a w=ic >@sdZddlZddlZddlmZddlZddlZddlmZddlm Z ddlm Z ddlm Z ddlm Z d Z d gZd Zd Zd ZdZd Z dZdddZGddde je je jZGddde jZdS)aGoogle Cloud Impersonated credentials. This module provides authentication for applications where local credentials impersonates a remote service account using `IAM Credentials API`_. This class can be used to impersonate a service account as long as the original Credential object has the "Service Account Token Creator" role on the target service account. .. _IAM Credentials API: https://cloud.google.com/iam/credentials/reference/rest/ N)datetime) http_client)_helpers) credentials) exceptions)jwtiz#https://www.googleapis.com/auth/iamzZhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:generateAccessTokenzOhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:signBlobzVhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:generateIdTokenz*Unable to acquire impersonated credentialsz#https://oauth2.googleapis.com/tokenc Cs|p t|}t|d}||d||d}t|jdrF|jdn|j}|jt j krdt t |z,t|}|d} t|dd} | | fWSttfy} z*t dt |} t| | WYd } ~ n d } ~ 00d S) aMakes a request to the Google Cloud IAM service for an access token. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. body (Mapping[str, str]): JSON Payload body for the iamcredentials API call. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned utf-8POST)urlmethodheadersbodydecodeZ accessTokenZ expireTimez%Y-%m-%dT%H:%M:%SZz6{}: No access token or invalid expiration in response.N) _IAM_ENDPOINTformatjsondumpsencodehasattrdatarstatusrOKrZ RefreshError_REFRESH_ERRORloadsrstrptimeKeyError ValueErrorsix raise_from) request principalr r iam_endpoint_overrideZ iam_endpointresponseZ response_bodyZtoken_responsetokenexpiryZ caught_excnew_excr&u/home/droni/.local/share/virtualenvs/DPS-5Je3_V2c/lib/python3.9/site-packages/google/auth/impersonated_credentials.py_make_iam_token_requestCs,     r(cseZdZdZdeddffdd Zeej ddZ ddZ d d Z e d d Ze d dZe ddZe ddZeejddZeejdddZZS) CredentialsaThis module defines impersonated credentials which are essentially impersonated identities. Impersonated Credentials allows credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the `Service Account Token Creator`_ IAM role: For more information about Token Creator IAM role and IAMCredentials API, see `Creating Short-Lived Service Account Credentials`_. .. _Service Account Token Creator: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role .. _Creating Short-Lived Service Account Credentials: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Usage: First grant source_credentials the `Service Account Token Creator` role on the target account to impersonate. In this example, the service account represented by svc_account.json has the token creator role on `impersonated-account@_project_.iam.gserviceaccount.com`. Enable the IAMCredentials API on the source project: `gcloud services enable iamcredentials.googleapis.com`. Initialize a source credential which does not have access to list bucket:: from google.oauth2 import service_account target_scopes = [ 'https://www.googleapis.com/auth/devstorage.read_only'] source_credentials = ( service_account.Credentials.from_service_account_file( '/path/to/svc_account.json', scopes=target_scopes)) Now use the source credentials to acquire credentials to impersonate another service account:: from google.auth import impersonated_credentials target_credentials = impersonated_credentials.Credentials( source_credentials=source_credentials, target_principal='impersonated-account@_project_.iam.gserviceaccount.com', target_scopes = target_scopes, lifetime=500) Resource access is granted:: client = storage.Client(credentials=target_credentials) buckets = client.list_buckets(project='your_project') for bucket in buckets: print(bucket.name) Ncsrtt|t||_t|jtjr6|jt |_||_ ||_ ||_ |pNt |_d|_t|_||_||_dS)aL Args: source_credentials (google.auth.Credentials): The source credential used as to acquire the impersonated credentials. target_principal (str): The service account to impersonate. target_scopes (Sequence[str]): Scopes to request during the authorization grant. