External Account Credentials.
This module provides credentials that exchange workload identity pool external credentials for Google access tokens. This facilitates accessing Google Cloud Platform resources from on-prem and non-Google Cloud platforms (e.g. AWS, Microsoft Azure, OIDC identity providers), using native credentials retrieved from the current environment without the need to copy, save and manage long-lived service account credentials.
Specifically, this is intended to use access tokens acquired using the GCP STS token exchange endpoint following the OAuth 2.0 Token Exchange spec.
- class Credentials(audience, subject_token_type, token_url, credential_source, service_account_impersonation_url=None, service_account_impersonation_options=None, client_id=None, client_secret=None, token_info_url=None, quota_project_id=None, scopes=None, default_scopes=None, workforce_pool_user_project=None, universe_domain='googleapis.com', trust_boundary=None)¶
Base class for all external account credentials.
This is used to instantiate Credentials for exchanging external account credentials for Google access token and authorizing requests to Google APIs. The base class implements the common logic for exchanging external account credentials for Google access tokens.
Instantiates an external account credentials object.
audience (str) – The STS audience field.
subject_token_type (str) – The subject token type.
token_url (str) – The STS endpoint URL.
credential_source (Mapping) – The credential source dictionary.
token_info_url (str) – The optional STS endpoint URL for token introspection.
workforce_pool_user_project (Optona[str]) – The optional workforce pool user project number when the credential corresponds to a workforce pool and not a workload identity pool. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota.
universe_domain (str) – The universe domain. The default universe domain is googleapis.com.
trust_boundary (str) – String representation of trust boundary meta.
google.auth.exceptions.RefreshError – If the generateAccessToken endpoint returned an error.
- property info¶
Generates the dictionary representation of the current credentials.
- The dictionary representation of the credentials. This is the
reverse of “from_info” defined on the subclasses of this class. It is useful for serializing the current credentials so it can deserialized later.
- Return type:
- property service_account_email¶
Returns the service account email if service account impersonation is used.
- property is_user¶
Returns whether the credentials represent a user (True) or workload (False). Workloads behave similarly to service accounts. Currently workloads will use service account impersonation but will eventually not require impersonation. As a result, this property is more reliable than the service account email property in determining if the credentials represent a user or workload.
- True if the credentials represent a user. False if they represent a
- Return type:
- property is_workforce_pool¶
Returns whether the credentials represent a workforce pool (True) or workload (False) based on the credentials’ audience.
This will also return True for impersonated workforce pool credentials.
- True if the credentials represent a workforce pool. False if they
represent a workload.
- Return type:
- property requires_scopes¶
Checks if the credentials requires scopes.
True if there are no scopes set otherwise False.
- Return type:
- property project_number¶
The project number corresponding to the workload identity pool.
- with_scopes(scopes, default_scopes=None)¶
Create a copy of these credentials with the specified scopes.
- abstract retrieve_subject_token(request)¶
Retrieves the subject token using the credential_source object.
Retrieves the project ID corresponding to the workload identity or workforce pool. For workforce pool credentials, it returns the project ID corresponding to the workforce_pool_user_project.
When not determinable, None is returned.
This is introduced to support the current pattern of using the Auth library:
credentials, project_id = google.auth.default()
The resource may not have permission (resourcemanager.projects.get) to call this API or the required scopes may not be selected: https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes
Refreshes the access token.
Returns a copy of these credentials with a modified quota project.
Returns a copy of these credentials with a modified token uri.
- apply(headers, token=None)¶
Apply the token to the authentication header.
- before_request(request, method, url, headers)¶
Performs credential-specific before request logic.
Refreshes the credentials if necessary, then calls
apply()to apply the token to the authentication header.
- property expired¶
Checks if the credentials are expired.
Note that credentials can be invalid but not expired because Credentials with
expiryset to None is considered to never expire.
- classmethod from_info(info, **kwargs)¶
Creates a Credentials instance from parsed external account info.
Checks if the credentials have the given scopes.
- property quota_project_id¶
Project to use for quota and billing purposes.
- property universe_domain¶
The universe domain value.
- property valid¶
Checks the validity of the credentials.
When the token expires and is no longer valid. If this is None, the token is assumed to never expire.
- classmethod from_file(filename, **kwargs)¶
Creates a Credentials instance from an external account json file.