eBSrSSKrSSKrSSKJr SSKJr SSKrSSKJ r SSKJ r SSKJ r SSKJ r SSKJ r S /rS rS rS rS rSrSrSSjr"SS\ R,\ R.\ R05r"SS\ R.5rg)aGoogle Cloud Impersonated credentials. This module provides authentication for applications where local credentials impersonates a remote service account using `IAM Credentials API`_. This class can be used to impersonate a service account as long as the original Credential object has the "Service Account Token Creator" role on the target service account. .. _IAM Credentials API: https://cloud.google.com/iam/credentials/reference/rest/ N)datetime)_helpers) credentials) exceptions)jwt)metricsz#https://www.googleapis.com/auth/iamzZhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:generateAccessTokenzOhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:signBlobzVhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:generateIdTokenz*Unable to acquire impersonated credentialsiz#https://oauth2.googleapis.com/tokencU=(d [RU5n[R"U5R S5nU"USX#S9n[ UR S5(aUR RS5O UR nUR[R:wa[R"[U5e[R"U5nUSn [R "USS5n X4$!["[$4a1n [R"SR[5U5n XeS n A ff=f) aMakes a request to the Google Cloud IAM service for an access token. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. body (Mapping[str, str]): JSON Payload body for the iamcredentials API call. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned utf-8POST)urlmethodheadersbodydecode accessToken expireTimez%Y-%m-%dT%H:%M:%SZz6{}: No access token or invalid expiration in response.N) _IAM_ENDPOINTformatjsondumpsencodehasattrdatarstatus http_clientOKr RefreshError_REFRESH_ERRORloadsrstrptimeKeyError ValueError) request principalrriam_endpoint_override iam_endpointresponse response_bodytoken_responsetokenexpiry caught_excnew_excs ?platform/bq/third_party/google/auth/impersonated_credentials.py_make_iam_token_requestr/As,)KM,@,@,KL ::d  " "7 +D<SH 8==( + +  W% ]] +..(%%nmDD&M2}-"">,#?AUV} j !&)) D K K     %&s7DE,D<<EcZ^\rSrSrSrS\SS4U4SjjrSr\R"\ R5S5r Sr Sr\S 5r\S 5r\S 5r\S 5r\R"\ R(5S 5r\R"\ R,5SSj5rSrU=r$) Credentialsxa&This module defines impersonated credentials which are essentially impersonated identities. Impersonated Credentials allows credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the `Service Account Token Creator`_ IAM role: For more information about Token Creator IAM role and IAMCredentials API, see `Creating Short-Lived Service Account Credentials`_. .. _Service Account Token Creator: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role .. _Creating Short-Lived Service Account Credentials: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Usage: First grant source_credentials the `Service Account Token Creator` role on the target account to impersonate. In this example, the service account represented by svc_account.json has the token creator role on `impersonated-account@_project_.iam.gserviceaccount.com`. Enable the IAMCredentials API on the source project: `gcloud services enable iamcredentials.googleapis.com`. Initialize a source credential which does not have access to list bucket:: from google.oauth2 import service_account target_scopes = [ 'https://www.googleapis.com/auth/devstorage.read_only'] source_credentials = ( service_account.Credentials.from_service_account_file( '/path/to/svc_account.json', scopes=target_scopes)) Now use the source credentials to acquire credentials to impersonate another service account:: from google.auth import impersonated_credentials target_credentials = impersonated_credentials.Credentials( source_credentials=source_credentials, target_principal='impersonated-account@_project_.iam.gserviceaccount.com', target_scopes = target_scopes, lifetime=500) Resource access is granted:: client = storage.Client(credentials=target_credentials) buckets = client.list_buckets(project='your_project') for bucket in buckets: print(bucket.name) NcB>[[U] 5 [R"U5Ul[ UR[ R5(auURR[5Ul[URS5(a6URR(aURRS5 X l X0lX@lU=(d [ UlSUl[&R("5UlX`lXplg)a| Args: source_credentials (google.auth.Credentials): The source credential used as to acquire the impersonated credentials. target_principal (str): The service account to impersonate. target_scopes (Sequence[str]): Scopes to request during the authorization grant. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. lifetime (int): Number of seconds the delegated credential should be valid for (upto 3600). quota_project_id (Optional[str]): The project ID used for quota and billing. This project may be different from the project used to create the credentials. