U k7g#E@sdZddlZddlZddlmZddlmZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z dd lmZdd lmZd Zd Ze jdfd dZGddde je je jZGddde jZdS)aGoogle Cloud Impersonated credentials. This module provides authentication for applications where local credentials impersonates a remote service account using `IAM Credentials API`_. This class can be used to impersonate a service account as long as the original Credential object has the "Service Account Token Creator" role on the target service account. .. _IAM Credentials API: https://cloud.google.com/iam/credentials/reference/rest/ N)datetime)_exponential_backoff)_helpers) credentials) exceptions)iam)jwt)metricsz*Unable to acquire impersonated credentialsic Cs|ptjtj||}t|d}||d||d}t |j drR|j dn|j }|j t jkrptt|z,t|} | d} t| dd} | | fWSttfk r} ztdt|} | | W5d } ~ XYnXd S) aMakes a request to the Google Cloud IAM service for an access token. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. body (Mapping[str, str]): JSON Payload body for the iamcredentials API call. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned utf-8POST)urlmethodheadersbodydecodeZ accessTokenZ expireTimez%Y-%m-%dT%H:%M:%SZz6{}: No access token or invalid expiration in response.N)rZ _IAM_ENDPOINTreplacerDEFAULT_UNIVERSE_DOMAINformatjsondumpsencodehasattrdatarstatus http_clientOKr RefreshError_REFRESH_ERRORloadsrstrptimeKeyError ValueError)request principalrruniverse_domainiam_endpoint_overrideZ iam_endpointresponseZ response_bodyZtoken_responsetokenexpiryZ caught_excnew_excr*H/tmp/pip-unpacked-wheel-x0z3pcuk/google/auth/impersonated_credentials.py_make_iam_token_request0s6      r,cseZdZdZdeddffdd ZddZee j ddZ d d Z d d Z ed dZeddZeddZeddZee j ddZddZee jddZee jdddZZS) CredentialsaThis module defines impersonated credentials which are essentially impersonated identities. Impersonated Credentials allows credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the `Service Account Token Creator`_ IAM role: For more information about Token Creator IAM role and IAMCredentials API, see `Creating Short-Lived Service Account Credentials`_. .. _Service Account Token Creator: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role .. _Creating Short-Lived Service Account Credentials: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Usage: First grant source_credentials the `Service Account Token Creator` role on the target account to impersonate. In this example, the service account represented by svc_account.json has the token creator role on `impersonated-account@_project_.iam.gserviceaccount.com`. Enable the IAMCredentials API on the source project: `gcloud services enable iamcredentials.googleapis.com`. Initialize a source credential which does not have access to list bucket:: from google.oauth2 import service_account target_scopes = [ 'https://www.googleapis.com/auth/devstorage.read_only'] source_credentials = ( service_account.Credentials.from_service_account_file( '/path/to/svc_account.json', scopes=target_scopes)) Now use the source credentials to acquire credentials to impersonate another service account:: from google.auth import impersonated_credentials target_credentials = impersonated_credentials.Credentials( source_credentials=source_credentials, target_principal='impersonated-account@_project_.iam.gserviceaccount.com', target_scopes = target_scopes, lifetime=500) Resource access is granted:: client = storage.Client(credentials=target_credentials) buckets = client.list_buckets(project='your_project') for bucket in buckets: print(bucket.name) Ncstt|t||_t|jtjrX|jt j |_t |jdrX|jj rX|j d|j|_||_||_||_|pxt|_d|_t|_||_||_d|_dS)aL Args: source_credentials (google.auth.Credentials): The source credential used as to acquire the impersonated credentials. target_principal (str): The service account to impersonate. target_scopes (Sequence[str]): Scopes to request during the authorization grant. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. lifetime (int): Number of seconds the delegated credential should be valid for (upto 3600). quota_project_id (Optional[str]): The project ID used for quota and billing. This project may be different from the project used to create the credentials. