Use workflow identity federation in composer

Author: ohrite

airflow/dags/deploy_dbt_docs/deploy_dbt_docs_site.yml

@@ -16,24 +16,18 @@ arguments:
 is_delete_operator_pod: true
 get_logs: true
 priority_class_name: dbt-high-priority
+service_account_name: composer-service-account
 
 env_vars:
   AIRFLOW_ENV: "{{ env_var('AIRFLOW_ENV') }}"
   GOOGLE_CLOUD_PROJECT: "{{ env_var('GOOGLE_CLOUD_PROJECT') }}"
-  BIGQUERY_KEYFILE_LOCATION: /secrets/jobs-data/service_account.json
   CALITP_BUCKET__DBT_ARTIFACTS: "{{ env_var('CALITP_BUCKET__DBT_ARTIFACTS') }}"
   CALITP_BUCKET__DBT_DOCS: "{{ env_var('CALITP_BUCKET__DBT_DOCS') }}"
   CALITP_BUCKET__PUBLISH: "{{ env_var('CALITP_BUCKET__PUBLISH') }}"
   DBT_PROJECT_DIR: /app
   DBT_PROFILE_DIR: /app
   DBT_TARGET: "{{ env_var('DBT_TARGET') }}"
 
-secrets:
-  - deploy_type: volume
-    deploy_target: /secrets/jobs-data/
-    secret: jobs-data
-    key: service-account.json
-
 tolerations:
   - key: pod-role
     operator: Equal

airflow/dags/parse_and_validate_rt_v2/parse_rt_service_alerts.yml

@@ -16,24 +16,18 @@ arguments:
 
 is_delete_operator_pod: true
 get_logs: true
+service_account_name: composer-service-account
 
 env_vars:
   CALITP_BUCKET__AIRTABLE: "{{ env_var('CALITP_BUCKET__AIRTABLE') }}"
   CALITP_BUCKET__GTFS_RT_RAW: "{{ env_var('CALITP_BUCKET__GTFS_RT_RAW') }}"
   CALITP_BUCKET__GTFS_RT_PARSED: "{{ env_var('CALITP_BUCKET__GTFS_RT_PARSED') }}"
   CALITP_BUCKET__GTFS_RT_VALIDATION: "{{ env_var('CALITP_BUCKET__GTFS_RT_VALIDATION') }}"
   CALITP_BUCKET__GTFS_SCHEDULE_RAW: "{{ env_var('CALITP_BUCKET__GTFS_SCHEDULE_RAW') }}"
-  GOOGLE_APPLICATION_CREDENTIALS: /secrets/jobs-data/service_account.json
   GRAAS_SERVER_URL: "{{ env_var('GRAAS_SERVER_URL') }}"
   SENTRY_DSN: "{{ env_var('SENTRY_DSN') }}"
   SENTRY_ENVIRONMENT: "{{ env_var('SENTRY_ENVIRONMENT') }}"
 
-secrets:
-  - deploy_type: volume
-    deploy_target: /secrets/jobs-data/
-    secret: jobs-data
-    key: service_account.json
-
 k8s_resources:
   request_memory: 2.0Gi
   request_cpu: 1

airflow/dags/parse_and_validate_rt_v2/parse_rt_trip_updates.yml

@@ -14,27 +14,20 @@ arguments:
   - "{{ execution_date.replace(minute=0, second=0).format('YYYY-MM-DDTHH:mm:ss') }}"
   - "--verbose"
 
-
 is_delete_operator_pod: true
 get_logs: true
+service_account_name: composer-service-account
 
 env_vars:
   CALITP_BUCKET__AIRTABLE: "{{ env_var('CALITP_BUCKET__AIRTABLE') }}"
   CALITP_BUCKET__GTFS_RT_RAW: "{{ env_var('CALITP_BUCKET__GTFS_RT_RAW') }}"
   CALITP_BUCKET__GTFS_RT_PARSED: "{{ env_var('CALITP_BUCKET__GTFS_RT_PARSED') }}"
   CALITP_BUCKET__GTFS_RT_VALIDATION: "{{ env_var('CALITP_BUCKET__GTFS_RT_VALIDATION') }}"
   CALITP_BUCKET__GTFS_SCHEDULE_RAW: "{{ env_var('CALITP_BUCKET__GTFS_SCHEDULE_RAW') }}"
-  GOOGLE_APPLICATION_CREDENTIALS: /secrets/jobs-data/service_account.json
   GRAAS_SERVER_URL: "{{ env_var('GRAAS_SERVER_URL') }}"
   SENTRY_DSN: "{{ env_var('SENTRY_DSN') }}"
   SENTRY_ENVIRONMENT: "{{ env_var('SENTRY_ENVIRONMENT') }}"
 