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. _create_self_signed_jwtN)superr1__init__copy_source_credentials isinstancerScoped with_scopes _IAM_SCOPEr_always_use_jwt_accessr4_target_principal_target_scopes _delegates_DEFAULT_TOKEN_LIFETIME_SECS _lifetimer*rutcnowr+_quota_project_id_iam_endpoint_override) selfsource_credentialstarget_principal target_scopes delegateslifetimequota_project_idr% __class__s r.r6Credentials.__init__sL k4)+#'99-?#@  d.. 0B0B C C'+'?'?'K'KJ'WD $002KLL,,CC((@@F!1+#!A%A oo' !1&;#c"[R$N)rCRED_TYPE_SA_IMPERSONATErFs r._metric_header_for_usage$Credentials._metric_header_for_usages///rOc&URU5 grQ) _update_token)rFr#s r.refreshCredentials.refreshs 7#rOcBURR[RR:Xd2URR[RR :XaURR U5 URUR[UR5S-S.nSS[R[R"50nURRU5 [UUR UUUR"S9uUlUlg)zUpdates credentials with a new access_token representing the impersonated account. Args: request (google.auth.transport.requests.Request): Request object to use for refreshing credentials. s)rJscoperK Content-Typeapplication/json)r#r$rrr%N)r8 token_stater TokenStateSTALEINVALIDrXr@r?strrBrAPI_CLIENT_HEADER&token_request_access_token_impersonateapplyr/r>rEr*r+)rFr#rrs r.rWCredentials._update_tokens  $ $ 0 0K4J4J4P4P P''33{7M7M7U7UU  $ $ , ,W 5((DNN+c1  .  % %w'U'U'W    &&w/"9,,"&"="= #  DKrOc8SSKJn [RUR5n[ R "U5RS5URS.nSS0nU"UR5nURX5US9nUR5 UR[R:wa3[R "SRUR#555e[ R$"UR#5S 5$!UR5 f=f) NrAuthorizedSessionr )payloadrJr]r^)r rrzError calling sign_bytes: {} signedBlob)google.auth.transport.requestsrj_IAM_SIGN_ENDPOINTrr>base64 b64encoderr@r8postclose status_coderrrTransportErrorr b64decode)rFmessagerjiam_sign_endpointrrauthed_sessionr's r. sign_bytesCredentials.sign_bytes#sD.55d6L6LM''077@  "#56*4+C+CD #%**%T+H  "   ;>> 1++.55hmmoF   =>>  "s /DDcUR$rQr>rSs r. signer_emailCredentials.signer_email?%%%rOcUR$rQr|rSs r.service_account_email!Credentials.service_account_emailCrrOcU$rQrSs r.signerCredentials.signerGs rOc$UR(+$rQ)r?rSs r.requires_scopesCredentials.requires_scopesKs&&&&rOc URURURURURUR UUR S9$N)rHrIrJrKrLr%)rMr8r>r?r@rBrErFrLs r.with_quota_projectCredentials.with_quota_projectOsM~~  $ $!33--oo^^-"&"="=  rOc URURURU=(d UURURUR UR S9$r)rMr8r>r@rBrDrE)rFscopesdefault_scopess r.r;Credentials.with_scopes[sR~~  $ $!33 2Noo^^!33"&"="=  rO) r@rErBrDr8r>r?r+r*rQ)__name__ __module__ __qualname____firstlineno____doc__rAr6rTrcopy_docstringrr1rXrWrypropertyr}rrrCredentialsWithQuotaProjectrr:r;__static_attributes__ __classcell__rMs@r.r1r1xs;D-"<<|0[445$6$$ L?8&&&&''[DDE  F  [//0  1  rOr1c^\rSrSrSrS U4SjjrS SjrSrSr\ R"\ R5S5r \ R"\ R5S5rS rU=r$) IDTokenCredentialsihzAOpen ID Connect ID Token-based service account credentials. c>[[U] 5 [U[5(d[ R "S5eXlX lX0l X@l g)aI Args: target_credentials (google.auth.Credentials): The target credential used as to acquire the id tokens for. target_audience (string): Audience to issue the token for. include_email (bool): Include email in IdToken quota_project_id (Optional[str]): The project ID used for quota and billing. z4Provided Credential must be impersonated_credentialsN) r5rr6r9r1rGoogleAuthError_target_credentials_target_audience_include_emailrD)rFtarget_credentialstarget_audience include_emailrLrMs r.r6IDTokenCredentials.__init__msQ  $02,k::,,I $6 /+!1rOcNURUUURURS9$N)rrrrL)rMrrD)rFrrs r.from_credentials#IDTokenCredentials.from_credentialss0~~1+--!33   rOcbURURUURURS9$r)rMrrrD)rFrs r.with_target_audience'IDTokenCredentials.with_target_audiences6~~#77+--!33   rOcbURURURUURS9$r)rMrrrD)rFrs r.with_include_email%IDTokenCredentials.with_include_emails6~~#77 11'!33   rOcbURURURURUS9$r)rMrrrrs r.r%IDTokenCredentials.with_quota_projects6~~#77 11---   rOc,SSKJn [RURR 5nUR URRURS.nSS[R[R"50nU"URRUS9nURUU[R"U5R!S5S9nUR#5 UR$[&R(:wa3[*R,"S RUR555eUR5S nXl[0R2"[4R6"US S 9S 5Ulg!UR#5 f=f)Nrri)audiencerJ includeEmailr]r^) auth_requestr )r rrzError getting ID token: {}r*F)verifyexp)rmrj_IAM_IDTOKEN_ENDPOINTrrr}rr@rrrd"token_request_id_token_impersonater8rqrrrrrrsrrrrr*rutcfromtimestamprrr+) rFr#rjrwrrrxr'id_tokens r.rXIDTokenCredentials.refreshsYD188  $ $ 1 1  --11<< //  .  % %w'Q'Q'S  +  $ $ 8 8w  #%**%ZZ%,,W5+H  "   ;>> 1)),33HMMOD ==?7+ // JJx .u 5    "s !4FF)rrDrrr+r*)NFNrQ)rrrrrr6rrrrrrrrr1rXrrrs@r.rrhsr 26   [DDE F [445( 6( rOrrQ)rror7r http.clientclientrr google.authrrrrrr<rrnrrrA_DEFAULT_TOKEN_URIr/r:rSigningr1rrrOr.rs  ! #"3 4 0 % 6 >#:>B4&nm  ??ATATm `j @@j rO