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. _create_self_signed_jwtN)superr-__init__copy_source_credentials isinstancerScoped with_scopesrZ _IAM_SCOPErZ_always_use_jwt_accessr.r$Z_universe_domain_target_principal_target_scopes _delegates_DEFAULT_TOKEN_LIFETIME_SECS _lifetimer'rutcnowr(_quota_project_id_iam_endpoint_override_cred_file_path)selfZsource_credentialstarget_principal target_scopes delegateslifetimequota_project_idr% __class__r*r+r0s*&     zCredentials.__init__cCstjSN)r ZCRED_TYPE_SA_IMPERSONATEr?r*r*r+_metric_header_for_usagesz$Credentials._metric_header_for_usagecCs||dSrG) _update_token)r?r"r*r*r+refreshszCredentials.refreshcCs|jjtjjks |jjtjjkr,|j||j|jt |j dd}ddt j t i}|j|t||j|||j|jd\|_|_dS)zUpdates credentials with a new access_token representing the impersonated account. Args: request (google.auth.transport.requests.Request): Request object to use for refreshing credentials. s)rBZscoperC Content-Typeapplication/json)r"r#rrr$r%N)r2Z token_staterZ TokenStateZSTALEINVALIDrKr8r7strr:r API_CLIENT_HEADERZ&token_request_access_token_impersonateapplyr,r6r$r=r'r()r?r"rrr*r*r+rJs.    zCredentials._update_tokenc Csddlm}tjtj|j|j }t | d|j d}ddi}||j}zlt}|D]Z}|j|||d} | jtjkrq^| jtjkrtd| t | d WSW5|Xtd dS) NrAuthorizedSessionr )payloadrBrMrN)r rrzError calling sign_bytes: {}Z signedBlobz#exhausted signBlob endpoint retries)google.auth.transport.requestsrTrZ_IAM_SIGN_ENDPOINTrrrr$rr6base64 b64encoderr8r2closerZExponentialBackoffpost status_codeZIAM_RETRY_CODESrrrZTransportErrorr b64decode) r?messagerTiam_sign_endpointrrauthed_sessionretries_r&r*r*r+ sign_bytess:      zCredentials.sign_bytescCs|jSrGr6rHr*r*r+ signer_emailAszCredentials.signer_emailcCs|jSrGrcrHr*r*r+service_account_emailEsz!Credentials.service_account_emailcCs|SrGr*rHr*r*r+signerIszCredentials.signercCs|j SrG)r7rHr*r*r+requires_scopesMszCredentials.requires_scopescCs|jr|jd|jdSdS)Nzimpersonated credentials)Zcredential_sourceZcredential_typer#)r>r6rHr*r*r+ get_cred_infoQs zCredentials.get_cred_infoc Cs2|j|j|j|j|j|j|j|jd}|j|_|S)N)r@rArBrCrDr%) rFr2r6r7r8r:r<r=r>)r?credr*r*r+ _make_copy[s zCredentials._make_copycCs|}||_|SrG)rjr<)r?rDrir*r*r+with_quota_projecthszCredentials.with_quota_projectcCs|}|p||_|SrG)rjr7)r?ZscopesZdefault_scopesrir*r*r+r5ns zCredentials.with_scopes)N)__name__ __module__ __qualname____doc__r9r0rIrcopy_docstringrr-rKrJrbpropertyrdrerfrgrhrjCredentialsWithQuotaProjectrkr4r5 __classcell__r*r*rEr+r-ns4BC  '"         r-csdeZdZdZdfdd ZdddZdd Zd d Ze e j d d Z e e j ddZZS)IDTokenCredentialszAOpen ID Connect ID Token-based service account credentials. NFcs>tt|t|ts"td||_||_||_ ||_ dS)a Args: target_credentials (google.auth.Credentials): The target credential used as to acquire the id tokens for. target_audience (string): Audience to issue the token for. include_email (bool): Include email in IdToken quota_project_id (Optional[str]): The project ID used for quota and billing. z4Provided Credential must be impersonated_credentialsN) r/rtr0r3r-rZGoogleAuthError_target_credentials_target_audience_include_emailr<)r?target_credentialstarget_audience include_emailrDrEr*r+r0zs zIDTokenCredentials.__init__cCs|j|||j|jdSN)rxryrzrD)rFrwr<)r?rxryr*r*r+from_credentialss z#IDTokenCredentials.from_credentialscCs|j|j||j|jdSr{)rFrurwr<)r?ryr*r*r+with_target_audiences z'IDTokenCredentials.with_target_audiencecCs|j|j|j||jdSr{)rFrurvr<)r?rzr*r*r+with_include_emails z%IDTokenCredentials.with_include_emailcCs|j|j|j|j|dSr{)rFrurvrw)r?rDr*r*r+rks z%IDTokenCredentials.with_quota_projectc Csddlm}tjtj|jj |jj }|j |jj |j d}ddtjti}||jj|d}z |j||t|dd}W5|X|jtjkrtd ||d }||_ttj |d d d |_!dS)NrrS)ZaudiencerBZ includeEmailrMrN)Z auth_requestr )r rrzError getting ID token: {}r'F)verifyexp)"rVrTrZ_IAM_IDTOKEN_ENDPOINTrrrrur$rrdrvr8rwr rQZ"token_request_id_token_impersonater2rYrZrrrr[rrrrr'rutcfromtimestamprrr() r?r"rTr^rrr_r&Zid_tokenr*r*r+rKsH      zIDTokenCredentials.refresh)NFN)N)rlrmrnror0r|r}r~rrprrrrkr-rKrsr*r*rEr+rtus    rt)rorWr1r http.clientclientrrZ google.authrrrrrrr rr9rr,r4rrZSigningr-rtr*r*r*r+s2           >