[sdk] Invalid OAuth Scope error when uploading pipeline to Artifact Registry using Service Account Credentials #8878
Comments
Thanks for raising this @rodrigocaus. I was fighting this exact same issue earlier and managed to fix it by adding the scopes attribute to default() 🙌. Awesome timing and I keep digging to eventually get federated workload identity working too (feels great not having to share SA keys around)

Hi @rodrigocaus, @tuliodesouza! Thank you for reporting this. If you have a proposal, please submit a PR and request @connor-mccarthy and @chensun to review it.

For anyone here with the exact same issue and use case: you can work around this by getting the credentials directly and feeding them into the client as an auth argument (though if you do this it won't work locally unless you set the env var)
I'm not sure if the scopes are needed though

We faced the same issue when using the stack GitHub Actions + Vertex AI + KFP v2. We were able to solve it by using an OAuth2 token for authentication. In the GitHub workflow we get an access token:

```yaml
- id: 'auth'
  name: 'Authenticate to Google Cloud'
  uses: 'google-github-actions/auth@v1'
  with:
    token_format: access_token
    workload_identity_provider: ....
    service_account: ....
```

We pass it to the step running the python code using by referring to

The actual Python code then is:

```python
from kfp.registry import RegistryClient, ApiAuth

# KFP_REGISTRY_URL and access_token are supplied by the workflow step above.
client = RegistryClient(host=KFP_REGISTRY_URL, auth=ApiAuth(access_token))
template_name, version_name = client.upload_pipeline(
    file_name="pipeline.yaml",
    tags=["latest"],
)
```

In case of using WIF and service accounts to provide GitHub Actions access to GCP, it seems RegistryClient cannot use default Google credentials from the current environment (unlike the Vertex AI SDK). The OAuth2 token needs to be provided explicitly. However, when one is authenticated using a personal GCP account and runs the Python script from localhost, it seems it works without an OAuth2 token.

Thank you so much for this. We are facing the same and your experience has helped us

I'm facing the same problem. I'm receiving the errors
I tried changing kfp version to the latest, but the problem continued. What should I do?

I would also like to bump this issue. In the case of Google Cloud, if KFP could authenticate with Google Artifact Registry using KFP @dsl, it will be the cleanest solution because during auth, it can check for the service account and its permissions. Otherwise, the only other option left is to build your own custom docker container and use it as the base image for KFP

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Closing this issue, there is a workaround documented and it's platform specific. /close

@rimolive: Closing this issue.

…accounts credentials (#10819)

The scopes are defined in registry context file. Additional scopes must be comma separated.

Fixes #8878. Previous PR #8895 was approved, but tests failed and became stale. I fixed the tests, and confirmed it worked for my case. Using a GCP Service Account with RegistryClient no longer needs me to explicitly provide the required scopes.

Signed-off-by: Pedro Chambino <pchambino@gmail.com>

I need to implement an automatic update flow of Artifact Registry's KFP pipelines. To push to a KFP registry, I need to authenticate with Google Cloud API using a Service Account (SA). The kfp SDK (v2 beta 12) does not infer default credentials with correct scope to do so.

Environment

Steps to reproduce

https://us-central1-kfp.pkg.dev/test-project/kfp-repository)
GOOGLE_APPLICATION_CREDENTIALS environment variable as /path/to/sa/credentials.json
RegistryClient:

The given pipeline is not pushed to Artifact Registry, and the program raises the error (some paths were omitted):

Expected result

The expected behavior is to push the pipeline to Artifact Registry, just like when using default user credentials.

Materials and Reference

The default behavior of RegistryClient when registry is hosted by Artifact Registry is to infer the credentials from environment without any scope:

Defining a default scope (using Google Auth library), as some Google SDKs do, should fix this:

With:

Impacted by this bug? Give it a 👍.
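
The workaround from the comments (credentials fed to the client as an `auth` argument) and the scoped-default fix proposed in the issue body can be combined as below. This is an added example, not code from the issue or from the kfp project: the `cloud-platform` scope, the host pattern, and the function names are assumptions, and `adc`/`request` are injection points so the flow can be exercised without network access.

```python
import re

# Assumed scope: the page's own snippet did not survive; a narrower scope may suffice.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Own pattern for Artifact Registry KFP hosts like the one in the issue
# (an assumption, not kfp's internal host matching).
_AR_KFP_HOST = re.compile(r"https://[a-z0-9-]+-kfp\.pkg\.dev/[^/\s]+/[^/\s]+/?")


def is_artifact_registry_host(host: str) -> bool:
    """True only for https://<location>-kfp.pkg.dev/<project>/<repo>."""
    return _AR_KFP_HOST.fullmatch(host) is not None


def scoped_access_token(scopes=(CLOUD_PLATFORM_SCOPE,), adc=None, request=None) -> str:
    """Resolve Application Default Credentials with explicit scopes and
    return a fresh access token.

    adc defaults to google.auth.default and request to
    google.auth.transport.requests.Request(); both can be injected for tests.
    """
    if adc is None:
        import google.auth
        adc = google.auth.default
    if request is None:
        import google.auth.transport.requests
        request = google.auth.transport.requests.Request()
    credentials, _project = adc(scopes=list(scopes))
    credentials.refresh(request)  # the token request carries the scopes above
    if not credentials.token:
        raise RuntimeError("no access token returned for scopes %s" % list(scopes))
    return credentials.token


def upload_pipeline(host: str, file_name: str, tags):
    """Upload with an explicitly scoped token, only to an Artifact Registry host."""
    if not is_artifact_registry_host(host):
        # Keep the bearer token from being sent to an unexpected endpoint.
        raise ValueError("refusing to send a Google bearer token to %r" % host)
    from kfp.registry import ApiAuth, RegistryClient  # names as used in the thread
    client = RegistryClient(host=host, auth=ApiAuth(scoped_access_token()))
    return client.upload_pipeline(file_name=file_name, tags=tags)
```
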