fAdZddlZddlZddlmZddlmZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z dd lmZd Zd Z dd ZGd de je je jZGdde jZdS)aGoogle Cloud Impersonated credentials. This module provides authentication for applications where local credentials impersonates a remote service account using `IAM Credentials API`_. This class can be used to impersonate a service account as long as the original Credential object has the "Service Account Token Creator" role on the target service account. .. _IAM Credentials API: https://cloud.google.com/iam/credentials/reference/rest/ N)datetime)_helpers) credentials) exceptions)iam)jwt)metricsz*Unable to acquire impersonated credentialsic|ptj|}tj|d}||d||}t |jdr|jdn|j}|j tj krtj t| tj|}|d} t!j|dd} | | fS#t$t&f$r5} tj dt|} | | d } ~ wwxYw) aMakes a request to the Google Cloud IAM service for an access token. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. body (Mapping[str, str]): JSON Payload body for the iamcredentials API call. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned utf-8POST)urlmethodheadersbodydecode accessToken expireTimez%Y-%m-%dT%H:%M:%SZz6{}: No access token or invalid expiration in response.N)r _IAM_ENDPOINTformatjsondumpsencodehasattrdatarstatus http_clientOKr RefreshError_REFRESH_ERRORloadsrstrptimeKeyError ValueError) request principalrriam_endpoint_override iam_endpointresponse response_bodytoken_responsetokenexpiry caught_excnew_excs ^/var/www/html/Alfredo/env/lib/python3.11/site-packages/google/auth/impersonated_credentials.py_make_iam_token_requestr0/sH,)OC,=,D,DY,O,OL :d   " "7 + +Dw<dSSSH 8=( + +  W%%% ] +.((%nmDDD&M22}-">,#?AUVVf} j !&&&) D K K       :%&s>:C99D? 0D::D?ceZdZdZdeddffd ZdZeje j dZ dZ dZ edZed Zed Zed Zeje j d Zd Zeje jdZeje jddZxZS) CredentialsaThis module defines impersonated credentials which are essentially impersonated identities. Impersonated Credentials allows credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the `Service Account Token Creator`_ IAM role: For more information about Token Creator IAM role and IAMCredentials API, see `Creating Short-Lived Service Account Credentials`_. .. _Service Account Token Creator: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role .. _Creating Short-Lived Service Account Credentials: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Usage: First grant source_credentials the `Service Account Token Creator` role on the target account to impersonate. In this example, the service account represented by svc_account.json has the token creator role on `impersonated-account@_project_.iam.gserviceaccount.com`. Enable the IAMCredentials API on the source project: `gcloud services enable iamcredentials.googleapis.com`. Initialize a source credential which does not have access to list bucket:: from google.oauth2 import service_account target_scopes = [ 'https://www.googleapis.com/auth/devstorage.read_only'] source_credentials = ( service_account.Credentials.from_service_account_file( '/path/to/svc_account.json', scopes=target_scopes)) Now use the source credentials to acquire credentials to impersonate another service account:: from google.auth import impersonated_credentials target_credentials = impersonated_credentials.Credentials( source_credentials=source_credentials, target_principal='impersonated-account@_project_.iam.gserviceaccount.com', target_scopes = target_scopes, lifetime=500) Resource access is granted:: client = storage.Client(credentials=target_credentials) buckets = client.list_buckets(project='your_project') for bucket in buckets: print(bucket.name) Nc<tt|tj||_t |jt jrd|jtj |_t|jdr&|jj r|j d||_||_||_|pt"|_d|_t)j|_||_||_d|_dS)aL Args: source_credentials (google.auth.Credentials): The source credential used as to acquire the impersonated credentials. target_principal (str): The service account to impersonate. target_scopes (Sequence[str]): Scopes to request during the authorization grant. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. lifetime (int): Number of seconds the delegated credential should be valid for (upto 3600). quota_project_id (Optional[str]): The project ID used for quota and billing. This project may be different from the project used to create the credentials. