[iris] Fix SSH OS Login to use impersonation SA from config#4399
[iris] Fix SSH OS Login to use impersonation SA from config#4399
Conversation
…account ssh_key_file() was called without the impersonation SA in workers.py, causing OS Login registration to fail for users authenticating via a personal Google account. Now falls back to ssh_config.impersonate_service_account when no explicit SA is passed. Also surfaces gcloud stderr on failure instead of swallowing it.
|
Claude finished @rjpower's task in 59s —— View job PR Review
Verdict: Looks good ✅ This is a clean, well-scoped fix. Two changes:
The test updates are consistent: mocks now return One minor observation: the |
ssh_key_file() in workers.py was called without the impersonation service account, so OS Login key registration ran as the user's personal Google account and failed with an IAM permission error. Now ssh_key_file() falls back to ssh_config.impersonate_service_account when no explicit SA is passed. Also surfaces the gcloud stderr in the error message instead of swallowing it behind capture_output.
ssh_key_file() in workers.py was called without the impersonation service
account, so OS Login key registration ran as the user's personal Google
account and failed with an IAM permission error. Now ssh_key_file() falls
back to ssh_config.impersonate_service_account when no explicit SA is
passed. Also surfaces the gcloud stderr in the error message instead of
swallowing it behind capture_output.