Skip to content

Add GCP service account impersonation for credentials. #3246

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
flyrain merged 3 commits into from
Dec 11, 2025
Merged

Add GCP service account impersonation for credentials. #3246

flyrain merged 3 commits into from
Dec 11, 2025
+140 −2

Conversation

@talatuyarer
Copy link
Contributor

@talatuyarer talatuyarer commented Dec 9, 2025

This will close this bug: #550

cc @flyrain

@github-project-automation github-project-automation bot moved this to PRs In Progress in Basic Kanban Board Dec 9, 2025
adnanhemani
adnanhemani approved these changes Dec 10, 2025
View reviewed changes
Copy link
Contributor

@adnanhemani adnanhemani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, @talatuyarer!! Thank you for this :) One small nit - not a requirement before merging (we can refactor after), but if you are making any changes, would be nice to take care of this in the same go.

...c/test/java/org/apache/polaris/service/storage/gcp/GcpCredentialsStorageIntegrationTest.java Outdated
.generateAccessToken(
Mockito.argThat(
request ->
request.getName().equals("projects/-/serviceAccounts/" + serviceAccount)
Copy link
Contributor

@adnanhemani adnanhemani Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Would recommend moving these variables out to the main class as public variables and then referencing them here from there so that we don't have magic variables and it will be cleaner to maintain if there are any changes in the future!

dimas-b
dimas-b reviewed Dec 10, 2025
View reviewed changes
Copy link
Contributor

@dimas-b dimas-b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution, @talatuyarer !

...core/src/main/java/org/apache/polaris/core/storage/gcp/GcpCredentialsStorageIntegration.java
* is configured, it impersonates that account first.
*/
private GoogleCredentials getBaseCredentials() {
if (config().getGcpServiceAccount() != null) {
Copy link
Contributor

@dimas-b dimas-b Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting that this config value was defined before, but not used 🤔

Does anyone have insight into why it was this way?

Technically, now that GcpServiceAccount config values start affecting Polaris behaviour, this could be a breaking change in existing deployments that may have (possibly accidental and/or incorrect) values in that config property.

I do believe that such a situation is unlikely, so it should be fine to proceed with this PR. However, it probably deserves mentioning as a Change in CHANGELOG.md

Copy link
Contributor

@flyrain flyrain Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this is in the CLI doc for a while, https://polaris.apache.org/in-dev/unreleased/command-line-interface/#catalogs

      --service-account  (Only for GCS) The service account to use when connecting to GCS

Agreed with @dimas-b, not particularly a big concern, but +1 on adding this to the CHANGELOG.md.

flyrain
flyrain reviewed Dec 10, 2025
View reviewed changes
Copy link
Contributor

@flyrain flyrain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for working on it, @talatuyarer! Looks great to me overall. I think it's ready once we add an item in changelog.

@github-project-automation github-project-automation bot moved this from PRs In Progress to Ready to merge in Basic Kanban Board Dec 11, 2025
adnanhemani
adnanhemani approved these changes Dec 11, 2025
View reviewed changes
Copy link
Contributor

@adnanhemani adnanhemani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@flyrain flyrain merged commit fe5b2e5 into apache:main Dec 11, 2025
15 checks passed
@github-project-automation github-project-automation bot moved this from Ready to merge to Done in Basic Kanban Board Dec 11, 2025
@flyrain
Copy link
Contributor

flyrain commented Dec 11, 2025

Thanks a lot for adding this, @talatuyarer! Thanks @dimas-b @adnanhemani for the review!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@flyrain flyrain flyrain approved these changes

@dimas-b dimas-b dimas-b approved these changes

+1 more reviewer

@adnanhemani adnanhemani adnanhemani approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@talatuyarer @flyrain @adnanhemani @dimas-b