Added details for creating tokens with a service account inside of GC… #22
ravimbhatt wants to merge 1 commit into googleapis:main
🤖 I detect that the PR title and the commit message differ and there's only one commit. To use the PR title for the commit history, you can use Github's automerge feature with squashing, or use -- conventional-commit-lint bot
|
|
||
| The second alternative offers a solution for non-Java Kafka clients, but requires you to set up a local authentication server. This server's role is to securely exchange your application's default credentials with the Kafka client, enabling authentication and authorization for accessing the Kafka cluster. | ||
|
|
||
| The third alternative offers a solution for non-Java kafka clients where your client is running inside of a GCP environment with a service account that has `Managed Kafka Client` role attached to it. It is appicable in situations where you cannot create a service account key which leaves you with using `OAUTHBEARER` as the only option. This option utilizes [AbstractTokenProvider](https://github.com/dpkp/kafka-python/blob/master/kafka/oauth/abstract.py). |
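Review bot: The added paragraph has a typo, "appicable" should be "applicable", and it writes "kafka clients" in lowercase where the preceding paragraph uses "Kafka clients". The AbstractTokenProvider link also targets `blob/master`, so it follows whatever that file becomes later; linking to a tagged release or a specific commit of kafka-python would keep the reference stable.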
This solution is just for Python. I'd change "a solution for non-Java kafka clients" with "a solution for python kafka clients".
|
|
||
| The second alternative offers a solution for non-Java Kafka clients, but requires you to set up a local authentication server. This server's role is to securely exchange your application's default credentials with the Kafka client, enabling authentication and authorization for accessing the Kafka cluster. | ||
|
|
||
| The third alternative offers a solution for non-Java kafka clients where your client is running inside of a GCP environment with a service account that has `Managed Kafka Client` role attached to it. It is appicable in situations where you cannot create a service account key which leaves you with using `OAUTHBEARER` as the only option. This option utilizes [AbstractTokenProvider](https://github.com/dpkp/kafka-python/blob/master/kafka/oauth/abstract.py). |
This "GCP environment with a service account that has Managed Kafka Client role attached to it" is not necessarily true. One can run gcloud aut and then gcloud config set auth/impersonate_service_account SERVICE_ACCT_EMAIL and have the local code authenticate with GMK from a non-GCP environment.
|
|
||
| class MyTokenProvider(AbstractTokenProvider): | ||
|
|
||
| #include kafka_gcp_credentials_server.py content without the local server parts and build_message() method. |
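Review bot: The body of `MyTokenProvider` is only the comment `#include kafka_gcp_credentials_server.py content without the local server parts and build_message() method.`, so the README snippet cannot run as written and the reader has to guess which parts of that file to copy. Spell out the `token()` method that `AbstractTokenProvider` subclasses must implement, or import the token logic from a module, so the example is complete on its own.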
I do not like this, I'd prefer if you break kafka_gcp_credentials_server.py in two modules so the logic to get_kafka_access_token is encapsulated in a module that one can include here.
…P environments.
Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:
🛠️ Fixes #<issue_number_goes_here>