allow multiple elements in impersonation chain (#35694)

apache · Nov 25, 2023 · e2a5dbf · e2a5dbf
1 parent 770f164
commit e2a5dbf
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/airflow/providers/google/common/hooks/base_google.py b/airflow/providers/google/common/hooks/base_google.py
@@ -267,6 +267,8 @@ def get_credentials_and_project_id(self) -> tuple[google.auth.credentials.Creden
 
         if not self.impersonation_chain:
             self.impersonation_chain = self._get_field("impersonation_chain", None)
+            if isinstance(self.impersonation_chain, str) and "," in self.impersonation_chain:
+                self.impersonation_chain = [s.strip() for s in self.impersonation_chain.split(",")]
 
         target_principal, delegates = _get_target_principal_and_delegates(self.impersonation_chain)
 

diff --git a/docs/apache-airflow-providers-google/connections/gcp.rst b/docs/apache-airflow-providers-google/connections/gcp.rst
@@ -131,7 +131,7 @@ Impersonation Chain
     of the last account in the list, which will be impersonated in all requests leveraging this connection.
     If set as a string, the account must grant the originating account
     the Service Account Token Creator IAM role.
-    If set as a sequence, the identities from the list must grant
+    If set as a comma-separated list, the identities from the list must grant
     Service Account Token Creator IAM role to the directly preceding identity, with first
     account from the list granting this role to the originating account.
 

diff --git a/tests/providers/google/common/hooks/test_base_google.py b/tests/providers/google/common/hooks/test_base_google.py
@@ -683,6 +683,20 @@ def test_authorize_assert_http_timeout_is_present(self, mock_get_credentials):
                 ["ACCOUNT_2", "ACCOUNT_3"],
                 id="multiple_elements_list_with_override",
             ),
+            pytest.param(
+                None,
+                "ACCOUNT_1,ACCOUNT_2,ACCOUNT_3",
+                "ACCOUNT_3",
+                ["ACCOUNT_1", "ACCOUNT_2"],
+                id="multiple_elements_list_as_string",
+            ),
+            pytest.param(
+                None,
+                "ACCOUNT_1, ACCOUNT_2, ACCOUNT_3",
+                "ACCOUNT_3",
+                ["ACCOUNT_1", "ACCOUNT_2"],
+                id="multiple_elements_list_as_string_with_space",
+            ),
         ],
     )
     @mock.patch(MODULE_NAME + ".get_credentials_and_project_id")