-secrets:
-  - deploy_type: volume
-    deploy_target: /secrets/jobs-data/
-    secret: jobs-data
-    key: service_account.json
-
 k8s_resources:
   request_memory: 2.0Gi
   request_cpu: 1
@@ -44,6 +37,7 @@ tolerations:
     operator: Equal
     value: computetask
     effect: NoSchedule
+
 affinity:
   nodeAffinity:
     requiredDuringSchedulingIgnoredDuringExecution:

airflow/dags/parse_and_validate_rt_v2/parse_rt_vehicle_positions.yml

@@ -16,24 +16,18 @@ arguments:
 
 is_delete_operator_pod: true
 get_logs: true
+service_account_name: composer-service-account
 
 env_vars:
   CALITP_BUCKET__AIRTABLE: "{{ env_var('CALITP_BUCKET__AIRTABLE') }}"
   CALITP_BUCKET__GTFS_RT_RAW: "{{ env_var('CALITP_BUCKET__GTFS_RT_RAW') }}"
   CALITP_BUCKET__GTFS_RT_PARSED: "{{ env_var('CALITP_BUCKET__GTFS_RT_PARSED') }}"
   CALITP_BUCKET__GTFS_RT_VALIDATION: "{{ env_var('CALITP_BUCKET__GTFS_RT_VALIDATION') }}"
   CALITP_BUCKET__GTFS_SCHEDULE_RAW: "{{ env_var('CALITP_BUCKET__GTFS_SCHEDULE_RAW') }}"
-  GOOGLE_APPLICATION_CREDENTIALS: /secrets/jobs-data/service_account.json
   GRAAS_SERVER_URL: "{{ env_var('GRAAS_SERVER_URL') }}"
   SENTRY_DSN: "{{ env_var('SENTRY_DSN') }}"
   SENTRY_ENVIRONMENT: "{{ env_var('SENTRY_ENVIRONMENT') }}"
 
-secrets:
-  - deploy_type: volume
-    deploy_target: /secrets/jobs-data/
-    secret: jobs-data
-    key: service_account.json
-
 k8s_resources:
   request_memory: 2.0Gi
   request_cpu: 1
@@ -43,6 +37,7 @@ tolerations:
     operator: Equal
     value: computetask
     effect: NoSchedule
+
 affinity:
   nodeAffinity:
     requiredDuringSchedulingIgnoredDuringExecution:

airflow/dags/parse_and_validate_rt_v2/validate_rt_service_alerts.yml

@@ -17,24 +17,18 @@ arguments:
 
 is_delete_operator_pod: true
 get_logs: true
+service_account_name: composer-service-account
 
 env_vars:
   CALITP_BUCKET__AIRTABLE: "{{ env_var('CALITP_BUCKET__AIRTABLE') }}"
   CALITP_BUCKET__GTFS_RT_RAW: "{{ env_var('CALITP_BUCKET__GTFS_RT_RAW') }}"
   CALITP_BUCKET__GTFS_RT_PARSED: "{{ env_var('CALITP_BUCKET__GTFS_RT_PARSED') }}"
   CALITP_BUCKET__GTFS_RT_VALIDATION: "{{ env_var('CALITP_BUCKET__GTFS_RT_VALIDATION') }}"
   CALITP_BUCKET__GTFS_SCHEDULE_RAW: "{{ env_var('CALITP_BUCKET__GTFS_SCHEDULE_RAW') }}"
-  GOOGLE_APPLICATION_CREDENTIALS: /secrets/jobs-data/service_account.json
   GRAAS_SERVER_URL: "{{ env_var('GRAAS_SERVER_URL') }}"
   SENTRY_DSN: "{{ env_var('SENTRY_DSN') }}"
   SENTRY_ENVIRONMENT: "{{ env_var('SENTRY_ENVIRONMENT') }}"
 
-secrets:
-  - deploy_type: volume
-    deploy_target: /secrets/jobs-data/
-    secret: jobs-data
-    key: service_account.json
-
 k8s_resources:
   request_memory: 5.0Gi
   request_cpu: 2

airflow/dags/parse_and_validate_rt_v2/validate_rt_trip_updates.yml

@@ -17,24 +17,18 @@ arguments:
 
 is_delete_operator_pod: true
 get_logs: true
+service_account_name: composer-service-account
 
 env_vars:
   CALITP_BUCKET__AIRTABLE: "{{ env_var('CALITP_BUCKET__AIRTABLE') }}"
   CALITP_BUCKET__GTFS_RT_RAW: "{{ env_var('CALITP_BUCKET__GTFS_RT_RAW') }}"
   CALITP_BUCKET__GTFS_RT_PARSED: "{{ env_var('CALITP_BUCKET__GTFS_RT_PARSED') }}"
   CALITP_BUCKET__GTFS_RT_VALIDATION: "{{ env_var('CALITP_BUCKET__GTFS_RT_VALIDATION') }}"
   CALITP_BUCKET__GTFS_SCHEDULE_RAW: "{{ env_var('CALITP_BUCKET__GTFS_SCHEDULE_RAW') }}"
-  GOOGLE_APPLICATION_CREDENTIALS: /secrets/jobs-data/service_account.json
   GRAAS_SERVER_URL: "{{ env_var('GRAAS_SERVER_URL') }}"
   SENTRY_DSN: "{{ env_var('SENTRY_DSN') }}"
   SENTRY_ENVIRONMENT: "{{ env_var('SENTRY_ENVIRONMENT') }}"
 
