New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GCS Workflow Identity Federation Support for GHAs #752

Open

lindseynield opened this issue Feb 19, 2025 · 0 comments

Contributor

lindseynield commented Feb 19, 2025 •

edited

Loading

This may not be an explicit icechunk issue, but adding it here for general tracking purposes.

The google-github-actions/auth@v2 GitHub Action (https://github.com/google-github-actions/auth) returns credentials via a workload identity provider and are a external_account type: https://googleapis.dev/python/google-auth/latest/reference/google.auth.external_account.html

It seems like Icechunk (or more specifically object_store?) does not have support for this type of credential:

icechunk.IcechunkError: storage error: unknown storage error: Generic GCS error: Unable to decode service account file: unknown variant `external_account`, expected `service_account` or `authorized_user` at line 1 column 26
/opt/hostedtoolcache/Python/3.11.11/x64/lib/python3.11/site-packages/icechunk/storage.py:147: IcechunkError

There seem to be some already open issues related to supporting GCP WIF:
apache/arrow-rs#3797
pola-rs/polars#14076

It may be the case that this will need to be resolved in arrow-rs before we can use this type of GCS credential w/ Icechunk in GHAs.

The text was updated successfully, but these errors were encountered:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment