-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
set correct project when using from_service_account_json #1883
Comments
Thanks for reporting @kelvinabrokwa! I was able to reproduce the issue with $ export GCLOUD_PROJECT=testing-project >>> from gcloud import bigquery
>>> import os
>>> os.getenv('GCLOUD_PROJECT')
'testing-project'
>>> bc = bigquery.Client.from_service_account_json('creds.json')
>>> bc.project
u'testing-project' I'll try and figure out what's up. |
@daspecster thanks for the quick response! |
The credentials check and project check are completely decoupled. The |
@dhermes, what do you think about just adding/calling a helper function to extract the project id from the file at this point? https://github.com/GoogleCloudPlatform/gcloud-python/blob/master/gcloud/client.py#L60 |
This is actually tricky because a service account can have access to multiple different projects (ie, you can go into another project and add that service account to the project so it has access over there). If we were to automagically pick up the project ID from the key file (JSON), how would people specify "I'm using a service account from project A to talk to resources in project B" ? |
Yea I'd say these are related. |
@jgeewax good point. I actually just ran into that today. The way I'm looking at it now, the With that in mind, I can definitely imagine a scenario in which someone sets their env var purposefully to the project they want and then run into a bug where the library is using the one from the key file. Its more a question of developer experience at this point. |
I could be wrong, but this might be one of those special situations where we should try to separate a client from credentials, as well as loading a client from a service account from loading credentials from a service account. For example, when I load a Client from a service account, I'm expecting that all data in the service account is used to create a client. I think you're right in saying this should pull a project ID if that's there. On the other hand, if I were to create a client and set the credentials to ones from a service account, I'm expecting that it only reads in the credential, and pulls the project based on the default patterns. from gcloud import bigquery
# Get all defaults: credentials, project ID, scope, etc.
client = bigquery.Client()
# Get everything we possibly can from the service account JSON file
client = bigquery.Client.from_service_account_json('key.json')
# Get credentials from the service account JSON file, and defaults for everything else
client = bigquery.Client(credentials=Credentials.from_service_account_json('key.json'))
# Use key.json for credentials, and 'my-project' as the project ID
client = bigquery.Client(project='my-project',
credentials=Credentials.from_service_account_json('key.json')) @tseaver , @daspecster : Is this something that would make sense across the project? |
That makes sense to me at first glance. In the last example, that would override envar For the second example, # Get everything we possibly can from the service account JSON file
client = bigquery.Client.from_service_account_json('key.json') If the project ID isn't in the key.json then it would run through the default search order? In an application where multiple projects are used, I would assume that I would have to specify each one as I wanted to access it. |
If the project ID isn't in the JSON file, then they manually deleted it... I don't think that's a common thing... |
I ran into this issue when attempting to switch from the more manual Using from oauth2client.service_account import ServiceAccountCredentials
from googleapiclient import discovery
scopes = ['https://www.googleapis.com/auth/devstorage.full_control']
credentials = ServiceAccountCredentials.from_json_keyfile_name('service_acct_key.json', scopes)
# No need to specify project ID:
svc = discovery.build('storage', 'v1', credentials=credentials)
# svc.objects().insert() et al does not require project ID Using from google.cloud import storage
# this fails unless default project ID can be derived from env
client = storage.Client.from_service_account_json('service_acct_key.json') As pointed out in this thread, if we manually specify the |
@jonparrott @lukesneeringer I have thought about this but written no code. The issue is that some clients don't ever use a project while some don't ever use
WDYT? |
Optional project on every client seems fine with me. Also, google-auth doesn't choke on ADC if it can't determine the project. |
Fine with me as long as it can be done without a breaking change. I am not keen to have a 0.23 to 0.24 path that is as painful as this one. |
In some sense it can't be done without breaking some behaviors. It would add |
@lukesneeringer This is still a bug |
When instantiating with
bigquery.Client.from_service_account_json('...')
theproject
field in the client should be set to theproject_id
defined in the service account JSON.Right now it is still the one from env.
The text was updated successfully, but these errors were encountered: