+3XSrSSKJr SSKJr SSKJr SSKrSSKrSSKJr SSKJ r SSK J r SSK Jr SSK Jr SS K Jr SS K Jr SS K Jr SS KJr S r"SS\R*5r"SS\5r"SS\5rSrSSjrSr"SS\5r"SS\R:5rg)z%Utilities for the iamcredentials API.)absolute_import)division)unicode_literalsN exceptions) http_wrapper) apis_internal) properties) resources) transport)clientz&https://iamcredentials.googleapis.com/c\rSrSrSrSrg)Error'z*Exception that are defined by this module.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__r1lib/googlecloudsdk/api_lib/iamcredentials/util.pyrr's2rrc\rSrSrSrSrg)InvalidImpersonationAccount+z1Exception when the service account id is invalid.rNrrrrrr+s9rrc\rSrSrSrSrg)&ImpersonatedCredGoogleAuthRefreshError/zAException for google auth impersonated credentials refresh error.rNrrrrrr/sIrrc ^SSKJn [RR USSUS.S9nUR S[ RSS9n[R"S S US 9nURRURRUR5URRUS 9S 95nU$![ R"a2n[$R&"USR)UR*US9S9eSnAf[ R,an[$R&"U5eSnAff=f)z8Generates an access token for the given service account.r transportsiamcredentials.serviceAccounts- projectsIdserviceAccountsId collectionparamsFenable_resource_quotaresponse_encodingallow_account_impersonationiamcredentialsv1 http_client)scope)namegenerateAccessTokenRequestzError {code} (Forbidden) - failed to impersonate [{service_acc}]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.)code service_acc error_formatN)googlecloudsdk.core.credentialsr#r REGISTRYParseGetApitoolsTransportr ENCODINGr _GetClientInstanceprojects_serviceAccountsGenerateAccessTokenMESSAGES_MODULE?IamcredentialsProjectsServiceAccountsGenerateAccessTokenRequest RelativeNameGenerateAccessTokenRequestapitools_exceptionsHttpForbiddenErrorr HttpExceptionformat status_code HttpError)service_account_idscopesr#service_account_refr3 iam_clientresponsees rrBrB3sC9!**00%E6H I1K//!!**"'0)+ //+7*&22FF"" H H$113'1'A'A ' 'f ' 5 I H O  / /N  " " $Vmm9K$M  NN  & &&  " "1 %%&s%AB99D, -C::D,D''D,c SSKJn [RR USSUS.S9nUR S[ RSS9n[R"S S US 9nURRURRUR5URRXS 9S 95nUR $)z4Generates an id token for the given service account.rr"r$r%r&r)Fr,r0r1r2)audience includeEmail)r5generateIdTokenRequest)r;r#r r<r=r>r r?r r@rAGenerateIdTokenrC;IamcredentialsProjectsServiceAccountsGenerateIdTokenRequestrEGenerateIdTokenRequesttoken)rMrT include_emailr#rOr3rPrQs rrWrW[s9!**00%E6H I1K//!!**"'0)+ //+7* 0 0 @ @  BB"//1!+!;!; ! !8 ! PC( rc[RRRR 5(a2[RRRR 5$[RR RnUR 5UR:wa$[RSUR 55$[$)aqReturns the effective IAM endpoint. (1) If the [api_endpoint_overrides/iamcredentials] property is explicitly set, return the property value. (2) Otherwise if [core/universe_domain] value is not default, return "https://iamcredentials.{universe_domain_value}/". (3) Otherise return "https://iamcredentials.googleapis.com/" Returns: str: The effective IAM endpoint. zgoogleapis.com) r VALUESapi_endpoint_overridesr0IsExplicitlySetGetcoreuniverse_domaindefaultIAM_ENDPOINT_GDUreplace)universe_domain_propertys rGetEffectiveIamEndpointrgws--<<LLNN    3 3 B B F F HH'..33CC!!#'?'G'GG  # #2668  rcP\rSrSrSrSrSrSrSr\ S5r \ S5r S r g ) ImpersonationAccessTokenProviderzvA token provider for service account elevation. This supports the interface required by the core/credentials module. c|SU;a [S5e[X5n[XRURU5$)N,zMore than one service accounts were specified, which is not supported. If being set, please unset the auth/disable_load_google_auth property and retry.)rrBImpersonationCredentials accessToken expireTime)selfrMrNrQs rGetElevationAccessToken8ImpersonationAccessTokenProvider.GetElevationAccessTokensL   ' > ??