KFP SDK should support gcloud credential #1104
Comments
/cc @kevinbache |
For GCP IAP see here for how to obtain a JWT and attach it to the request. You can't use the gcloud credential e.g. This is by design because gcloud has a credential with cloud platform scope whereas with IAP a user is accessing web services separate from Google cloud. |
Update - |
Can you elaborate? Does the client need to add |
We're already setting the header here: https://github.com/kubeflow/pipelines/blob/master/sdk/python/kfp/_client.py#L64 The Do we need to add something extra? |
The current implementation only supports auth from service account. In order to support auth from desktop, we will need to implement a flow which is similar to cloud sdk:
It seems not trivial to implement. Not sure if there is an easier way to support the whole flow. |
Isn't this what |
Is there any plan to add gcloud credential support for IAP endpoint? We are building a managed kubeflow cluster for multiple teams to use. It'll be super helpful if gcloud credential is supported for the IAP endpoint. Otherwise, teams will have to download a service account key to connect kfp.Client, or we will need to grant them kubernetes engine developer role. If there's anything I can help please let me know. I'm happy to contribute! Thanks! |
/reopen Reopen the bug to support IAP auth token from desktop. The original fix can only support if user is in k8s developer role, which doesn't work for "managed kubeflow" use case. @daikeshi, the details on how to get auth token is in https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_desktop_app. Please refer to my previous comment on a rough idea on how to get it supported in SDK. It seems non-trivial. |
@hongye-sun: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@hongye-sun thanks! It does seem complicated. I'll give a try and see how much I can help with :-) |
What does gcloud credential mean? Do you mean using gcloud auth print access-token? The access token generated by gcloud won't work with IAP enabled endpoints; this is by design. You can use IAP with end user credentials and don't need to use a service account. I think the way this works is the SDK should generate a JWT to attach to requests. To generate the JWT you direct the user through the OAuth web flow. |
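The distinction drawn in the comments above (a gcloud access token versus a JWT that IAP accepts), as an added example that is not code from the KFP SDK or from any commenter. It is a client-side pre-flight check that tells an opaque access token apart from a JWT-shaped token and checks the `aud` and `exp` claims; the function names, the verdict strings, the placeholder client ID and the assumption that `aud` must equal the IAP OAuth client ID are assumptions of this example, and the sample tokens are constructed.

```python
import base64
import json
import time
from typing import Optional

# Placeholder value (assumption): the OAuth client ID of the IAP-protected endpoint.
IAP_CLIENT_ID = "constructed-iap-client.apps.googleusercontent.com"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_jwt(claims: dict) -> str:
    """Build a JWT-shaped sample token; the signature part is a dummy string."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.constructed-signature"


def classify_bearer(token: str, iap_client_id: str, now: Optional[float] = None) -> str:
    """Client-side pre-flight check. It does NOT verify the signature."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return "not-a-jwt"  # e.g. an opaque OAuth access token
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "not-a-jwt"
    if not isinstance(claims, dict):
        return "not-a-jwt"
    aud = claims.get("aud")
    if iap_client_id not in (aud if isinstance(aud, list) else [aud]):
        return "wrong-audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return "expired"
    return "ok"


def iap_auth_header(token: str, iap_client_id: str) -> dict:
    """Return the Authorization header, refusing tokens that fail the check."""
    verdict = classify_bearer(token, iap_client_id)
    if verdict != "ok":
        raise ValueError(f"token unusable for IAP: {verdict}")
    return {"Authorization": f"Bearer {token}"}
```

A verdict of `ok` only means the token has the right shape, audience and lifetime; signature validation still happens on the server side.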
It is supported in #2626. |
Allow users to specify the image for `step-move-all-results-to-tekton-home` step. Add an env variable for the custom image: `MOVERESULTS_IMAGE` in the api server. Signed-off-by: Yihong Wang <yh.wang@ibm.com> Signed-off-by: Yihong Wang <yh.wang@ibm.com>
This is required when user wants to talk to a remote KFP endpoint which is protected by IAP from a local environment.
The current support we have is to look for GCE service account credentials in the machine and send them to pass the IAP auth. We also need to support to use user's gcloud credential to support local command line experience.