Add Impersonate Service Account argument #2015
wintermi wants to merge 50 commits into dataform-co:main from
…st' commands and the required changes to allow for the impersonation of service accounts without the need to change ADC
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
+1, this would enable using impersonation in CI rather than giving the rights directly to the CI service account. |
|
/gcbrun |
cli/api/dbadapters/bigquery.ts
Outdated
| clientConfig.authClient = new Impersonated({ | ||
| sourceClient: authClient, | ||
| targetPrincipal: this.bigQueryCredentials.impersonateServiceAccount, | ||
| targetScopes: ['https://www.googleapis.com/auth/cloud-platform'] |
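Review bot: `targetScopes` in the `Impersonated` options is hard-coded to `https://www.googleapis.com/auth/cloud-platform`, so every impersonated token carries the broadest scope whatever the command needs. Derive the scopes from the same configuration the source client uses, or default to a narrower set, and pass an explicit `lifetime` so the short-lived token does not outlive the job. `targetPrincipal` also takes `this.bigQueryCredentials.impersonateServiceAccount` as-is; checking that it is a non-empty service account email before constructing the client would give a clearer error than a failed token request.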
Not sure what you would like done here?
I mean using EXTRA_GOOGLE_SCOPES here instead of hard-coding
|
@wintermi, in the current version tests are failing due to linter checks: output. You can check errors using this lint script. |
Resolved conflicts:
- cli/index.ts: Kept both impersonate-service-account option (fork feature) and job-labels option (upstream feature)
- package.json: Updated glob to ^10.5.0, kept google-auth-library dependency
- yarn.lock: Regenerated with updated dependencies
|
Resynced the PR with the latest commit |
Fixed the linter issues |
|
@kolina ready for retesting, thanks |
|
/gcbrun |
cli/api/dbadapters/bigquery.ts
Outdated
| clientConfig.authClient = new Impersonated({ | ||
| sourceClient: authClient, | ||
| targetPrincipal: this.bigQueryCredentials.impersonateServiceAccount, | ||
| targetScopes: ['https://www.googleapis.com/auth/cloud-platform'] |
I mean using EXTRA_GOOGLE_SCOPES here instead of hard-coding
| } | ||
|
|
||
| private getClient(projectId?: string) { | ||
| private async getClient(projectId?: string) { |
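Review bot: Making `getClient` async in `private async getClient(projectId?: string)` changes what every caller receives from a client to a Promise, and none of the call sites are visible in this hunk. Check that each caller awaits the result, and add an explicit return type to the signature so the change in contract is visible in review. If the impersonated client is constructed on every call, consider caching it per project so that each query does not trigger a new token exchange.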
In #2001 @ashish10alex added support for impersonating a service account through ADC. Will it be enough for your use case, or do you need an explicit option as well?
If the latter, can you please validate manually that it works?
* add custom_attributes struct to metadata & incremental table tests * fix incremental table tests & add view & table test * change custom_attributes to extra_properties
* Proto changes for unit tests definition * Added property that allows disabling unit tests
…empty (dataform-co#2082) * Added logic to fail test compilation if test SQL or expected SQL are empty * Addressed PR comments * Fix pr comments
Bumps [vm2](https://github.com/patriksimek/vm2) from 3.9.19 to 3.10.2. - [Release notes](https://github.com/patriksimek/vm2/releases) - [Commits](patriksimek/vm2@3.9.19...v3.10.2) --- updated-dependencies: - dependency-name: vm2 dependency-version: 3.10.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [diff](https://github.com/kpdecker/jsdiff) from 4.0.2 to 8.0.3. - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v4.0.2...v8.0.3) --- updated-dependencies: - dependency-name: diff dependency-version: 8.0.3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
JS API for JiT compilation actions definition (mutually exclusive with AoT properties) and JiT context/result typings.
Implementation of context objects accessible at JiT compilation stage for supported action types. They expose access to adapter/data and context methods, equivalent to AoT context, but with a more restrictive selection of resolvable targets.
Add file_paths field to pass accessible file paths at JiT compilation stage.
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [diff](https://github.com/kpdecker/jsdiff) from 3.5.0 to 8.0.3. - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v3.5.0...v8.0.3) --- updated-dependencies: - dependency-name: diff dependency-version: 8.0.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* JiT Contexts - Add original request & simplify constructor Simplify constructor by explicitly passing and exposing the original compilation request (which already contains most of required data). * JiT compilation stage implementation Implement JiT compilation stage in Core: - a new entry point jitCompiler(rpcCallback), which instantiates a single compile method, performing a compilation against a supplied RPC implementation. - table/operations/incremental table context(s) construction and invocation of the JiT code.
* Support both 'yaml' and 'yml' file extensions We can support both formats in Dataform. Native configurations are stored in YAML format, but other configurations eg. from extensions might use YML too. * Support both 'yaml' and 'yml' file extensions We can support both formats in Dataform. Native configurations are stored in YAML format, but other configurations eg. from extensions might use YML too. * Support both 'yaml' and 'yml' file extensions We can support both formats in Dataform. Native configurations are stored in YAML format, but other configurations eg. from extensions might use YML too. * Reorganize imports in compilers_test.ts
dataform-co#2095) Some extensions might use different configuration files, this will allow them to proceed when workflow_settings.yaml is missing.
Bumps [webpack](https://github.com/webpack/webpack) from 5.94.0 to 5.104.1. - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.94.0...v5.104.1) --- updated-dependencies: - dependency-name: webpack dependency-version: 5.104.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [rollup](https://github.com/rollup/rollup) from 2.79.2 to 2.80.0. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/v2.80.0/CHANGELOG.md) - [Commits](rollup/rollup@v2.79.2...v2.80.0) --- updated-dependencies: - dependency-name: rollup dependency-version: 2.80.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [underscore](https://github.com/jashkenas/underscore) from 1.13.1 to 1.13.8. - [Commits](jashkenas/underscore@1.13.1...1.13.8) --- updated-dependencies: - dependency-name: underscore dependency-version: 1.13.8 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…taform Core and identify bottlenecks (dataform-co#2100) * feat: add --verbose argument to expose steps in stateless installation * chore: make verbose and quiet flags mutually exclusive * feat: use performance timing in node to avoid system clock issues * chore: do not export print * refactor: remove redundant double check * chore: print should pipe to stderr
* feat: Add BigQuery reservation configuration for projects and individual actions. * lint Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com> * refactor: rename `bigqueryReservation` to `reservation` across configurations, protos, and related code Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com> * docs: clarify BigQuery reservation fallback behavior in protos and CLI Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com> * refactor: update default reservation test constant and expand project config assertions Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com> * fix test reservation name Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com> * added documentation for BigQuery reservation configuration Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com> * fix project name Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com> * fix reservation location Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com> * Add reservation to a profile schema Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com> * revert reservation attribute Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com> * Note support status --------- Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com>
…o#2106) * refactor: split index_test.ts into specialized test files * refactor: decompose monolithic cli/index_test.ts into modular components - Extract shared test utilities into cli/index_test_base.ts - Create dedicated test files for help, init, project, compile, and run commands - Update cli/BUILD to reflect the new modular test structure
Instead of exposing a proto struct, returning (mostly) the same object that got passed in the original key at definition.
- Enhance error coercion in common/errors/errors.ts - Sync protos/execution.proto and protos/jit.proto with new fields
…st' commands and the required changes to allow for the impersonation of service accounts without the need to change ADC
Resolve conflicts in bigquery adapter imports and getClient method (kept double-quote style and correct indentation), and remove duplicate impersonateServiceAccountOption definition in CLI. Made-with: Cursor
This PR adds an `--impersonate-service-account` argument to the `run` and `test` commands, along with the required changes to allow for the impersonation of service accounts without the need to change ADC or call `gcloud`.
This would resolve issue #2000 and would be an alternative solution to PR #2001.
Impersonation could then be achieved by executing: