google.auth.impersonated_credentials module
Google Cloud Impersonated credentials.
This module provides authentication for applications where local credentials impersonate a remote service account using the IAM Credentials API.
This class can be used to impersonate a service account as long as the original Credential object has the “Service Account Token Creator” role on the target service account.
class Credentials(source_credentials, target_principal, target_scopes, delegates=None, lifetime=3600)
Bases: google.auth.credentials.Credentials, google.auth.credentials.Signing

This class defines impersonated credentials, which are essentially impersonated identities.
Impersonated Credentials allow credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the Service Account Token Creator IAM role.
For more information about the Token Creator IAM role and the IAMCredentials API, see Creating Short-Lived Service Account Credentials.
Usage:
First grant source_credentials the Service Account Token Creator role on the target account to impersonate. In this example, the service account represented by svc_account.json has the Token Creator role on impersonated-account@_project_.iam.gserviceaccount.com.
Enable the IAMCredentials API on the source project: gcloud services enable iamcredentials.googleapis.com.
Initialize a source credential which does not itself have access to list buckets:

    from google.oauth2 import service_account

    # Scopes the impersonated token will be requested with.
    target_scopes = [
        'https://www.googleapis.com/auth/devstorage.read_only']
    source_credentials = (
        service_account.Credentials.from_service_account_file(
            '/path/to/svc_account.json',
            scopes=target_scopes))

Now use the source credentials to acquire credentials to impersonate another service account:

    from google.auth import impersonated_credentials

    # lifetime is in seconds; the token is minted on first use and
    # refreshed automatically when it expires.
    target_credentials = impersonated_credentials.Credentials(
        source_credentials=source_credentials,
        target_principal='impersonated-account@_project_.iam.gserviceaccount.com',
        target_scopes=target_scopes,
        lifetime=500)

Resource access is granted:

    from google.cloud import storage

    client = storage.Client(credentials=target_credentials)
    buckets = client.list_buckets(project='your_project')
    for bucket in buckets:
        print(bucket.name)
- Parameters
source_credentials (google.auth.Credentials) – The source credential used to acquire the impersonated credentials.
target_principal (str) – The service account to impersonate.
target_scopes (Sequence[str]) – Scopes to request during the authorization grant.
delegates (Sequence[str]) – The chained list of delegates required to grant the final access_token. If set, each identity in the sequence must have the “Service Account Token Creator” role granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], source_credentials must have the Token Creator role on serviceAccountB, serviceAccountB must have the Token Creator role on serviceAccountC, and finally serviceAccountC must have the Token Creator role on target_principal. If left unset, source_credentials must have that role on target_principal.
lifetime (int) – Number of seconds the delegated credential should be valid for (up to 3600).
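The following is an added example written for this page; it is not code from google-auth and makes no network calls. It ties the usage steps above to the delegates and lifetime parameters: it lists the exact Token Creator grants a delegation chain needs, audits a (constructed) IAM policy for the grant that is missing, and builds the generateAccessToken request the same inputs would produce. The endpoint URL, the JSON field names and the projects/-/serviceAccounts/{email} form for delegates are taken from the public IAM Credentials API reference, not from this page, and are assumptions here.

```python
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Assumed constant (public IAM Credentials API reference, not this page):
# the endpoint that refresh() ultimately calls for an access token.
IAM_GENERATE_ACCESS_TOKEN = (
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
    "{}:generateAccessToken"
)
MAX_LIFETIME_SECONDS = 3600  # the cap stated for the lifetime parameter
TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"


def required_token_creator_bindings(
    source_principal: str,
    target_principal: str,
    delegates: Optional[Sequence[str]] = None,
) -> List[Tuple[str, str]]:
    """Return the (grantee, service_account) pairs that must each carry
    TOKEN_CREATOR_ROLE for the impersonation to succeed, in hop order.

    delegates=[B, C] yields source->B, B->C, C->target; no delegates
    yields the single hop source->target, as the parameter text describes.
    """
    chain = [source_principal, *(delegates or []), target_principal]
    return [(chain[i], chain[i + 1]) for i in range(len(chain) - 1)]


def missing_token_creator_bindings(
    required: Sequence[Tuple[str, str]],
    token_creators: Dict[str, Set[str]],
) -> List[Tuple[str, str]]:
    """Audit helper. token_creators maps a service account email to the set
    of principals holding TOKEN_CREATOR_ROLE on it (as read from its IAM
    policy). Returns the hops in `required` that are not granted, so a
    RefreshError can be traced to the one missing grant."""
    return [(who, on) for who, on in required if who not in token_creators.get(on, set())]


def request_input_problems(
    target_principal: str, target_scopes: Sequence[str], lifetime: int
) -> List[str]:
    """Validate constructor inputs before any token is requested. A lifetime
    over the cap is reported rather than silently shortened by the service."""
    problems = []
    if "@" not in target_principal or not target_principal.endswith(".gserviceaccount.com"):
        problems.append(f"target_principal is not a service account email: {target_principal!r}")
    if not isinstance(lifetime, int) or not 0 < lifetime <= MAX_LIFETIME_SECONDS:
        problems.append(f"lifetime must be 1..{MAX_LIFETIME_SECONDS} seconds, got {lifetime!r}")
    if not target_scopes:
        problems.append("target_scopes must not be empty")
    return problems


def build_generate_access_token_request(
    target_principal: str,
    target_scopes: Sequence[str],
    delegates: Optional[Sequence[str]] = None,
    lifetime: int = MAX_LIFETIME_SECONDS,
) -> Tuple[str, dict]:
    """Build the URL and JSON body for a generateAccessToken call from the
    same inputs the Credentials constructor takes."""
    problems = request_input_problems(target_principal, target_scopes, lifetime)
    if problems:
        raise ValueError("; ".join(problems))
    body: dict = {"scope": list(target_scopes), "lifetime": f"{lifetime}s"}
    if delegates:
        # Assumption: the API reference documents delegate entries in the
        # projects/-/serviceAccounts/{email} resource-name form.
        body["delegates"] = [f"projects/-/serviceAccounts/{d}" for d in delegates]
    return IAM_GENERATE_ACCESS_TOKEN.format(target_principal), body


if __name__ == "__main__":
    # Constructed sample principals and policy; not real accounts.
    source = "caller@my-project.iam.gserviceaccount.com"
    hop_b = "hop-b@my-project.iam.gserviceaccount.com"
    target = "impersonated-account@my-project.iam.gserviceaccount.com"
    hops = required_token_creator_bindings(source, target, [hop_b])
    policy = {hop_b: {source}}  # the grant hop_b -> target is absent
    print("missing grants:", missing_token_creator_bindings(hops, policy))
    print(build_generate_access_token_request(
        target, ["https://www.googleapis.com/auth/devstorage.read_only"],
        delegates=[hop_b], lifetime=500))
```

The audit helper is the defender's view of the delegates rule: every hop is a separate, reviewable IAM binding, and a chain should be no longer than the access pattern genuinely requires.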
refresh(request)
Refreshes the access token.
- Parameters
request (google.auth.transport.Request) – The object used to make HTTP requests.
- Raises
google.auth.exceptions.RefreshError – If the credentials could not be refreshed.
property expired
Checks if the credentials are expired.
Note that credentials can be invalid but not expired, because Credentials with expiry set to None are considered to never expire.

property signer
The signer used to sign bytes.
before_request(request, method, url, headers)
Performs credential-specific before-request logic.
Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.
- Parameters
request (google.auth.transport.Request) – The object used to make HTTP requests.
method (str) – The request’s HTTP method or the RPC method being invoked.
url (str) – The request’s URI or the RPC service’s URI.
headers (Mapping) – The request’s headers.
class IDTokenCredentials(target_credentials, target_audience=None, include_email=False)
Bases: google.auth.credentials.Credentials

OpenID Connect ID Token-based service account credentials.
- Parameters
target_credentials (google.auth.Credentials) – The target credential for which ID tokens are acquired.
target_audience (str) – Audience to issue the token for.
include_email (bool) – Include the email claim in the ID token.
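The following is an added example written for this page, not code from google-auth. It shows why target_audience and include_email matter: it builds the generateIdToken request from the same inputs IDTokenCredentials takes, then runs the receiving side's claim checks over a constructed, unsigned sample token, showing that a token minted for one audience is refused by another and that the email claim is only present when requested. The endpoint URL and the JSON field names are taken from the public IAM Credentials API reference, not from this page, and are assumptions; the sample token and its claims are constructed. Signature verification is deliberately out of scope and must run first in real code (google.oauth2.id_token.verify_token does that).

```python
import base64
import json
import time
from typing import Any, Dict, List, Optional, Tuple

# Assumed constant (public IAM Credentials API reference, not this page):
# the endpoint that mints an ID token for a service account.
IAM_GENERATE_ID_TOKEN = (
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
    "{}:generateIdToken"
)


def build_generate_id_token_request(
    target_principal: str, target_audience: Optional[str], include_email: bool = False
) -> Tuple[str, dict]:
    """URL and JSON body for minting an ID token for target_principal. An
    empty audience is refused: a token with no audience cannot be bound to
    the one service that is supposed to accept it."""
    if not target_audience:
        raise ValueError("target_audience is required")
    # Assumption: field names as documented in the API reference.
    body = {"audience": target_audience, "includeEmail": include_email}
    return IAM_GENERATE_ID_TOKEN.format(target_principal), body


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_id_token(claims: Dict[str, Any]) -> str:
    """Constructed, unsigned sample token for offline demonstration only;
    a real ID token carries Google's RS256 signature in the third segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def id_token_claims(token: str) -> Dict[str, Any]:
    """Decode the payload segment of a JWT. This does not verify the
    signature; it only exposes the claims for the checks below."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def id_token_claim_problems(
    claims: Dict[str, Any],
    expected_audience: str,
    require_email: bool = False,
    now: Optional[float] = None,
) -> List[str]:
    """Receiving-side checks, to be run after the signature is verified.
    Returns an empty list when the token is acceptable for this audience."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append(f"aud {claims.get('aud')!r} is not {expected_audience!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    if require_email and not claims.get("email"):
        problems.append("email claim missing: mint with include_email=True")
    return problems


if __name__ == "__main__":
    # Constructed sample values; not real accounts or services.
    sa = "impersonated-account@my-project.iam.gserviceaccount.com"
    print(build_generate_id_token_request(sa, "https://svc-a.example", include_email=True))
    token = make_constructed_id_token(
        {"aud": "https://svc-a.example", "exp": int(time.time()) + 300, "email": sa})
    claims = id_token_claims(token)
    print("svc-a:", id_token_claim_problems(claims, "https://svc-a.example", require_email=True))
    print("svc-b:", id_token_claim_problems(claims, "https://svc-b.example"))
```

The audience check is the property that makes an ID token safer to hand around than an access token: a token minted with target_audience for one service is useless at any other, provided every receiver checks aud as above.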
apply(headers, token=None)
Apply the token to the authentication header.

before_request(request, method, url, headers)
Performs credential-specific before-request logic.
Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.
- Parameters
request (google.auth.transport.Request) – The object used to make HTTP requests.
method (str) – The request’s HTTP method or the RPC method being invoked.
url (str) – The request’s URI or the RPC service’s URI.
headers (Mapping) – The request’s headers.
property expired
Checks if the credentials are expired.
Note that credentials can be invalid but not expired, because Credentials with expiry set to None are considered to never expire.
refresh(request)
Refreshes the access token.
- Parameters
request (google.auth.transport.Request) – The object used to make HTTP requests.
- Raises
google.auth.exceptions.RefreshError – If the credentials could not be refreshed.