provides a temporary value of :envvar:`AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT`
connection. It build a new connection that includes path to provided service json,
required scopes and project id.
Parameters
  • key_file_path (str) – Path to file with Google Cloud Service Account .json file.

  • scopes (Sequence) – OAuth scopes for the connection

  • project_id (str) – The id of Google Cloud project for the connection.

airflow.providers.google.cloud.utils.credentials_provider.provide_gcp_conn_and_credentials(key_file_path: Optional[str] = None, scopes: Optional[Sequence] = None, project_id: Optional[str] = None) → Generator[source]
Context manager that provides both:
Parameters
  • key_file_path (str) – Path to file with Google Cloud Service Account .json file.

  • scopes (Sequence) – OAuth scopes for the connection

  • project_id (str) – The id of Google Cloud project for the connection.

class airflow.providers.google.cloud.utils.credentials_provider._CredentialProvider(key_path: Optional[str] = None, keyfile_dict: Optional[Dict[str, str]] = None, scopes: Optional[Collection[str]] = None, delegate_to: Optional[str] = None, disable_logging: bool = False, target_principal: Optional[str] = None, delegates: Optional[Sequence[str]] = None)[source]

Bases: airflow.utils.log.logging_mixin.LoggingMixin

Prepare the Credentials object for Google API and the associated project_id

Only either key_path or keyfile_dict should be provided, or an exception will occur. If neither of them are provided, return default credentials for the current environment

Parameters
  • key_path (str) – Path to Google Cloud Service Account key file (JSON).

  • keyfile_dict (Dict[str, str]) – A dict representing Cloud Service Account as in the Credential JSON file

  • scopes (Collection[str]) – OAuth scopes for the connection

  • delegate_to (str) – The account to impersonate using domain-wide delegation of authority, if any. For this to work, the service account making the request must have domain-wide delegation enabled.

  • disable_logging – If true, disable all log messages, which allows you to use this class to configure Logger.

  • target_principal (str) – The service account to directly impersonate using short-term credentials, if any. For this to work, the target_principal account must grant the originating account the Service Account Token Creator IAM role.

  • delegates (Sequence[str]) – optional chained list of accounts required to get the access_token of target_principal. If set, the sequence of identities from the list must grant Service Account Token Creator IAM role to the directly preceding identity, with first account from the list granting this role to the originating account and target_principal granting the role to the last account from the list.

get_credentials_and_project(self)[source]

Get current credentials and project ID.

Returns

Google Auth Credentials

Type

Tuple[google.auth.credentials.Credentials, str]

_get_credentials_using_keyfile_dict(self)[source]
_get_credentials_using_key_path(self)[source]
_get_credentials_using_adc(self)[source]
_log_info(self, *args, **kwargs)[source]
_log_debug(self, *args, **kwargs)[source]
airflow.providers.google.cloud.utils.credentials_provider.get_credentials_and_project_id(*args, **kwargs) → Tuple[google.auth.credentials.Credentials, str][source]
Returns the Credentials object for Google API and the associated project_id.
airflow.providers.google.cloud.utils.credentials_provider._get_scopes(scopes: Optional[str] = None) → Sequence[str][source]
Parse a comma-separated string containing OAuth2 scopes if `scopes` is provided.
Otherwise, default scope will be returned.
Parameters

scopes (Optional[str]) – A comma-separated string containing OAuth2 scopes

Returns

Returns the scope defined in the connection configuration, or the default scope

Return type

Sequence[str]

airflow.providers.google.cloud.utils.credentials_provider._get_target_principal_and_delegates(impersonation_chain: Optional[Union[str, Sequence[str]]] = None) → Tuple[Optional[str], Optional[Sequence[str]]][source]
Analyze contents of impersonation_chain and return target_principal (the service account
to directly impersonate using short-term credentials, if any) and optional list of delegates
required to get the access_token of target_principal.
Parameters

impersonation_chain (Optional[Union[str, Sequence[str]]]) – the service account to impersonate or a chained list leading to this account

Returns

Returns the tuple of target_principal and delegates

Return type

Tuple[Optional[str], Optional[Sequence[str]]]

airflow.providers.google.cloud.utils.credentials_provider._get_project_id_from_service_account_email(service_account_email: str)str[source]
Extracts project_id from service account's email address.
Parameters

service_account_email (str) – email of the service account.

Returns

Returns the project_id of the provided service account.

Return type

str

Was this entry helpful?