  1. Apache Airflow
  2. AIRFLOW-2522

Cannot use GOOGLE_APPLICATION_CREDENTIALS to authenticate for GCP connections

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.10.0, 2.0.0
    • Component/s: contrib
    • Labels:
      None

      Description

      If you try to use the GOOGLE_APPLICATION_CREDENTIALS environment variable with a service account key to authenticate to Google Cloud, as described at https://cloud.google.com/docs/authentication/production, you get an error "HttpAccessTokenRefreshError: invalid_scope: Empty or missing scope not allowed."

      This error occurs even if you fill in the scope field of the GCP connection.

      The root cause is that scopes are ignored by the GCP hook when using application default credentials. They should not be ignored when the default credentials are using a service account. (And probably shouldn't be ignored at all, preferring an error when scopes are filled in but don't apply to the credential type.)

      I'll try to fix this while I'm working on https://issues.apache.org/jira/projects/AIRFLOW/issues/AIRFLOW-2512.
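
The behaviour the description asks for, as an added example that is not Airflow's code or the reporter's fix: scopes are applied when the key file is a service account and rejected, rather than silently dropped, when they do not fit the credential type. The comma-separated scope field, the `ScopeConfigError` name and the treatment of `authorized_user` files are assumptions of this sketch; the key files are constructed and hold only a `type` field.

```python
import json
import os
import tempfile


class ScopeConfigError(ValueError):
    """The scope setting does not fit the credential type."""


def parse_scopes(scope_field):
    # Assumed format: comma-separated scope URLs in one string.
    return [s.strip() for s in (scope_field or "").split(",") if s.strip()]


def scopes_for_key_file(path, scope_field):
    """Return the scopes to request for the key file at `path`, or raise."""
    with open(path) as fh:
        cred_type = json.load(fh).get("type")
    scopes = parse_scopes(scope_field)
    if cred_type == "service_account":
        # A service account token request with no scope is what the issue
        # reports as "invalid_scope: Empty or missing scope not allowed".
        if not scopes:
            raise ScopeConfigError("service account key needs at least one scope")
        return scopes
    if cred_type == "authorized_user":
        # Assumption: scopes were fixed at user consent, so a filled-in
        # field is rejected rather than silently ignored.
        if scopes:
            raise ScopeConfigError("scopes do not apply to authorized_user credentials")
        return []
    raise ScopeConfigError("unsupported credential type: %r" % (cred_type,))


def write_key(cred_type):
    # Constructed sample file: only the "type" field, no key material.
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump({"type": cred_type}, fh)
    return path


if __name__ == "__main__":
    sa = write_key("service_account")
    print(scopes_for_key_file(sa, "https://www.googleapis.com/auth/cloud-platform"))
    try:
        scopes_for_key_file(sa, "")
    except ScopeConfigError as exc:
        print("rejected:", exc)
    os.remove(sa)
```

Passing the narrowest scope list the task needs, instead of a broad default, keeps the service account token limited to what the connection actually uses.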

            People

            • Assignee: tswast Tim Swast
            • Reporter: tswast Tim Swast