ha6dZddlZddlZddlmZddlmZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z dd lmZdd lmZdd lmZd Zd ZdZdZdZdZe jdfdZGdde je je jZGdde jZgfdZdS)aGoogle Cloud Impersonated credentials. This module provides authentication for applications where local credentials impersonates a remote service account using `IAM Credentials API`_. This class can be used to impersonate a service account as long as the original Credential object has the "Service Account Token Creator" role on the target service account. .. _IAM Credentials API: https://cloud.google.com/iam/credentials/reference/rest/ N)datetime)_exponential_backoff)_helpers credentials) exceptions)iam)jwt)metrics)_clientz*Unable to acquire impersonated credentialsiz#https://oauth2.googleapis.com/tokenauthorized_userservice_account external_account_authorized_userc|p,#?AUVVf} j !&&&) D K K       :%&s:DE(0EEceZdZdZddeddffd ZdZeje j dZ dZ dZ edZed Zed Zed Zeje j d Zd Zeje jdZeje jddZeddZxZS) CredentialsaThis module defines impersonated credentials which are essentially impersonated identities. Impersonated Credentials allows credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the `Service Account Token Creator`_ IAM role: For more information about Token Creator IAM role and IAMCredentials API, see `Creating Short-Lived Service Account Credentials`_. .. _Service Account Token Creator: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role .. _Creating Short-Lived Service Account Credentials: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Usage: First grant source_credentials the `Service Account Token Creator` role on the target account to impersonate. In this example, the service account represented by svc_account.json has the token creator role on `impersonated-account@_project_.iam.gserviceaccount.com`. Enable the IAMCredentials API on the source project: `gcloud services enable iamcredentials.googleapis.com`. Initialize a source credential which does not have access to list bucket:: from google.oauth2 import service_account target_scopes = [ 'https://www.googleapis.com/auth/devstorage.read_only'] source_credentials = ( service_account.Credentials.from_service_account_file( '/path/to/svc_account.json', scopes=target_scopes)) Now use the source credentials to acquire credentials to impersonate another service account:: from google.auth import impersonated_credentials target_credentials = impersonated_credentials.Credentials( source_credentials=source_credentials, target_principal='impersonated-account@_project_.iam.gserviceaccount.com', target_scopes = target_scopes, lifetime=500) Resource access is granted:: client = storage.Client(credentials=target_credentials) buckets = client.list_buckets(project='your_project') for bucket in buckets: print(bucket.name) Nc btt|tj||_t |jt jrd|jtj |_t|jdr&|jj r|j d|j|_||_||_||_||_|pt(|_d|_t/j|_||_||_d|_dS)a$ Args: source_credentials (google.auth.Credentials): The source credential used as to acquire the impersonated credentials. target_principal (str): The service account to impersonate. target_scopes (Sequence[str]): Scopes to request during the authorization grant. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. lifetime (int): Number of seconds the delegated credential should be valid for (upto 3600). quota_project_id (Optional[str]): The project ID used for quota and billing. This project may be different from the project used to create the credentials. iam_endpoint_override (Optional[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. subject (Optional[str]): sub field of a JWT. This field should only be set if you wish to impersonate as a user. This feature is useful when using domain wide delegation. _create_self_signed_jwtN)superr<__init__copy_source_credentials isinstancerScoped with_scopesr _IAM_SCOPEr"_always_use_jwt_accessr>r/_universe_domain_target_principal_target_scopes _delegates_subject_DEFAULT_TOKEN_LIFETIME_SECS _lifetimer5rutcnowr6_quota_project_id_iam_endpoint_override_cred_file_path) selfsource_credentialstarget_principal target_scopes delegatessubjectlifetimequota_project_idr0 __class__s r9r@zCredentials.__init__sT k4  ))+++#'9-?