-secrets:
-  - deploy_type: volume
-    deploy_target: /secrets/jobs-data/
-    secret: jobs-data
-    key: service_account.json
-
 k8s_resources:
   request_memory: 5.0Gi
   request_cpu: 2

airflow/dags/parse_and_validate_rt_v2/validate_rt_vehicle_positions.yml

@@ -17,24 +17,18 @@ arguments:
 
 is_delete_operator_pod: true
 get_logs: true
+service_account_name: composer-service-account
 
 env_vars:
   CALITP_BUCKET__AIRTABLE: "{{ env_var('CALITP_BUCKET__AIRTABLE') }}"
   CALITP_BUCKET__GTFS_RT_RAW: "{{ env_var('CALITP_BUCKET__GTFS_RT_RAW') }}"
   CALITP_BUCKET__GTFS_RT_PARSED: "{{ env_var('CALITP_BUCKET__GTFS_RT_PARSED') }}"
   CALITP_BUCKET__GTFS_RT_VALIDATION: "{{ env_var('CALITP_BUCKET__GTFS_RT_VALIDATION') }}"
   CALITP_BUCKET__GTFS_SCHEDULE_RAW: "{{ env_var('CALITP_BUCKET__GTFS_SCHEDULE_RAW') }}"
-  GOOGLE_APPLICATION_CREDENTIALS: /secrets/jobs-data/service_account.json
   GRAAS_SERVER_URL: "{{ env_var('GRAAS_SERVER_URL') }}"
   SENTRY_DSN: "{{ env_var('SENTRY_DSN') }}"
   SENTRY_ENVIRONMENT: "{{ env_var('SENTRY_ENVIRONMENT') }}"
 
-secrets:
-  - deploy_type: volume
-    deploy_target: /secrets/jobs-data/
-    secret: jobs-data
-    key: service_account.json
-
 k8s_resources:
   request_memory: 5.0Gi
   request_cpu: 2

airflow/dags/publish_open_data/publish_california_open_data.yml

@@ -12,17 +12,13 @@ arguments:
 
 is_delete_operator_pod: true
 get_logs: true
+service_account_name: composer-service-account
 
 env_vars:
-  GOOGLE_APPLICATION_CREDENTIALS: /secrets/jobs-data/service_account.json
   CALITP_BUCKET__DBT_ARTIFACTS: "{{ env_var('CALITP_BUCKET__DBT_ARTIFACTS') }}"
   CALITP_BUCKET__PUBLISH: "{{ env_var('CALITP_BUCKET__PUBLISH') }}"
 
 secrets:
-  - deploy_type: volume
-    deploy_target: /secrets/jobs-data/
-    secret: jobs-data
-    key: service-account.json
   - deploy_type: env
     deploy_target: CALITP_CKAN_GTFS_SCHEDULE_KEY
     secret: jobs-data

airflow/dags/scrape_feed_aggregators/scrape_mobility_database.yml

@@ -11,16 +11,10 @@ arguments:
 
 is_delete_operator_pod: true
 get_logs: true
+service_account_name: composer-service-account
 
 env_vars:
   CALITP_BUCKET__AGGREGATOR_SCRAPER: "{{ env_var('CALITP_BUCKET__AGGREGATOR_SCRAPER') }}"
-  GOOGLE_APPLICATION_CREDENTIALS: /secrets/jobs-data/service_account.json
-
-secrets:
-  - deploy_type: volume
-    deploy_target: /secrets/jobs-data/
-    secret: jobs-data
-    key: service_account.json
 
 tolerations:
   - key: pod-role

airflow/dags/scrape_feed_aggregators/scrape_transitland.yml

@@ -11,20 +11,16 @@ arguments:
 
 is_delete_operator_pod: true
 get_logs: true
+service_account_name: composer-service-account
 
 env_vars:
   CALITP_BUCKET__AGGREGATOR_SCRAPER: "{{ env_var('CALITP_BUCKET__AGGREGATOR_SCRAPER') }}"
-  GOOGLE_APPLICATION_CREDENTIALS: /secrets/jobs-data/service_account.json
 
 secrets:
   - deploy_type: env
     deploy_target: TRANSITLAND_API_KEY
     secret: jobs-data
     key: transitland-api-key
-  - deploy_type: volume
-    deploy_target: /secrets/jobs-data/
-    secret: jobs-data
-    key: service_account.json
 
 tolerations:
   - key: pod-role