fix: validate email absence when generating id token

flamingo-run · May 2, 2024 · 9971411 · 9971411
1 parent 2a6d49a
commit 9971411
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/gcp_pilot/iam.py b/gcp_pilot/iam.py
@@ -212,9 +212,15 @@ def encode_jwt(self, payload: dict, service_account_email: str | None) -> str:
 
     @friendly_http_error
     def generate_id_token(self, audience: str, service_account_email: str | None = None) -> str:
+        email = service_account_email or self.service_account_email
+        if not email:
+            raise ValueError(
+                "You must either provide service_account_email or set GCP_SERVICE_ACCOUNT for impersonation."
+            )
+
         response = self.client.generate_id_token(
             name=self.client.service_account_path(
-                service_account=service_account_email or self.service_account_email,
+                service_account=email,
                 project="-",
             ),
             audience=audience,