[auth|batch|aiogoogle] Favor latent credentials over specifying /gsa-key/key.json in application code (#13596)

This is mostly cleanup reducing the amount of the codebase that depends
on GSA key files (which are not available in terra or a future keyless
hail-vdc). The core bit is instead of threading
`credentials_file="/gsa-key/key.json` through the batch and auth
codebase we set `GOOGLE_APPLICATION_CREDENTIALS` in their deployments. I
can't think of a scenario where `auth` or `batch` would need to use
multiple identities so better to remove their ability to do so and
always use the default credentials.

I also did a bit of tidying up, using `$GOOGLE_APPLICATION_CREDENTIALS`
instead of the hard-coded path and removing the credentials endpoints on
the batch-driver which have been unused by workers for many months now.

Author: daniel-goldstein

auth/deployment.yaml

@@ -45,6 +45,8 @@ spec:
             value: "{{ default_ns.name }}"
           - name: HAIL_DEPLOY_CONFIG_FILE
             value: /deploy-config/deploy-config.json
+          - name: GOOGLE_APPLICATION_CREDENTIALS
+            value: /gsa-key/key.json
           - name: HAIL_DOMAIN
             valueFrom:
               secretKeyRef:

batch/batch/cloud/azure/driver/driver.py

@@ -28,7 +28,6 @@ async def create(
         machine_name_prefix: str,
         namespace: str,
         inst_coll_configs: InstanceCollectionConfigs,
-        credentials_file: str,
         task_manager: aiotools.BackgroundTaskManager,  # BORROWED
     ) -> 'AzureDriver':
         azure_config = get_azure_config()
@@ -56,12 +55,10 @@ async def create(
         with open(os.environ['HAIL_SSH_PUBLIC_KEY'], encoding='utf-8') as f:
             ssh_public_key = f.read()
 
-        arm_client = aioazure.AzureResourceManagerClient(
-            subscription_id, resource_group, credentials_file=credentials_file
-        )
-        compute_client = aioazure.AzureComputeClient(subscription_id, resource_group, credentials_file=credentials_file)
-        resources_client = aioazure.AzureResourcesClient(subscription_id, credentials_file=credentials_file)
-        network_client = aioazure.AzureNetworkClient(subscription_id, resource_group, credentials_file=credentials_file)
+        arm_client = aioazure.AzureResourceManagerClient(subscription_id, resource_group)
+        compute_client = aioazure.AzureComputeClient(subscription_id, resource_group)
+        resources_client = aioazure.AzureResourcesClient(subscription_id)
+        network_client = aioazure.AzureNetworkClient(subscription_id, resource_group)
         pricing_client = aioazure.AzurePricingClient()
 
         region_monitor = await RegionMonitor.create(region)

batch/batch/cloud/driver.py

@@ -14,17 +14,12 @@ async def get_cloud_driver(
     machine_name_prefix: str,
     namespace: str,
     inst_coll_configs: InstanceCollectionConfigs,
-    credentials_file: str,
     task_manager: aiotools.BackgroundTaskManager,
 ) -> CloudDriver:
     cloud = get_global_config()['cloud']
 
     if cloud == 'azure':
-        return await AzureDriver.create(
-            app, db, machine_name_prefix, namespace, inst_coll_configs, credentials_file, task_manager
-        )
+        return await AzureDriver.create(app, db, machine_name_prefix, namespace, inst_coll_configs, task_manager)
 
     assert cloud == 'gcp', cloud
-    return await GCPDriver.create(
-        app, db, machine_name_prefix, namespace, inst_coll_configs, credentials_file, task_manager
-    )
+    return await GCPDriver.create(app, db, machine_name_prefix, namespace, inst_coll_configs, task_manager)

batch/batch/cloud/gcp/driver/billing_manager.py

@@ -12,8 +12,8 @@
 
 class GCPBillingManager(CloudBillingManager):
     @staticmethod
-    async def create(db: Database, credentials_file: str, regions: List[str]):
-        billing_client = aiogoogle.GoogleBillingClient(credentials_file=credentials_file)
+    async def create(db: Database, regions: List[str]):
+        billing_client = aiogoogle.GoogleBillingClient()
         product_versions_dict = await refresh_product_versions_from_db(db)
         bm = GCPBillingManager(db, product_versions_dict, billing_client, regions)
         await bm.refresh_resources()

batch/batch/cloud/gcp/driver/driver.py

@@ -25,7 +25,6 @@ async def create(
         machine_name_prefix: str,
         namespace: str,
         inst_coll_configs: InstanceCollectionConfigs,
-        credentials_file: str,
         task_manager: aiotools.BackgroundTaskManager,  # BORROWED
     ) -> 'GCPDriver':
         gcp_config = get_gcp_config()
@@ -50,10 +49,9 @@ async def create(
         assert max(db_regions.values()) < 64, str(db_regions)
         app['regions'] = db_regions
 