##5>H #00(2E2Ev OOrc[XU5$N)rW)rprMrTr[s rGetElevationIdToken4ImpersonationAccessTokenProvider.GetElevationIdTokens - GGrcSSKJn SSKJn SSKJn UR 5nUR U5 URUUUUS9n UR5 U R U5 U $!URan SRUS9n Sn [R"U RS 5n U S -U S S -U S S '[R"S U S S0[R "U 5SS9n["R$R'U5n O![(a Of=fU (a[R*"U SS9e[-U 5eSn A ff=f)zCCreates a fresh impersonation credential using google-auth library.rrimpersonated_credentialsrequests)source_credentialstarget_principal target_scopes delegateszFailed to impersonate [{service_acc}]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.)r8N errormessagestatusr7)infocontent request_urlz{message} {details? {?}}r9) google.authrrygooglecloudsdk.corer{GoogleAuthRequestrefresh CredentialsPerformIamEndpointsOverride RefreshErrorrJjsonloadsargsrResponsedumpsrGrL FromResponse ExceptionrIr)rpr|r}rrNgoogle_auth_exceptions$google_auth_impersonated_credentials core_requestsrequest_clientcredrRoriginal_message http_errorr http_responses r!GetElevationAccessTokenGoogleAuthBImpersonationAccessTokenProvider.GetElevationAccessTokenGoogleAuthsA\=#446N~. / ; ;-) < D  $$&-E ll>"\ K[ " . .+E BBH&*CIC j **QVVAY' s "WW%5i%@ @ # %--GG,V45JJw' )22?? N     && %@  33C DDW+Es=A**E:E  BDE  D"E !D""*E  EcSSKJn SSKJn UR UUUS9nUR 5nUR 5 URU5 U$)z=Creates an ID token credentials for impersonated credentials.rrxrz)target_audiencer[)rryrr{IDTokenCredentialsrrr)rp%google_auth_impersonation_credentialsrTr[rrrrs rGetElevationIdTokenGoogleAuth>ImpersonationAccessTokenProvider.GetElevationIdTokenGoogleAuthsW]= / B B- # C D #446N$$&LL KrcfSSKJn [U[5=(d [XR5$)Nrrx)rry isinstancermr)clsrrs rIsImpersonationCredential:ImpersonationAccessTokenProvider.IsImpersonationCredentials-] d4 5  >>:rcSSKJn [5nURR [ U5UlUR R [ U5UlURR [ U5Ulg)a Perform IAM endpoint override if needed. We will override IAM generateAccessToken, signBlob, and generateIdToken endpoint under the following conditions. (1) If the [api_endpoint_overrides/iamcredentials] property is explicitly set, we replace "https://iamcredentials.googleapis.com/" with the given property value in these endpoints. (2) If the property above is not set, and the [core/universe_domain] value is not default, we replace "googleapis.com" with the [core/universe_domain] property value in these endpoints. r)iamN)rrrg _IAM_ENDPOINTrerd_IAM_SIGN_ENDPOINT_IAM_IDTOKEN_ENDPOINT)rgoogle_auth_iameffective_iam_endpoints rrXlURU5n[[U]USSSUSSUS9 g)N)rN)_service_account_id_ConvertExpiryTimesuperrm__init__)rprM access_token token_expiryrN __class__s rr!ImpersonationCredentials.__init__/s@1**<8L "D2dD$ dD3Qrc[UR[UR55nURUlUR UR5Ulgrt) rBrlistrNrnrrror)rphttprQs r_refresh!ImpersonationCredentials._refresh5sF#4#;#;T$++=NOH ,,D//0C0CDDrc^[RRU[R5$rt)datetimestrptimerm_EXPIRY_FORMAT)rpvalues rr+ImpersonationCredentials._ConvertExpiryTime<s(    % %e&>&M&M OOr)rrr) rrrrrrrrrr __classcell__)rs@rrmrm*s%'.Q EOOrrm)F)r __future__rrrrrapitools.base.pyrrGrgooglecloudsdk.api_lib.utilr rcore_exceptionsr r r oauth2clientr rdrrrrBrWrgobjectriOAuth2Credentialsrmrrrrs ,&' >)52=*))<3O ! !3:%:JUJ%&P8.YvYxOv77Or