)4SrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJ r SSK Jr SSK J r SS KJr SS KJr SSKJr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJr SSKrSr \RB"SS\RD55r#g)zKA command that prints an access token for Application Default Credentials. )absolute_import)division)unicode_literals) credentials) exceptions)impersonated_credentials)util) arg_parsers)base)log) properties)requests)creds)google_auth_credentials)storeNic.\rSrSrSr\S5rSrSrg)PrintAccessToken+a5Print an access token for your current Application Default Credentials. {command} generates and prints an access token for the current Application Default Credential (ADC). The [ADC](https://google.aip.dev/auth/4110) can be specified either by using `gcloud auth application-default login`, `gcloud auth login --cred-file=/path/to/cred/file --update-adc`, or by setting the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. The access token generated by {command} is useful for manually testing APIs via curl or similar tools. In order to print details of the access token, such as the associated account and the token's expiration time in seconds, run: $ curl -H "Content-Type: application/x-www-form-urlencoded" \ -d "access_token=$(gcloud auth application-default print-access-token)" \ https://www.googleapis.com/oauth2/v1/tokeninfo Note that token itself may not be enough to access some services. If you use the token with curl or similar tools, you may see permission errors similar to "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell". If it happens, you may need to provide a quota project in the "X-Goog-User-Project" header. For example, $ curl -H "X-Goog-User-Project: your-project" \ -H \ "Authorization: Bearer $(gcloud auth application-default \ print-access-token)" foo.googleapis.com The identity that granted the token must have the serviceusage.services.use permission on the provided project. See https://cloud.google.com/apis/docs/system-parameters for more information. c HURS[R"SS9SS9 URS[R"SS9S S R S R [ S R[R555S 9 URRS5 g)N --lifetime43200s) upper_boundaAccess token lifetime. The default access token lifetime is 3600 seconds, but you can use this flag to reduce the lifetime or extend it up to 43200 seconds (12 hours). The org policy constraint `constraints/iam.allowServiceAccountCredentialLifetimeExtension` must be set if you want to extend the lifetime beyond 3600 seconds. Note that this flag is for service account impersonation only, so it only works when either `--impersonate-service-account` flag or `auth/impersonate_service_account` property is set.)typehelp--scopes) min_lengthSCOPEamThe scopes to authorize for. This flag is supported for user accounts and service accounts only. The list of possible scopes can be found at: [](https://developers.google.com/identity/protocols/googlescopes). For end-user accounts, the provided scopes must be from [{0}], or the scopes previously specified through `gcloud auth application-default login --scopes`., `{}`)rmetavarrz value(token)) add_argumentr DurationArgListformatjoinmap auth_utilDEFAULT_SCOPES display_info AddFormat)parsers :lib/surface/auth/application_default/print_access_token.pyArgsPrintAccessToken.ArgsRs   ! !h 7 C     A .< =CF499  y77 8D:=; < !!.1c Z[R"5RUR=(d [R /S9up#[R"U5n[R R"R$R'5nU=(d USLnUR((aU(d[R*"SS5eU(a[,R."U5upUR(aU(d[R0R3U5n U [R0R4[R0R64;a/[R8"SR;U R<55 UR[R>[R@/-n [CU[DRF5(aURIU 5nOXl%[CU[LRN5(a[PRNRSU5nU(a7U(aWUl*W Ul+UR((aUR(Ul,[RZ"5Ul.[^R`"5n [,Rb"SS9 UReU 5 SSS5 U(aU(aU$[pRN"UWW UR=(d [R /UR(=(d [rS 9n U ReU 5 U $![ RaDn[R"USS9 [R"[R"U55eSnAff=f!,(df  N=f![fRhaonUR(aW[R*"S S R;S Rk[mS R:[Rn5555eUeSnAff=f)zRun the helper command.)scopesT)exc_infoNra Lifetime flag is for service account impersonation only. It must be used together with either --impersonate-service-account flag or auth/impersonate_service_account property, or the application default credential json file must have `impersonated_service_account` type.zQ`--scopes` flag may not work as expected and will be ignored for account type {}.)for_adcrzInvalid scopes value. Please make sure the scopes are from [{0}], or the scopes previously specified through `gcloud auth application-default login --scopes`.rr )source_credentialstarget_principal delegates target_scopeslifetime):c_credsGetGoogleAuthDefaultdefaultr2r(CLOUD_PLATFORM_SCOPEgoogle_auth_exceptionsDefaultCredentialsErrorr debugc_exc ToolExceptionsix text_type IsImpersonatedAccountCredentialsr VALUESauthimpersonate_service_accountGetr9InvalidArgumentExceptionc_storeParseImpersonationAccountsCredentialTypeGoogleAuthFromCredentials USER_ACCOUNTSERVICE_ACCOUNTwarningr%keyOPENIDUSER_EMAIL_SCOPE isinstancerScoped with_scopes_scopesgoogle_auth_creds Credentials c_google_authFromGoogleAuthUserCredentials_target_principal _delegates _lifetimeGetDefaultTokenUri _token_urirGoogleAuthRequest'HandleGoogleAuthCredentialsRefreshErrorrefreshcreds_exceptionsTokenRefreshErrorr&r'r)r_DEFAULT_TOKEN_LIFETIME_SECS)selfargsr_eis_adc_cred_impersonatedimpersonation_service_accountsis_impersonation_usedr6r7 cred_typer2reqimpersonated_credss r-RunPrintAccessToken.Runrs72--/77@!?!? @8Bhe 'GGN::>>@#5&d2 }}2  * * 6  &&-&H&H ('# {{022BB5Ii   * * 7 7  * * : :   ##)6)--#8 {{i.. 0J0JKKf E;-- . .!!&) %*6677''EE e '"2$ -- 113E  $ $ &C   : :4 H c I$ !$< l1== )kkEi&D&D%E>"> s# g " 9 92 iiD!    a 0 112n I H  - -  ,,  @VDIIc&--1I1IJK L N N sOAL;N'-N?N';N?NN N$ N'$N''P*;A*P%%P*N) __name__ __module__ __qualname____firstlineno____doc__ staticmethodr.rr__static_attributes__rtr0r-rr+s"#J22>yr0r)$ry __future__rrr google.authrrr>r google.oauth2rYgooglecloudsdk.api_lib.authr r(googlecloudsdk.callioper r rAgooglecloudsdk.corer r rgooglecloudsdk.core.credentialsrr:rerr[rrKrCrgUniverseCompatibleCommandrrtr0r-rss ''#<0:9/(7#*(<JT< #t||r0