Add support for imersonated_credentials.Sign, IDToken #348
Conversation
googlebot
added
the
cla: yes
|
Any pointers on how i can mock the embedded |
yoshi-automation
added
🚨
|
@theacodes @busunkim96 |
|
@theacodes Could we start on the review on this? As mentioned offline, i'm unsure about how to create the testcases that compount two request |
There was a problem hiding this comment.
Thank you for your patience @salrashid123!
I left a few comments below and will get back to you tomorrow morning on the test cases. You can disregard the current test failure in Travis; it was because of a change to pytest (#353).
|
@busunkim96 |
There was a problem hiding this comment.
Thank you for all your patience @salrashid123.
@tswast, could you also take a look?
|
ok, i'm gonna give one more round of end-to-end testing for all the modes later today (just to be sure). Ill reply back here before final merge. thanks for the reviews! |
|
verified the follwoing works with the final fileset in the last commit from google.oauth2 import id_token
from google.oauth2 import service_account
from google.auth import impersonated_credentials
import json
import google.auth
from google.auth import jwt
import google.auth.transport.requests
import base64
import os
from datetime import datetime, timedelta
from google.auth.transport.requests import AuthorizedSession
from google.cloud import storage
source_credentials = service_account.Credentials.from_service_account_file(
'/path/to/svc.json')
target_scopes = ['https://www.googleapis.com/auth/cloud-platform']
target_credentials = impersonated_credentials.Credentials(
source_credentials = source_credentials,
target_principal='[email protected]',
target_scopes = target_scopes,
delegates=[],
lifetime=300)
# ===================== SignedURL
client = storage.Client("fabled-ray-104117", target_credentials )
bucket = client.get_bucket('fabled-ray-104117')
blob = bucket.get_blob('signed_url_file.txt')
s = blob.generate_signed_url(expiration=60, method="GET", version="v4")
print s
# ===================== IDToken
target_audience = 'https://myapp-6w42z6vi3q-uc.a.run.app'
id_creds = impersonated_credentials.IDTokenCredentials(
target_credentials, target_audience=target_audience, include_email=False)
url = 'https://myapp-6w42z6vi3q-uc.a.run.app'
authed_session = AuthorizedSession(id_creds)
r = authed_session.get(url)
print r.status_code
print r.text
# verify
certs_url='https://www.googleapis.com/oauth2/v1/certs'
request = google.auth.transport.requests.Request()
idt = id_creds.token
print idt
print id_token.verify_token(idt,request,certs_url=certs_url) |
Adds support for
impersonated_credentialsto sign and issue IDTokens.impersonated_credentials uses IAMCredentials api at its core which also provides interfaces to
generateIDToken()andsignBlob():This PR seesk to add support for those.
Some benefits:
Singerinterface allows users to 'generate SignedURLs' too. ref: Issue: google-cloud-storage: Cannot create signed url with ImpersonatedCredentials #338The PR at the moment does not have sufficient test coverage (its a solid "C" at 75%). I'm unsure how to mock the internal request/responses since i used
AuthorizedSession()internally withinimersonated_credentials.py. Any tips or pointers there would let me add on coverage. I've left the anticipated responses i would like as comments in this current commitAnyway, usage would be like this to sign and genrate ID tokens (i've verified the following works)