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. _create_self_signed_jwtN)superr2__init__copy_source_credentials isinstancerScoped with_scopesr _IAM_SCOPEr_always_use_jwt_accessr4_target_principal_target_scopes _delegates_DEFAULT_TOKEN_LIFETIME_SECS _lifetimer+rutcnowr,_quota_project_id_iam_endpoint_override_cred_file_path) selfsource_credentialstarget_principal target_scopes delegateslifetimequota_project_idr& __class__s r/r6zCredentials.__init__s L k4  ))+++#'9-?#@#@  d. 0B C C G'+'?'K'K((D $ 02KLL G,C G(@@FFF!1+#!A%A o'' !1&;##ctjSN)r CRED_TYPE_SA_IMPERSONATErGs r/_metric_header_for_usagez$Credentials._metric_header_for_usages //rOc0||dSrQ) _update_token)rGr$s r/refreshzCredentials.refreshs 7#####rOc|jjtjjks|jjtjjkr|j||j|jt|j dzd}ddtj tj i}|j|t||j|||j\|_|_dS)zUpdates credentials with a new access_token representing the impersonated account. Args: request (google.auth.transport.requests.Request): Request object to use for refreshing credentials. s)rKscoperL Content-Typeapplication/json)r$r%rrr&N)r8 token_stater TokenStateSTALEINVALIDrWr@r?strrBr API_CLIENT_HEADER&token_request_access_token_impersonateapplyr0r>rEr+r,)rGr$rrs r/rVzCredentials._update_tokens  $ 0K4J4P P P'3{7M7UUU  $ , ,W 5 5 5(DN++c1   .  %w'U'W'W   &&w///"9,"&"= # # #  DKKKrOc^ddlm}tj|j}t j|d|j d}ddi}||j } | |||}| n#| wxYw|j tjkr9t!jd|t j|d S) NrAuthorizedSessionr )payloadrKr[r\)r rrzError calling sign_bytes: {} signedBlob)google.auth.transport.requestsrgr_IAM_SIGN_ENDPOINTrr>base64 b64encoderr@r8postclose status_coderrrTransportErrorr b64decode)rGmessagergiam_sign_endpointrrauthed_sessionr(s r/ sign_byteszCredentials.sign_bytess0DDDDDD299$:PQQ'0077@@   "#56**4+CDD #%**%wT+H  " " " "N " " " "  ;> 1 1+.55hmmooFF   =>>>s /BB2c|jSrQr>rSs r/ signer_emailzCredentials.signer_email0 %%rOc|jSrQrxrSs r/service_account_emailz!Credentials.service_account_email4rzrOc|SrQrSs r/signerzCredentials.signer8s rOc|j SrQ)r?rSs r/requires_scopeszCredentials.requires_scopes<s&&&rOc4|jr|jd|jdSdS)Nzimpersonated credentials)credential_sourcecredential_typer%)rFr>rSs r/ get_cred_infozCredentials.get_cred_info@s2   %)%9#=!3  trOc ||j|j|j|j|j|j|j}|j|_|S)N)rIrJrKrLrMr&) rNr8r>r?r@rBrDrErF)rGcreds r/ _make_copyzCredentials._make_copyJsT~~  $!3-o^!3"&"=   $3 rOc<|}||_|SrQ)rrD)rGrMrs r/with_quota_projectzCredentials.with_quota_projectWs  !1 rOc@|}|p||_|SrQ)rr?)rGscopesdefault_scopesrs r/r;zCredentials.with_scopes]s#  $6 rOrQ)__name__ __module__ __qualname____doc__rAr6rTrcopy_docstringrr2rWrVrvpropertyryr|rrrrCredentialsWithQuotaProjectrr:r; __classcell__rNs@r/r2r2fs;;D-"?$?$?$?$?$?$B000X[455$$65$$ $ $ L???8&&X&&&X&X''X'X[45565   X[DEEFE X[/0010rOr2ceZdZdZ d fd Zd dZdZdZej e j dZ ej e j d ZxZS) IDTokenCredentialszAOpen ID Connect ID Token-based service account credentials. NFctt|t|tst jd||_||_||_ ||_ dS)a Args: target_credentials (google.auth.Credentials): The target credential used as to acquire the id tokens for. target_audience (string): Audience to issue the token for. include_email (bool): Include email in IdToken quota_project_id (Optional[str]): The project ID used for quota and billing. z4Provided Credential must be impersonated_credentialsN) r5rr6r9r2rGoogleAuthError_target_credentials_target_audience_include_emailrD)rGtarget_credentialstarget_audience include_emailrMrNs r/r6zIDTokenCredentials.__init__isu  $''00222,k:: ,I $6 /+!1rOcH||||j|jSN)rrrrM)rNrrD)rGrrs r/from_credentialsz#IDTokenCredentials.from_credentialss/~~1+-!3    rOcR||j||j|jSr)rNrrrD)rGrs r/with_target_audiencez'IDTokenCredentials.with_target_audiences2~~#7+-!3    rOcR||j|j||jSr)rNrrrD)rGrs r/with_include_emailz%IDTokenCredentials.with_include_emails2~~#7 1'!3    rOcR||j|j|j|Sr)rNrrr)rGrMs r/rz%IDTokenCredentials.with_quota_projects2~~#7 1--    rOc$ddlm}tj|jj}|j|jj|j d}ddtj tj i}||jj |} |||tj|d}|n#|wxYw|jt(jkr9t-jd ||d }||_t3jt7j|d d |_dS)Nrrf)audiencerK includeEmailr[r\) auth_requestr )r rrzError getting ID token: {}r+F)verifyexp)rjrgr_IAM_IDTOKEN_ENDPOINTrrryrr@rr rb"token_request_id_token_impersonater8rnrrrrorprrrrr+rutcfromtimestamprrr,) rGr$rgrtrrrur(id_tokens r/rWzIDTokenCredentials.refreshsDDDDDD5<<  $ 1   -1< /   .  %w'Q'S'S  +*  $ 8w    #%**%Z%%,,W55+H  " " " "N " " " "  ;> 1 1),33HMMOODD ==??7+ / Jx . . .u 5   s =CC+)NFNrQ)rrrrr6rrrrrrrrr2rWrrs@r/rrds 2222226          X[DEE  FE X[455( ( 65( ( ( ( ( rOrrQ)rrlr7r http.clientclientrr google.authrrrrrr rrAr0r:rSigningr2rr~rOr/rsf   !!!!!! ######"""""">#>B4&4&4&4&n{{{{{ ?AT{{{|j j j j j @j j j j j rO