fix(sdk): Add required auth scopes to RegistryClient for GCP service accounts credentials (#10819)

The scopes are defined in registry context file. Additional scopes must
be comma separated.

Fixes #8878. Previous PR #8895 was approved, but tests failed and
became stale.

I fixed the tests, and confirmed it worked for my case. Using a GCP
Service Account with RegistryClient no longer needs me to explicitly
provide the required scopes.

Signed-off-by: Pedro Chambino <[email protected]>
PChambino authored May 30, 2024
1 parent 6d3b8c3 commit 04b4cad
Showing 3 changed files with 12 additions and 12 deletions.
5 changes: 3 additions & 2 deletions sdk/python/kfp/registry/context/kfp_pkg_dev.json
Expand Up @@ -16,5 +16,6 @@
"delete_version_url":"https://artifactregistry.googleapis.com/v1/projects/{project_id}/locations/{location}/repositories/{repo_id}/packages/{package_name}/versions/{version}",
"package_format":"projects/{project_id}/locations/{location}/repositories/{repo_id}/packages/{package_name}",
"tag_format":"projects/{project_id}/locations/{location}/repositories/{repo_id}/packages/{package_name}/tags/{tag}",
"version_format":"projects/{project_id}/locations/{location}/repositories/{repo_id}/packages/{package_name}/versions/{version}"
}
"version_format":"projects/{project_id}/locations/{location}/repositories/{repo_id}/packages/{package_name}/versions/{version}",
"auth_scopes": "https://www.googleapis.com/auth/cloud-platform"
}
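Review bot: the new "auth_scopes" value is a single string whose comma-separated format is described only in the commit message, so anyone editing this context file has no hint of how to add a second scope. A JSON array of strings would be self-describing and would let the client drop its string splitting. Separately, the default here is the broad cloud-platform scope; please note in the SDK docs that the effective access of the service account is expected to be limited by its IAM roles, so users do not read the scope as the permission boundary.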
4 changes: 3 additions & 1 deletion sdk/python/kfp/registry/registry_client.py
Expand Up @@ -189,7 +189,9 @@ def _load_auth(
return auth
elif self._is_ar_host():
auth, _ = google.auth.default()
return auth
auth_scopes = self._config.get('auth_scopes')
auth_scopes = auth_scopes.split(',') if auth_scopes else None
return credentials.with_scopes_if_required(auth, auth_scopes)
elif auth_file:
if os.path.exists(auth_file):
# Fetch auth token using the locally stored credentials.
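Review bot: on the auth_scopes.split(',') line the entries are not stripped or filtered, so a config value written with a space after the comma produces a scope with a leading space, and a trailing comma produces an empty scope, both of which would be passed on to the credentials. Suggest something like [s.strip() for s in auth_scopes.split(',') if s.strip()]. This hunk also adds no import, so credentials in credentials.with_scopes_if_required must already be bound to google.auth.credentials elsewhere in the file; worth confirming. As a simplification, google.auth.default() accepts a scopes argument directly, which would avoid the second call.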
15 changes: 6 additions & 9 deletions sdk/python/kfp/registry/registry_client_test.py
Expand Up @@ -55,14 +55,10 @@ def test_load_config(self):
host = _DEFAULT_HOST
client = RegistryClient(host=host, auth=ApiAuth(''))
expected_config = {
'host':
host,
'upload_url':
host,
'download_version_url':
f'{host}/{{package_name}}/{{version}}',
'download_tag_url':
f'{host}/{{package_name}}/{{tag}}',
'host': host,
'upload_url': host,
'download_version_url': f'{host}/{{package_name}}/{{version}}',
'download_tag_url': f'{host}/{{package_name}}/{{tag}}',
'get_package_url':
('https://artifactregistry.googleapis.com/v1/projects/'
'proj/locations/us-central1/repositories'
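Review bot: the rewrapping of the 'host', 'upload_url', 'download_version_url' and 'download_tag_url' entries is a formatting-only change unrelated to the scopes fix. If the formatter forces it, fine; otherwise it is better kept out of a bug-fix commit so the behavioural change is easier to pick out in history.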
Expand Down Expand Up @@ -114,7 +110,8 @@ def test_load_config(self):
'/repo/packages/{package_name}/tags/{tag}'),
'version_format':
('projects/proj/locations/us-central1/repositories'
'/repo/packages/{package_name}/versions/{version}')
'/repo/packages/{package_name}/versions/{version}'),
'auth_scopes': 'https://www.googleapis.com/auth/cloud-platform'
}
self.assertEqual(self._mock_open.call_args_list[0][0],
(_KFP_CONFIG_FILE, 'r'))
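Review bot: the only test change for the fix is the extra 'auth_scopes' key in expected_config, which checks that the config file is loaded but not that _load_auth applies it. Please add a test that patches google.auth.default and asserts the returned credentials are passed through with_scopes_if_required with the expected list, including a case with more than one comma-separated scope and a case where 'auth_scopes' is absent from the config.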