o g#E@sdZddlZddlZddlmZddlmZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z dd lmZdd lmZd Zd Ze jdfd dZGddde je je jZGddde jZdS)aGoogle Cloud Impersonated credentials. This module provides authentication for applications where local credentials impersonates a remote service account using `IAM Credentials API`_. This class can be used to impersonate a service account as long as the original Credential object has the "Service Account Token Creator" role on the target service account. .. _IAM Credentials API: https://cloud.google.com/iam/credentials/reference/rest/ N)datetime)_exponential_backoff)_helpers) credentials) exceptions)iam)jwt)metricsz*Unable to acquire impersonated credentialsic Cs|p tjtj||}t|d}||d||d}t |j dr)|j dn|j }|j t jkr8tt|zt|} | d} t| dd} | | fWSttfyh} z tdt|} | | d } ~ ww) aMakes a request to the Google Cloud IAM service for an access token. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. body (Mapping[str, str]): JSON Payload body for the iamcredentials API call. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned utf-8POST)urlmethodheadersbodydecode accessToken expireTimez%Y-%m-%dT%H:%M:%SZz6{}: No access token or invalid expiration in response.N)r _IAM_ENDPOINTreplacerDEFAULT_UNIVERSE_DOMAINformatjsondumpsencodehasattrdatarstatus http_clientOKr RefreshError_REFRESH_ERRORloadsrstrptimeKeyError ValueError)request principalrruniverse_domainiam_endpoint_override iam_endpointresponse response_bodytoken_responsetokenexpiry caught_excnew_excr1p/var/www/html/Testing_prj/Navya-Bakers/venv/lib/python3.10/site-packages/google/auth/impersonated_credentials.py_make_iam_token_request0s8      r3cseZdZdZdeddffdd ZddZee j ddZ d d Z d d Z ed dZeddZeddZeddZee j ddZddZee jddZee jdddZZS) CredentialsaThis module defines impersonated credentials which are essentially impersonated identities. Impersonated Credentials allows credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the `Service Account Token Creator`_ IAM role: For more information about Token Creator IAM role and IAMCredentials API, see `Creating Short-Lived Service Account Credentials`_. .. _Service Account Token Creator: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role .. _Creating Short-Lived Service Account Credentials: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Usage: First grant source_credentials the `Service Account Token Creator` role on the target account to impersonate. In this example, the service account represented by svc_account.json has the token creator role on `impersonated-account@_project_.iam.gserviceaccount.com`. Enable the IAMCredentials API on the source project: `gcloud services enable iamcredentials.googleapis.com`. Initialize a source credential which does not have access to list bucket:: from google.oauth2 import service_account target_scopes = [ 'https://www.googleapis.com/auth/devstorage.read_only'] source_credentials = ( service_account.Credentials.from_service_account_file( '/path/to/svc_account.json', scopes=target_scopes)) Now use the source credentials to acquire credentials to impersonate another service account:: from google.auth import impersonated_credentials target_credentials = impersonated_credentials.Credentials( source_credentials=source_credentials, target_principal='impersonated-account@_project_.iam.gserviceaccount.com', target_scopes = target_scopes, lifetime=500) Resource access is granted:: client = storage.Client(credentials=target_credentials) buckets = client.list_buckets(project='your_project') for bucket in buckets: print(bucket.name) Ncstt|t||_t|jtjr,|jt j |_t |jdr,|jj r,|j d|j|_||_||_||_|ptt|t|tstd||_||_||_ ||_ dS)a Args: target_credentials (google.auth.Credentials): The target credential used as to acquire the id tokens for. target_audience (string): Audience to issue the token for. include_email (bool): Include email in IdToken quota_project_id (Optional[str]): The project ID used for quota and billing. z4Provided Credential must be impersonated_credentialsN) r6rr7r:r4rGoogleAuthError_target_credentials_target_audience_include_emailrF)rItarget_credentialstarget_audience include_emailrOrPr1r2r7zs  zIDTokenCredentials.__init__cCs|j|||j|jdSN)rrrrO)rQrrF)rIrrr1r1r2from_credentialss z#IDTokenCredentials.from_credentialscCs|j|j||j|jdSr)rQrrrF)rIrr1r1r2with_target_audiences z'IDTokenCredentials.with_target_audiencecCs|j|j|j||jdSr)rQrrrF)rIrr1r1r2with_include_emails z%IDTokenCredentials.with_include_emailcCs|j|j|j|j|dSr)rQrrr)rIrOr1r1r2rs z%IDTokenCredentials.with_quota_projectc Csddlm}tjtj|jj |jj }|j |jj |j d}ddtjti}||jj|d}z|j||t|dd}W|n|w|jtjkrZtd ||d }||_ttj |d d d |_!dS)Nrrd)audiencerM includeEmailrZr[) auth_requestr )r rrzError getting ID token: {}r-F)verifyexp)"rhrer_IAM_IDTOKEN_ENDPOINTrrrrr'rr{rrBrr ra"token_request_id_token_impersonater9rmrrrrrrnrrrrr-rutcfromtimestamprrr.) rIr%rertrrrur*id_tokenr1r1r2rWsB       zIDTokenCredentials.refresh)NFNrR)rrrrr7rrrrrrrrr4rWrr1r1rPr2rus    r)rrjr8r http.clientclientrr google.authrrrrrrr r rCrr3r;rSigningr4rr1r1r1r2s0           >