Skip to content

Add EE service account authentication #2334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add EE service account authentication #2334

wants to merge 2 commits into from
+15 −1

Conversation

@giswqs
Copy link
Member

@giswqs giswqs commented Nov 10, 2025

Fix #2234

This PR adds support for EE service account authentication via the EE_SERVICE_ACCOUNT environment variable, resolving the EE token expiration issue for EE web apps.

Copilot AI reviewed Nov 10, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for Earth Engine service account authentication via the EE_SERVICE_ACCOUNT environment variable, providing an alternative authentication method to the existing token-based and interactive authentication modes.

Key changes:

  • Adds service account authentication flow that parses JSON credentials from EE_SERVICE_ACCOUNT environment variable
  • Extracts client_email from the service account JSON and initializes Earth Engine with service account credentials
  • Positions this authentication method as the first priority in the authentication chain (checked before token-based auth)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

geemap/coreutils.py
try:
email = json.loads(key_data)["client_email"]
except json.JSONDecodeError as e:
raise ValueError(f"Invalid JSON for key_data: {e}")
Copy link

Copilot AI Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error message references key_data which is an internal variable name. For better user experience, consider referencing the environment variable name instead: "Invalid JSON in EE_SERVICE_ACCOUNT environment variable: {e}"

Suggested change
raise ValueError(f"Invalid JSON for key_data: {e}")
raise ValueError(f"Invalid JSON in EE_SERVICE_ACCOUNT environment variable: {e}")

Copilot uses AI. Check for mistakes.
geemap/coreutils.py
except json.JSONDecodeError as e:
raise ValueError(f"Invalid JSON for key_data: {e}")
except KeyError:
raise ValueError("key_data JSON does not contain 'client_email'")
Copy link

Copilot AI Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error message references key_data which is an internal variable name. For better user experience, consider referencing the environment variable name instead: "EE_SERVICE_ACCOUNT JSON does not contain 'client_email'"

Suggested change
raise ValueError("key_data JSON does not contain 'client_email'")
raise ValueError("EE_SERVICE_ACCOUNT JSON does not contain 'client_email'")

Copilot uses AI. Check for mistakes.
geemap/coreutils.py
except KeyError:
raise ValueError("key_data JSON does not contain 'client_email'")
credentials = ee.ServiceAccountCredentials(email=email, key_data=key_data)
ee.Initialize(credentials)
Copy link

Copilot AI Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ee.Initialize() call doesn't pass the **kwargs parameter, unlike the other authentication paths (e.g., line 106). This means users cannot pass additional parameters like opt_url for the High-Volume platform when using service account authentication. Consider changing to ee.Initialize(credentials, **kwargs) for consistency.

Suggested change
ee.Initialize(credentials)
ee.Initialize(credentials, **kwargs)

Copilot uses AI. Check for mistakes.
geemap/coreutils.py
Comment on lines +79 to +82
if get_env_var("EE_SERVICE_ACCOUNT") is not None:

key_data = get_env_var("EE_SERVICE_ACCOUNT")

Copy link

Copilot AI Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The variable key_data is redundantly assigned. Line 79 already checks that get_env_var("EE_SERVICE_ACCOUNT") is not None, so the result can be stored directly without calling get_env_var again. Consider storing it in a variable on line 79 to avoid the duplicate call.

Suggested change
if get_env_var("EE_SERVICE_ACCOUNT") is not None:
key_data = get_env_var("EE_SERVICE_ACCOUNT")
key_data = get_env_var("EE_SERVICE_ACCOUNT")
if key_data is not None:

Copilot uses AI. Check for mistakes.
@github-actions
Copy link

github-actions bot commented Nov 10, 2025
edited
Loading

🚀 Deployed on https://691166cd8083308944e4697f--opengeos.netlify.app

@github-actions github-actions bot temporarily deployed to pull request November 10, 2025 04:13 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@schwehr schwehr Awaiting requested review from schwehr

@jdbcode jdbcode Awaiting requested review from jdbcode

@naschmitz naschmitz Awaiting requested review from naschmitz

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Check on token expiration - does EE client library not parse project ID correctly

2 participants

@giswqs