Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

google.oauth2.service_account.Credential objects are not pickleable if cryptography is installed #1383

Closed
andrewsg opened this issue Sep 18, 2023 · 3 comments · Fixed by #1394 or #1395
Closed

google.oauth2.service_account.Credential objects are not pickleable if cryptography is installed #1383

andrewsg opened this issue Sep 18, 2023 · 3 comments · Fixed by #1394 or #1395
Assignees
@clundin25

Comments

@andrewsg
Copy link
Contributor

Environment details

  • OS: MacOS 13.5.2
  • Python version: 3.9
  • pip version: 23.1.2
  • google-auth version: 2.22.0

Steps to reproduce

Install cryptography

Run:

import pickle
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file("credentials.json")

pickle.dumps(credentials)

The object in question seems to be credentials._signer which is either a pickleable pure Python object if cryptography is not installed, or else an unpickleable google.auth.crypt._cryptography_rsa.RSASigner if it is. Specifically, the signer._key object is of type cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey.

This conversation on SO seems related: https://stackoverflow.com/questions/39321606/cant-pickle-an-rsa-key-to-send-over-a-socket

This is impacting the Storage SDK's multiprocessing capability: googleapis/python-storage#1116 despite efforts to work around it.
@clundin25 clundin25 self-assigned this Sep 18, 2023
@clundin25
Copy link
Contributor

I'm not sure how this should be implemented.. Any object that is pickled would need to reconstruct the signer object to work, which requires the key's PEM file. Put another way, it seems to me that the the object needs to be recreated each time.

@arithmetic1728 @sai-sunder-s what do you think?

The base OAuth2.0 credential object does support pickling https://github.com/googleapis/google-auth-library-python/blob/main/google/oauth2/credentials.py#L156.

@clundin25
Copy link
Contributor

Maybe we could store a buffer of the key's bytes, and then recreate the signer that way?

@arithmetic1728
Copy link
Contributor

@clundin25 yes I think we could store the key bytes and recreate the signer

@andrewsg andrewsg mentioned this issue Oct 5, 2023
Merged
gcf-merge-on-green bot pushed a commit that referenced this issue Oct 5, 2023
@andrewsg
fix: Serialize signer keys on __getstate__ for pickling (#1394)
8b783b9 
Fixes #1383
@release-please release-please bot mentioned this issue Oct 5, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@clundin25 clundin25

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Serialize signer keys on __getstate__ for pickling andrewsg/google-auth-library-python
chore(main): release 2.23.3 googleapis/google-auth-library-python
3 participants
@andrewsg @arithmetic1728 @clundin25