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. lifetime (int): Number of seconds the delegated credential should be valid for (upto 3600). quota_project_id (Optional[str]): The project ID used for quota and billing. This project may be different from the project used to create the credentials. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. N)superr)__init__copy_source_credentials isinstancerScoped with_scopes _IAM_SCOPE_target_principal_target_scopes _delegates_DEFAULT_TOKEN_LIFETIME_SECS _lifetimer#rutcnowr$_quota_project_id_iam_endpoint_override)selfZsource_credentialstarget_principal target_scopes delegateslifetimequota_project_idr! __class__r&r'r+s&   zCredentials.__init__cCs||dSN) _update_token)r:rr&r&r'refreshszCredentials.refreshcCsd|jjs|j||j|jt|jdd}ddi}|j|t||j |||j d\|_ |_ dS)zUpdates credentials with a new access_token representing the impersonated account. Args: request (google.auth.transport.requests.Request): Request object to use for refreshing credentials. s)r=scoper> Content-Typeapplication/json)rr r r r!N) r-ZvalidrDr4r3strr6applyr(r2r9r#r$)r:rr r r&r&r'rCs    zCredentials._update_tokencCsddlm}t|j}t|d|jd}ddi}||j }z|j |||d}W| n | 0|j t jkrtd|t|d S) NrAuthorizedSessionr)payloadr=rGrH)r r rzError calling sign_bytes: {}Z signedBlob)google.auth.transport.requestsrL_IAM_SIGN_ENDPOINTrr2base64 b64encoderr4r-postclose status_coderrrZTransportErrorr b64decode)r:messagerLiam_sign_endpointr r authed_sessionr"r&r&r' sign_bytess"     zCredentials.sign_bytescCs|jSrBr2r:r&r&r' signer_email1szCredentials.signer_emailcCs|jSrBrZr[r&r&r'service_account_email5sz!Credentials.service_account_emailcCs|SrBr&r[r&r&r'signer9szCredentials.signercCs|j SrB)r3r[r&r&r'requires_scopes=szCredentials.requires_scopesc Cs$|j|j|j|j|j|j||jdSN)r;r<r=r>r?r!)rAr-r2r3r4r6r9r:r?r&r&r'with_quota_projectAszCredentials.with_quota_projectc Cs(|j|j|j|p||j|j|j|jdSr`)rAr-r2r4r6r8r9)r:ZscopesZdefault_scopesr&r&r'r0MszCredentials.with_scopes)N)__name__ __module__ __qualname____doc__r5r+rcopy_docstringrr)rDrCrYpropertyr\r]r^r_CredentialsWithQuotaProjectrbr/r0 __classcell__r&r&r@r'r)zs,B7         r)csdeZdZdZdfdd ZdddZdd Zd d Ze e j d d Z e e j ddZZS)IDTokenCredentialszAOpen ID Connect ID Token-based service account credentials. NFcs>tt|t|ts"td||_||_||_ ||_ dS)a Args: target_credentials (google.auth.Credentials): The target credential used as to acquire the id tokens for. target_audience (string): Audience to issue the token for. include_email (bool): Include email in IdToken quota_project_id (Optional[str]): The project ID used for quota and billing. z4Provided Credential must be impersonated_credentialsN) r*rkr+r.r)rZGoogleAuthError_target_credentials_target_audience_include_emailr8)r:target_credentialstarget_audience include_emailr?r@r&r'r+_s zIDTokenCredentials.__init__cCs|j|||j|jdSN)rorprqr?)rArnr8)r:rorpr&r&r'from_credentialszs z#IDTokenCredentials.from_credentialscCs|j|j||j|jdSrr)rArlrnr8)r:rpr&r&r'with_target_audiences z'IDTokenCredentials.with_target_audiencecCs|j|j|j||jdSrr)rArlrmr8)r:rqr&r&r'with_include_emails z%IDTokenCredentials.with_include_emailcCs|j|j|j|j|dSrr)rArlrmrnrar&r&r'rbs z%IDTokenCredentials.with_quota_projectc Csddlm}t|jj}|j|jj|jd}ddi}||jj |d}|j ||t | dd}| d }||_ttj|d d d |_dS) NrrK)Zaudiencer=Z includeEmailrGrH)Z auth_requestr)r r rr#F)verifyexp)rNrL_IAM_IDTOKEN_ENDPOINTrrlr\rmr4rnr-rRrrrr#r fromtimestamprrr$) r:rrLrWr r rXr"Zid_tokenr&r&r'rDs(  zIDTokenCredentials.refresh)NFN)N)rcrdrerfr+rsrtrurrgrrirbr)rDrjr&r&r@r'rkZs    rk)N)rfrPr,rrrZ six.movesrZ google.authrrrrr5r1rrOrxrZ_DEFAULT_TOKEN_URIr(r/riZSigningr)rkr&r&r&r's8        7  a