-        compute_client = aiogoogle.GoogleComputeClient(project, credentials_file=credentials_file)
+        compute_client = aiogoogle.GoogleComputeClient(project)
 
         activity_logs_client = aiogoogle.GoogleLoggingClient(
-            credentials_file=credentials_file,
             # The project-wide logging quota is 60 request/m.  The event
             # loop sleeps 15s per iteration, so the max rate is 4
             # iterations/m.  Note, the event loop could make multiple
@@ -65,7 +63,7 @@ async def create(
         )
 
         zone_monitor = await ZoneMonitor.create(compute_client, regions, zone)
-        billing_manager = await GCPBillingManager.create(db, credentials_file, regions)
+        billing_manager = await GCPBillingManager.create(db, regions)
         inst_coll_manager = InstanceCollectionManager(db, machine_name_prefix, zone_monitor, region, regions)
         resource_manager = GCPResourceManager(project, compute_client, billing_manager)
 

batch/batch/driver/main.py

@@ -242,22 +242,6 @@ async def delete_batch(request):
     return web.Response()
 
 
-# deprecated
-async def get_gsa_key_1(instance):
-    log.info(f'returning gsa-key to activating instance {instance}')
-    with open('/gsa-key/key.json', 'r', encoding='utf-8') as f:
-        key = json.loads(f.read())
-    return json_response({'key': key})
-
-
-async def get_credentials_1(instance):
-    log.info(f'returning {instance.inst_coll.cloud} credentials to activating instance {instance}')
-    credentials_file = '/gsa-key/key.json'
-    with open(credentials_file, 'r', encoding='utf-8') as f:
-        key = json.loads(f.read())
-    return json_response({'key': key})
-
-
 async def activate_instance_1(request, instance):
     body = await json_request(request)
     ip_address = body['ip_address']
@@ -270,20 +254,6 @@ async def activate_instance_1(request, instance):
     return json_response({'token': token})
 
 
-# deprecated
-@routes.get('/api/v1alpha/instances/gsa_key')
-@activating_instances_only
-async def get_gsa_key(_, instance: Instance) -> web.Response:
-    return await asyncio.shield(get_gsa_key_1(instance))
-
-
-# deprecated
-@routes.get('/api/v1alpha/instances/credentials')
-@activating_instances_only
-async def get_credentials(_, instance: Instance) -> web.Response:
-    return await asyncio.shield(get_credentials_1(instance))
-
-
 @routes.post('/api/v1alpha/instances/activate')
 @activating_instances_only
 @add_metadata_to_request
@@ -1618,9 +1588,8 @@ async def on_startup(app):
 
     inst_coll_configs = await InstanceCollectionConfigs.create(db)
 
-    credentials_file = '/gsa-key/key.json'
     app['driver'] = await get_cloud_driver(
-        app, db, MACHINE_NAME_PREFIX, DEFAULT_NAMESPACE, inst_coll_configs, credentials_file, task_manager
+        app, db, MACHINE_NAME_PREFIX, DEFAULT_NAMESPACE, inst_coll_configs, task_manager
     )
 
     app['canceller'] = await Canceller.create(app)

batch/deployment.yaml

@@ -175,6 +175,8 @@ spec:
         env:
          - name: PORT
            value: "5000"
+         - name: GOOGLE_APPLICATION_CREDENTIALS
+           value: /gsa-key/key.json
          - name: HAIL_DOMAIN
            valueFrom:
              secretKeyRef:
@@ -403,6 +405,8 @@ spec:
              secretKeyRef:
                name: global-config
                key: internal_ip
+         - name: GOOGLE_APPLICATION_CREDENTIALS
+           value: /gsa-key/key.json
          - name: HAIL_SHA
            value: "{{ code.sha }}"
 {% if scope != "test" %}

build.yaml

@@ -536,6 +536,8 @@ steps:
       set -ex
       export HAIL_DEFAULT_NAMESPACE={{ default_ns.name }}
       export HAIL_SCOPE={{ scope }}
+      export GOOGLE_APPLICATION_CREDENTIALS=/auth-gsa-key/key.json
+
       python3 /io/bootstrap_create_accounts.py
     serviceAccount:
       name: admin

ci/bootstrap_create_accounts.py

@@ -96,7 +96,7 @@ async def main():
     try:
         app['k8s_client'] = k8s_client
 
-        app['identity_client'] = get_identity_client(credentials_file='/auth-gsa-key/key.json')
+        app['identity_client'] = get_identity_client()
 
         for username, login_id, is_developer, is_service_account in users:
             user_id = await insert_user_if_not_exists(app, username, login_id, is_developer, is_service_account)

datasets/extract/extract_CADD.py

@@ -24,7 +24,7 @@
 
     j = batch.new_job(name=f"{name}_{version}_{build}")
     j.image("gcr.io/broad-ctsa/datasets:050521")
-    j.command("gcloud -q auth activate-service-account --key-file=/gsa-key/key.json")
+    j.command("gcloud -q auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS")
     j.command(f"wget -c -O - {snvs_url} {indels_url} | "
               "zcat | "
               "grep -v '^#' | "