Fix Google connector ADC implementation within GKE environments #2680
Overview
Adapt the Google connector for using application default credentials in GKE.
What this PR does / why we need it
Closes #2676
Upon further testing in a GKE cluster, this line seems to return an empty JSON credential and therefore makes ADC login fail. The default behavior for the google.FindDefaultCredentials function is the following:
The credential.JSON is empty in GKE environments, thus the error. In order to fetch the credentials (token) from the metadata server, the only method I found which worked (did not return a PERMISSION_DENIED) is to use the flow defined in the impersonate package:
TBH, I'm not sure if this is the canonical way of doing it and I've raised a question here: googleapis/google-api-go-client#1698.
Special notes for your reviewer
Does this PR introduce a user-facing change?
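Added example, not code from this PR or the project: the empty-credential.JSON case described above, reduced to the standard library. It shows the decision (key-file JSON present versus empty, as on GKE) and the token request to the metadata server; it is not the impersonate-package flow the PR uses. `resolveToken` and `stubMetadata` are hypothetical names, and the stub server and its token are constructed so the block runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Token path for the default service account on the GCE/GKE metadata server.
const tokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"

// stubMetadata is a constructed stand-in for the metadata server (offline demo).
func stubMetadata() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != tokenPath || r.Header.Get("Metadata-Flavor") != "Google" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"access_token":"constructed-token","expires_in":3599,"token_type":"Bearer"}`)
	}))
}

// resolveToken (hypothetical): non-empty credJSON is a key file the caller exchanges itself;
// empty credJSON (the GKE case) means the token has to come from the metadata server.
func resolveToken(credJSON []byte, metadataURL string) (source, token string, err error) {
	if len(credJSON) > 0 {
		return "json-key", "", nil
	}
	req, err := http.NewRequest(http.MethodGet, metadataURL+tokenPath, nil)
	if err != nil {
		return "metadata", "", err
	}
	req.Header.Set("Metadata-Flavor", "Google") // the server rejects requests without it
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "metadata", "", err
	}
	defer resp.Body.Close()
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&tok); resp.StatusCode != http.StatusOK || err != nil || tok.AccessToken == "" {
		return "metadata", "", fmt.Errorf("metadata server: %s, no access_token (%v)", resp.Status, err)
	}
	return "metadata", tok.AccessToken, nil
}

func main() {
	srv := stubMetadata()
	defer srv.Close()
	fmt.Println(resolveToken(nil, srv.URL))
}
```

In a real pod, `metadataURL` would be the metadata server's address rather than the stub's, and the returned token is short-lived, so callers should refresh it instead of caching it indefinitely.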