chore: Fallback to inputs if impersonation fails (#52052)

tomasfarias · web-flow · commit eeee7bb0e439 · 2026-03-24T11:37:06.000+01:00
diff --git a/posthog/models/integration.py b/posthog/models/integration.py
@@ -1189,15 +1189,6 @@ def integration_from_service_account(
         token_uri: str | None = None,
         created_by: User | None = None,
     ) -> Integration:
-        sensitive_config = {}
-
-        is_impersonated = True
-        if isinstance(private_key, str) and isinstance(private_key_id, str) and isinstance(token_uri, str):
-            sensitive_config["private_key"] = private_key
-            sensitive_config["private_key_id"] = private_key_id
-            sensitive_config["token_uri"] = token_uri
-            is_impersonated = False
-
         # Do not allow the same project_id in multiple organizations
         same_service_account_integrations = Integration.objects.select_related("team__organization").filter(
             kind="google-cloud-service-account", config__service_account_email=service_account_email
@@ -1206,6 +1197,15 @@ def integration_from_service_account(
             if str(integration.team.organization.id) != str(organization_id):
                 raise ValidationError("Cannot create Google Cloud service account integration: Invalid service account")
 
+        sensitive_config = {}
+        is_impersonated = True
+        if isinstance(private_key, str) and isinstance(private_key_id, str) and isinstance(token_uri, str):
+            sensitive_config["private_key"] = private_key
+            sensitive_config["private_key_id"] = private_key_id
+            sensitive_config["token_uri"] = token_uri
+
+            is_impersonated = False
+
         variant = "impersonated" if is_impersonated else "key-file"
 
         integration, _ = Integration.objects.update_or_create(
diff --git a/products/batch_exports/backend/temporal/destinations/bigquery_batch_export.py b/products/batch_exports/backend/temporal/destinations/bigquery_batch_export.py
@@ -1338,7 +1338,22 @@ async def insert_into_bigquery_activity_from_stage(inputs: BigQueryInsertInputs)
                     google_cloud_integration.service_account_email, inputs.team_id
                 )
                 await ensure_our_google_cloud_credentials_are_valid()
-            bq_client = BigQueryClient.from_service_account_integration(google_cloud_integration)
+            try:
+                bq_client = BigQueryClient.from_service_account_integration(google_cloud_integration)
+            except Exception:
+                LOGGER.exception("Initialize client from service account failed")
+                # TODO: Migrate everyone and remove this
+                if (
+                    inputs.private_key is None
+                    or inputs.private_key_id is None
+                    or inputs.token_uri is None
+                    or inputs.client_email is None
+                ):
+                    # We cannot fallback to using inputs
+                    raise
+                bq_client = BigQueryClient.from_service_account_inputs(
+                    inputs.private_key, inputs.private_key_id, inputs.token_uri, inputs.client_email, project_id
+                )
 
         else:
             # TODO: Migrate everyone and remove this
