Airflow REST API Authentication

I am working on triggering Airflow DAGs from Retool using Airflow's REST API.

Currently I have the connection in Retool configured to use a Bearer Token. The issue is that Google Cloud Bearer tokens expire after an hour, so this is not a long-term solution. For our other Google Cloud connections we use the service account, but a service account is not an option for the Retool REST API authentication.

@Retool it would be great if we could configure REST API connections with a service account, but in the meantime does anyone have a workaround for this?

Thanks!!

Noted as a feature request - thank you! I'll keep you updated with any news :slight_smile:

Update! We now support calling Google Cloud functions from a service account :tada: We'll be gradually rolling this out to Cloud starting this week. Thank you all for your input here :slight_smile:

@mdubois this feature should be available to all cloud customers now. When creating a REST API resource, you can select Google Service Account as an authentication choice & provide the authentication JSON for the account. Please let us know if you run into any problems using it.

Hi @Harry_Doan ,
Thanks for releasing this feature! I was testing this REST API with Google Document AI API through a service account, and somehow I got error code 401.

I've pasted the private key JSON in the "Service account key" field, and my setup looks like this:

I've also granted the "Document AI Administrator" role to this service account.

Can you let me know if I've done anything wrong in this setup?

Hi @brianzjj, what does the "API Request" tab look like for your failed request? Also, I think you should remove the header (Authorization Bearer OAUTH2_TOKEN) because we're using a service account here, not OAuth.

Hi @Harry_Doan ,

It looks like this:

I also tried removing the (Authorization Bearer OAUTH2_TOKEN) but no luck.

Can you verify that you are able to connect to the API using the service account outside of Retool? E.g. with a curl request.

It's possible that Google Cloud Functions and the Google Document AI service require different tokens. I'll also need to verify how it works with the Document AI service on my end.

An alternative solution is that you can set up a resource using OAuth authentication. With this, people can authenticate to use the resource themselves. You can also use the option "Share credentials between users" to authenticate it once and let other people use the same credentials to access the resource.

Hi @Harry_Doan ,
Yes, I confirm I am able to connect to the API using the service account with a curl request.

I've been using the OAuth authentication as a workaround for some time. It works well, but it would be ideal if we can auth via a service account instead.

Could you please look into it and let me know how to fix this?

Thanks.

@brianzjj Thank you for the update! Would you mind sharing how you're connecting to the API with service account & curl request? It'll be useful for me while looking into implementing this.

Hi @Harry_Doan ,

Essentially I made the curl request in Cloud Shell following the steps here (https://cloud.google.com/document-ai/docs/send-request#documentai_process_document-drest), after setting the account to my service account on Cloud Shell:

My request body is stored in a file 'request.json':

The curl request is as below:

curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://us-documentai.googleapis.com/v1/projects/{PROJECT_ID}/locations/us/processors/{PROCESSOR_ID}:process"

Hi @Harry_Doan ,

Following up on this - I've tried to use my service account to connect to the Google Cloud Storage resource and it worked fine. It might actually be that Google Document AI requires a different token. Please keep me posted on any progress!

Thanks,
Brian

@brianzjj Thank you for the info! I'll log this as an issue for Google Document AI and update you when it's being addressed!
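
An added example, not written by anyone in this thread and not Retool's code: an offline check for the "different token" idea raised above, which tells a JWT minted for some other audience apart from the opaque access token that the curl command sends. That the failing request carried such a JWT is an assumption the thread does not confirm; `diagnose`, `constructed_jwt`, the sample tokens and the function URL are constructed for illustration.

```python
import base64
import json
import time
from urllib.parse import urlsplit

def _segment(seg):
    """Decode one base64url JWT segment to a dict, or None if it is not JSON."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def diagnose(token, request_url, now=None):
    """Return (kind, problems) for a bearer token sent to request_url.

    Claims are only read, never trusted: no signature is verified here.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    claims = _segment(parts[1]) if len(parts) == 3 and _segment(parts[0]) else None
    if claims is None:
        # Opaque string, the form `gcloud auth print-access-token` prints.
        return "opaque_access_token", ["cannot be inspected offline"]
    problems = []
    host = urlsplit(request_url).hostname
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(isinstance(a, str) and urlsplit(a).hostname == host for a in auds):
        problems.append(f"audience {aud!r} does not name {host}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or has no exp claim")
    return "jwt", problems

def constructed_jwt(claims):
    """Build an unsigned, JWT-shaped string for the demo (constructed data)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# URL from the thread's curl command; both tokens below are constructed samples.
DOCAI_URL = ("https://us-documentai.googleapis.com/v1/projects/{PROJECT_ID}"
             "/locations/us/processors/{PROCESSOR_ID}:process")
ID_TOKEN = constructed_jwt({"aud": "https://example-function.invalid/run", "exp": 1700003600})
OPAQUE = "ya29.CONSTRUCTED-SAMPLE-NOT-A-REAL-TOKEN"

if __name__ == "__main__":
    for name, tok in (("id token", ID_TOKEN), ("access token", OPAQUE)):
        print(name, diagnose(tok, DOCAI_URL, now=1700000000))
```

The token to feed it is the `Authorization` header value shown in the failing request; an audience that names a different host explains a 401 even when the service account's roles are correct.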