@wintermi
This PR adds an --impersonate-service-account argument to the run and test commands, along with the required changes to allow for the impersonation of service accounts without the need to change ADC or call gcloud.

This would resolve issue #2000 and would be an alternative solution to PR #2001.

Impersonation could then be achieved by executing:

dataform run --impersonate-service-account=<SERVICE_ACCT_EMAIL>

…st' commands and the required changes to allow for the impersonation of service accounts without the need to change ADC
@wintermi wintermi requested a review from a team as a code owner September 11, 2025 06:43
@wintermi wintermi requested review from Ceridan and removed request for a team September 11, 2025 06:43
@google-cla

google-cla bot commented Sep 11, 2025

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@camilleAmaury

+1, this would enable the use of impersonation in CI rather than giving the rights directly to the CI service account.
There is no way to work around that currently.

@kolina
Contributor

kolina commented Nov 11, 2025

/gcbrun

@Ceridan Ceridan requested review from kolina and removed request for Ceridan November 13, 2025 09:15
@kolina
Contributor

kolina commented Nov 13, 2025

Sorry for the late review. A couple of things:

  • Integration tests are failing, can you take a look at fixing them? Now we have a guide for running them locally
  • Let's resolve conflicts

clientConfig.authClient = new Impersonated({
sourceClient: authClient,
targetPrincipal: this.bigQueryCredentials.impersonateServiceAccount,
targetScopes: ['https://www.googleapis.com/auth/cloud-platform']
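Review bot: the options passed to `new Impersonated({...})` in the lines shown set no `lifetime`, so the impersonated token falls back to the library default; consider passing an explicit, short `lifetime` next to `targetScopes`. The lines shown also pass `this.bigQueryCredentials.impersonateServiceAccount` straight into `targetPrincipal`, so it is worth checking that the value is a non-empty service account email before constructing the client, so that a malformed `--impersonate-service-account` value fails with a clear CLI error rather than an error from the credentials API.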
Contributor

EXTRA_GOOGLE_SCOPES?

Author

Not sure what you would like done here?

Contributor

I mean using EXTRA_GOOGLE_SCOPES here instead of hard-coding

@kolina
Contributor

kolina commented Jan 2, 2026

@wintermi, in the current version tests are failing due to linter checks: output

You can check errors using this lint script.

Resolved conflicts:
- cli/index.ts: Kept both impersonate-service-account option (fork feature)
  and job-labels option (upstream feature)
- package.json: Updated glob to ^10.5.0, kept google-auth-library dependency
- yarn.lock: Regenerated with updated dependencies
@wintermi
Author

wintermi commented Jan 5, 2026

Resynced the PR with the latest commit

@wintermi
Author

wintermi commented Jan 5, 2026

@wintermi, in the current version tests are failing due to linter checks: output

You can check errors using this lint script.

Fixed the linter issues

@wintermi
Author

wintermi commented Jan 5, 2026

@kolina ready for retesting, thanks

@wintermi wintermi requested a review from kolina January 7, 2026 05:35
@kolina
Contributor

kolina commented Jan 7, 2026

/gcbrun

clientConfig.authClient = new Impersonated({
sourceClient: authClient,
targetPrincipal: this.bigQueryCredentials.impersonateServiceAccount,
targetScopes: ['https://www.googleapis.com/auth/cloud-platform']
Contributor

I mean using EXTRA_GOOGLE_SCOPES here instead of hard-coding

}

private getClient(projectId?: string) {
private async getClient(projectId?: string) {
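Review bot: making `getClient` `async` changes its return value to a Promise, so every existing call site in this class has to `await` it; please confirm that all callers were updated in this PR. Adding an explicit `Promise<...>` return type to the signature would make the change visible at the declaration and help catch a caller that still treats the result as the client itself.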
Contributor

In #2001 @ashish10alex added support for impersonating a service account through ADC. Will it be enough for your use case or do you need an explicit option as well?

If the latter, can you please validate manually that it works?
