[SDK] Fix setting token file name #9150
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
elbamit
reviewed
Jan 4, 2026
Comment on lines
+651
to
+667
| if not config.auth_with_oauth_token.token_file: | ||
| user_token_file = os.path.expanduser("~/.igz.yml") | ||
|
|
||
| # runtimes | ||
| # TODO: change to os.getenv("MLRUN_RUNTIME_KIND") | ||
| # when https://github.com/mlrun/mlrun/pull/9121 is done. | ||
| if ( | ||
| mlrun.k8s_utils.is_running_inside_kubernetes_cluster() | ||
| and not os.environ.get("JPY_SESSION_NAME") | ||
| ): | ||
| user_token_file = os.path.join( | ||
| mlrun.common.constants.MLRUN_JOB_AUTH_SECRET_PATH, | ||
| mlrun.common.constants.MLRUN_JOB_AUTH_SECRET_FILE, | ||
| ) | ||
|
|
||
| config.auth_with_oauth_token.token_file = user_token_file | ||
|
|
Contributor
There was a problem hiding this comment.
If a user sets MLRUN_AUTH_WITH_OAUTH_TOKEN__TOKEN_FILE as an env var on the runtime, then he will override the /var/mlrun-secrets/auth/ that is supposed to be used for runtimes.
It's fine to leave it like this for now but once the os.getenv("MLRUN_RUNTIME_KIND") is introduced we'll need to block the user from setting this env var on a runtime
Member
Author
There was a problem hiding this comment.
indeed can be harmful if setting this envvar mistakenly - but that is the purpose of this PR - to allow overriding
elbamit
approved these changes
Jan 4, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
📝 Description
To ensure token file names can be explicitly set and (correctly) auto set for runtimes / local development it was required to remove the ~/.igz.yml from config.py and set it according to running env (k8s, jupyter, local).
This fixes Iguazio v4 OAuth token file auto-initialization to correctly distinguish between Kubernetes runtime environments and Jupyter environments. Previously, the token file was always overwritten to the k8s secret path when running inside Kubernetes, which broke authentication for Jupyter environments.
🛠️ Changes Made
JPY_SESSION_NAME) before overriding to k8s secret pathtoken_fileconfig from~/.igz.ymlto empty string, allowing dynamic initialization based on runtime contextsync_secret_tokensto reflect the new behavior✅ Checklist
🧪 Testing
🔗 References
🚨 Breaking Changes?
🔍️ Additional Notes