airflow.providers.google.cloud.utils.credentials_provider
¶
This module contains a mechanism for providing temporary Google Cloud authentication.
Module Contents¶
-
airflow.providers.google.cloud.utils.credentials_provider.
AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT
= AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT[source]¶
-
airflow.providers.google.cloud.utils.credentials_provider.
_DEFAULT_SCOPES
:Sequence[str] = ['https://www.googleapis.com/auth/cloud-platform'][source]¶
-
airflow.providers.google.cloud.utils.credentials_provider.
build_gcp_conn
(key_file_path: Optional[str] = None, scopes: Optional[Sequence[str]] = None, project_id: Optional[str] = None) → str[source]¶ -
Builds a uri that can be used as :envvar:`AIRFLOW_CONN_{CONN_ID}` with provided service key,
-
scopes and project id.
-
airflow.providers.google.cloud.utils.credentials_provider.
provide_gcp_credentials
(key_file_path: Optional[str] = None, key_file_dict: Optional[Dict] = None)[source]¶ -
Context manager that provides a Google Cloud credentials for application supporting `Application
-
Default Credentials (ADC) strategy <https://cloud.google.com/docs/authentication/production>`__.
It can be used to provide credentials for external programs (e.g. gcloud) that expect authorization file in
GOOGLE_APPLICATION_CREDENTIALS
environment variable.- Parameters
key_file_path (str) – Path to file with Google Cloud Service Account .json file.
key_file_dict (Dict) – Dictionary with credentials.
-
airflow.providers.google.cloud.utils.credentials_provider.
provide_gcp_connection
(key_file_path: Optional[str] = None, scopes: Optional[Sequence] = None, project_id: Optional[str] = None) → Generator[source]¶ -
Context manager that provides a temporary value of :envvar:`AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT`
-
connection. It build a new connection that includes path to provided service json,
-
required scopes and project id.
-
airflow.providers.google.cloud.utils.credentials_provider.
provide_gcp_conn_and_credentials
(key_file_path: Optional[str] = None, scopes: Optional[Sequence] = None, project_id: Optional[str] = None) → Generator[source]¶ -
Context manager that provides both:
Google Cloud credentials for application supporting Application Default Credentials (ADC) strategy.
temporary value of
AIRFLOW_CONN_GOOGLE_CLOUD_DEFAULT
connection
-
class
airflow.providers.google.cloud.utils.credentials_provider.
_CredentialProvider
(key_path: Optional[str] = None, keyfile_dict: Optional[Dict[str, str]] = None, scopes: Optional[Collection[str]] = None, delegate_to: Optional[str] = None, disable_logging: bool = False, target_principal: Optional[str] = None, delegates: Optional[Sequence[str]] = None)[source]¶ Bases:
airflow.utils.log.logging_mixin.LoggingMixin
Prepare the Credentials object for Google API and the associated project_id
Only either key_path or keyfile_dict should be provided, or an exception will occur. If neither of them are provided, return default credentials for the current environment
- Parameters
key_path (str) – Path to Google Cloud Service Account key file (JSON).
keyfile_dict (Dict[str, str]) – A dict representing Cloud Service Account as in the Credential JSON file
scopes (Collection[str]) – OAuth scopes for the connection
delegate_to (str) – The account to impersonate using domain-wide delegation of authority, if any. For this to work, the service account making the request must have domain-wide delegation enabled.
disable_logging – If true, disable all log messages, which allows you to use this class to configure Logger.
target_principal (str) – The service account to directly impersonate using short-term credentials, if any. For this to work, the target_principal account must grant the originating account the Service Account Token Creator IAM role.
delegates (Sequence[str]) – optional chained list of accounts required to get the access_token of target_principal. If set, the sequence of identities from the list must grant Service Account Token Creator IAM role to the directly preceding identity, with first account from the list granting this role to the originating account and target_principal granting the role to the last account from the list.
-
airflow.providers.google.cloud.utils.credentials_provider.
get_credentials_and_project_id
(*args, **kwargs) → Tuple[google.auth.credentials.Credentials, str][source]¶ -
Returns the Credentials object for Google API and the associated project_id.
-
airflow.providers.google.cloud.utils.credentials_provider.
_get_scopes
(scopes: Optional[str] = None) → Sequence[str][source]¶ -
Parse a comma-separated string containing OAuth2 scopes if `scopes` is provided.
-
Otherwise, default scope will be returned.
-
airflow.providers.google.cloud.utils.credentials_provider.
_get_target_principal_and_delegates
(impersonation_chain: Optional[Union[str, Sequence[str]]] = None) → Tuple[Optional[str], Optional[Sequence[str]]][source]¶ -
Analyze contents of impersonation_chain and return target_principal (the service account
-
to directly impersonate using short-term credentials, if any) and optional list of delegates
-
required to get the access_token of target_principal.