Allow kfp Client to work with service account impersonation

[martinbomio]

What steps did you take:

Creating a Client from local environment when impersonating a GCP service account. Calling it with:

client = Client(host="some-host", client_id="iap-client-id", namespace="namespace")

What happened:

Following exception is thrown:

  File "/usr/local/lib/python3.6/dist-packages/kfp/_client.py", line 104, in __init__
    config = self._load_config(host, client_id, namespace, other_client_id, other_client_secret)
  File "/usr/local/lib/python3.6/dist-packages/kfp/_client.py", line 123, in _load_config
    token = get_auth_token(client_id, other_client_id, other_client_secret)
  File "/usr/local/lib/python3.6/dist-packages/kfp/_auth.py", line 54, in get_auth_token
    token = get_auth_token_from_sa(client_id)
  File "/usr/local/lib/python3.6/dist-packages/kfp/_auth.py", line 84, in get_auth_token_from_sa
    return get_google_open_id_connect_token(service_account_credentials)
  File "/usr/local/lib/python3.6/dist-packages/kfp/_auth.py", line 158, in get_google_open_id_connect_token
    request, OAUTH_TOKEN_URI, body)
  File "/usr/local/lib/python3.6/dist-packages/google/oauth2/_client.py", line 124, in _token_endpoint_request
    _handle_error_response(response_body)
  File "/usr/local/lib/python3.6/dist-packages/google/oauth2/_client.py", line 60, in _handle_error_response
    raise exceptions.RefreshError(error_details, response_body)
google.auth.exceptions.RefreshError: ('invalid_grant: Invalid JWT Signature.', '{"error":"invalid_grant","error_description":"Invalid JWT Signature."}')

What did you expect to happen:

The client should initialize correctly when impersonating service accounts

Environment:

How did you deploy Kubeflow Pipelines (KFP)?

KFP version:
kfp-server-api==0.1.40

KFP SDK version:
kfp==0.1.40

Anything else you would like to add:

Seems like the get_service_account_credentials function here does not handle the case where the credentials are google.auth.impersonated_credentials.Credentials

/kind bug

[martinbomio]

If this is something that would be desirable, I can try to contribute it.

[Bobgy]

Thanks @martinbomio! That sounds useful.
You might be interested to take a look at #4683 first, maybe you can add the new authentication method as a more decoupled interface.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it.

[mattnworb]

/reopen

I believe this is still an issue

[google-oss-robot]

@mattnworb: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

I believe this is still an issue

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.