I am using the google-cloud-tasks library to create tasks via a small Python program. That program will be running inside a Dataflow worker node. The default behaviour of the library is that it searches for credentials locally. But, if not found, it will call the GCP metadata server to obtain the credentials ephemerally. Now, I have written code where I am extracting the credential file from a secret manager and storing it inside the worker machine. This was done to ensure that the same functionality is implemented but without the dependency on the metadata server. The function looks like this:

    import json
    import os

    from google.cloud import tasks_v2

    # access_secret_manager_data() and service_cred_url are defined elsewhere in the program.
    if not os.environ.get("service_file", default=None):
        print("service file not found.")
        print("Creating one.")
        with open("/tmp/service_file.json", "w") as fp:
            json.dump(
                json.loads(
                    access_secret_manager_data(
                        service_cred_url
                    )
                ),
                fp
            )
        os.environ["service_file"] = "/tmp/service_file.json"
        # The code below sets the actual env variable in use.
        os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "/tmp/service_file.json"
        print(f"service file set. The location is: {os.environ['GOOGLE_APPLICATION_CREDENTIALS']}")
    else:
        # .get() avoids a KeyError when only service_file was set beforehand.
        print(f"service file present. The location is: {os.environ.get('GOOGLE_APPLICATION_CREDENTIALS')}")

    # Below is the code where the client searches for the env variable we set above.
    task_client = tasks_v2.CloudTasksClient()
    task_client.create_task(...)

My query: is there a way to check via test libraries whether the cloud task library is using the env variable I have set above? I am new to testing and hence need some guidance.

Any information will be helpful.

Aishwary Shukla
  • The code `tasks_v2.CloudTasksClient()` uses ADC (Application Default Credentials) to search for credentials. Instead, specify the service account JSON file (and do not use the environment variable) so that you know what is being selected. Suggestion 1: do not use service account JSON files. That is why the metadata server exists. Suggestion 2: study the source code for `CloudTasksClient()` to better understand how credentials can be specified and how they are found. – John Hanley Apr 17 '23 at 18:04

1 Answer

Posting this as a community wiki to help other members that can encounter this issue.

As stated by @John Hanley:

> The code `tasks_v2.CloudTasksClient()` uses ADC (Application Default Credentials) to search for credentials. Instead, specify the service account JSON file (and do not use the environment variable) so that you know what is being selected.
>
> Suggestion 1: do not use service account JSON files. That is why the metadata server exists. Suggestion 2: study the source code for `CloudTasksClient()` to better understand how credentials can be specified and how they are found.

You may visit this documentation for more information.

Marc Anthony B
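An added example (not code from the question, the answer, or the library): the answer's suggestion of passing the key explicitly, arranged so a test can confirm which credentials the client receives, and without writing the key to `/tmp`. `parse_service_account`, `make_tasks_client`, `StubTasksClient`, the field check and the sample payload are hypothetical and constructed here; `from_service_account_info` is the client's real alternate constructor.

```python
import json

REQUIRED_FIELDS = ("type", "client_email", "private_key", "token_uri")


def parse_service_account(secret_payload: str) -> dict:
    """Parse the Secret Manager payload; reject anything that is not a service account key."""
    info = json.loads(secret_payload)
    if not isinstance(info, dict):
        raise ValueError("payload is not a JSON object")
    missing = [f for f in REQUIRED_FIELDS if not info.get(f)]
    if missing:
        raise ValueError(f"service account key is missing fields: {missing}")
    if info["type"] != "service_account":
        raise ValueError(f"unexpected credential type: {info['type']!r}")
    return info


def make_tasks_client(secret_payload: str, client_cls=None):
    """Build the client from explicit key material, so ADC and the env variable are not used."""
    if client_cls is None:
        # Imported lazily so a test can inject a stub without the library installed.
        from google.cloud import tasks_v2
        client_cls = tasks_v2.CloudTasksClient
    return client_cls.from_service_account_info(parse_service_account(secret_payload))


class StubTasksClient:
    """Hypothetical test double that records the key material it was built from."""

    def __init__(self, info):
        self.info = info

    @classmethod
    def from_service_account_info(cls, info):
        return cls(info)


# Constructed sample payload; the private key is a placeholder, not real key material.
SAMPLE_PAYLOAD = json.dumps({
    "type": "service_account",
    "client_email": "tasks-writer@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    client = make_tasks_client(SAMPLE_PAYLOAD, client_cls=StubTasksClient)
    print("client built for:", client.info["client_email"])
```

In a unit test, pass `client_cls=StubTasksClient` and assert on `client.info`; in production, omit `client_cls` so the real `CloudTasksClient` is used.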