#@#@  d. 0B C C G'+'?'K'K((D $ 02KLL G,C G(@@FFF 2 B!1+# !A%A o'' !1&;##ctjSN)r CRED_TYPE_SA_IMPERSONATErSs r9_metric_header_for_usagez$Credentials._metric_header_for_usages //r\c0||dSr^) _update_token)rSr-s r9refreshzCredentials.refreshs 7#####r\c|jjtjjks|jjtjjkr|j||j|jt|j dzd}ddtj tj i}|j||jr|jtjkrt%jdt)j}|jt)j|jpd|jt0t)j|t)j|t4zd}t7||j|||j}t9j|t0|\|_|_}d StA||j|||j|j! \|_|_d S) zUpdates credentials with a new access_token representing the impersonated account. Args: request (google.auth.transport.requests.Request): Request object to use for refreshing credentials. s)rWscoperY Content-Typeapplication/jsonzNDomain-wide delegation is not supported in universes other than googleapis.com)issrgsubaudiatexp)r-r.rpayloadrWN)r-r.rrr/r0)"rB token_stater TokenStateSTALEINVALIDrdrKrJstrrNr API_CLIENT_HEADER&token_request_access_token_impersonateapplyrLr/rrGoogleAuthErrorrrOrIscopes_to_string_GOOGLE_OAUTH2_TOKEN_ENDPOINTdatetime_to_secsrM_sign_jwt_requestr jwt_grantr5r6r:rQ)rSr-rrnowrp assertion_s r9rczCredentials._update_tokens  $ 0K4J4P P P'3{7M7UUU  $ , ,W 5 5 5(DN++c1   .  %w'U'W'W   &&w/// = #{'JJJ 0, /##C-!243F3L"MM}40550558TT G*0/ I*1):6 ** &DJ Q F"9, 0"&"= # # #  DKKKr\cPddlm}tjt j|j|j }tj | d|j d}ddi}||j} tj}|D]}||||} | jtjvr.| jt(jkr9t-jd| tj| d c|S |n#|wxYwt-jd ) NrAuthorizedSessionr)rprWrhri)rrrzError calling sign_bytes: {} signedBlobz#exhausted signBlob endpoint retries)google.auth.transport.requestsrr _IAM_SIGN_ENDPOINTrrrr/rrIbase64 b64encoderrKrBrExponentialBackoffpost status_codeIAM_RETRY_CODESr%r&rTransportErrorr b64decodeclose) rSmessageriam_sign_endpointrrauthed_sessionretriesrr2s r9 sign_byteszCredentials.sign_bytesNsDDDDDD2::  /1E  &' ( (  '0077@@   "#56**4+CDD #*=??G G G)..)7/'3+>>>';>99$36==hmmooNN'  (EFFFF  " " " " G  " " " "N " " " "'(MNNNs B>E;;Fc|jSr^rIr`s r9 signer_emailzCredentials.signer_emailp %%r\c|jSr^rr`s r9service_account_emailz!Credentials.service_account_emailtrr\c|Sr^rjr`s r9signerzCredentials.signerxs r\c|j Sr^)rJr`s r9requires_scopeszCredentials.requires_scopes|s&&&r\c4|jr|jd|jdSdS)Nzimpersonated credentials)credential_sourcecredential_typer.)rRrIr`s r9 get_cred_infozCredentials.get_cred_infos2   %)%9#=!3  tr\c ||j|j|j|j|j|j|j}|j|_|S)N)rUrVrWrYrZr0) r[rBrIrJrKrNrPrQrR)rScreds r9 _make_copyzCredentials._make_copysT~~  $!3-o^!3"&"=   $3 r\c<|}||_|Sr^)rrP)rSrZrs r9with_quota_projectzCredentials.with_quota_projects  !1 r\c@|}|p||_|Sr^)rrJ)rSscopesdefault_scopesrs r9rEzCredentials.with_scopess#  $6 r\c*|d}|d}|tkr!ddlm}|j|}n|t kr!ddlm}|j|}nS|tkr!ddl m }|j |}n'tjd||d} | d } | d } | d ks | d ks| | kr'tjd | | | d z| } |d} |d}||| || |S)aCreates a Credentials instance from parsed impersonated service account credentials info. Args: info (Mapping[str, str]): The impersonated service account credentials info in Google format. scopes (Sequence[str]): Optional list of scopes to include in the credentials. Returns: google.oauth2.credentials.Credentials: The constructed credentials. Raises: InvalidType: If the info["source_credentials"] are not a supported impersonation type InvalidValue: If the info["service_account_impersonation_url"] is not in the expected format. ValueError: If the info is not in the expected format. rTtyperr)r)rz.source credential of type {} is not supported.!service_account_impersonation_url/z:generateAccessTokenz'Cannot extract target principal from {}rWrZ)rZ)get'_SOURCE_CREDENTIAL_AUTHORIZED_USER_TYPE google.oauth2rr<from_authorized_user_info'_SOURCE_CREDENTIAL_SERVICE_ACCOUNT_TYPErfrom_service_account_info8_SOURCE_CREDENTIAL_EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE google.authr from_infor InvalidTyperrfindfind InvalidValue)clsinforsource_credentials_infosource_credentials_typerrTrrimpersonation_url start_index end_indexrUrWrZs r9&from_impersonated_service_account_infoz2Credentials.from_impersonated_service_account_infos(#'((+?"@"@"9"="=f"E"E "&M M M 1 1 1 1 1 1!,!8!R!R'""  %(O O O 5 5 5 5 5 5!0! 1 1),33HMMOODD ==??7+ / Jx . . .u 5   s +=C==D)NFNr^)rrrrr@rrrrrrrrr<rdrrs@r9rrs 2222226          X[DEE  FE X[455) ) 65) ) ) ) ) r\rcttj|}|tj|d}tj|d}||d||}t |jdr|jdn|j}|j tj krtj t| tj|} | d} | S#t t"f$r5} tj dt|} | | d} ~ wwxYw) aMakes a request to the Google Cloud IAM service to sign a JWT using a service account's system-managed private key. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. payload (Mapping[str, str]): The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned )rWrprrrr signedJwtz{}: No signed JWT in response.N)r _IAM_SIGNJWT_ENDPOINTrrr r!r"r#rr$r%r&rr'r(r)r+r,) r-r.rrprWr1rr2r3 jwt_response signed_jwtr7r8s r9r}r}Ws6:,33I>>L"tz'/B/B C CD :d   " "7 + +Dw<dSSSH 8=( + +  W%%% ] +.((%nmDDD &z-00 !+.  j !&&&) , 3 3N C C]  :% &sC11D70D22D7) rrrAr http.clientclientr%rrrrrrr r r rr r(rMr{rrrrr:rDrSigningr<rr}rjr\r9rs   !!!!!! ,,,,,, ######""""""!!!!!!># E*;'*;'&9 7 ;&;&;&;&|o o o o o  ?ATo o o d k k k k k @k k k \GI7&7&7&7&7&7&r\