google.auth.transport.grpc module

Authorization support for gRPC.

class AuthMetadataPlugin(*args: Any, **kwargs: Any)[source]

Bases: grpc.

A gRPC AuthMetadataPlugin that inserts the credentials into each request.

Parameters
secure_authorized_channel(credentials, request, target, ssl_credentials=None, client_cert_callback=None, **kwargs)[source]

Creates a secure authorized gRPC channel.

This creates a channel with SSL and AuthMetadataPlugin. This channel can be used to create a stub that can make authorized requests. Users can configure client certificate or rely on device certificates to establish a mutual TLS channel, if the GOOGLE_API_USE_CLIENT_CERTIFICATE variable is explicitly set to true.

Example:

import google.auth
import google.auth.transport.grpc
import google.auth.transport.requests
from google.cloud.speech.v1 import cloud_speech_pb2

# Get credentials.
credentials, _ = google.auth.default()

# Get an HTTP request function to refresh credentials.
request = google.auth.transport.requests.Request()

# Create a channel.
channel = google.auth.transport.grpc.secure_authorized_channel(
    credentials, regular_endpoint, request,
    ssl_credentials=grpc.ssl_channel_credentials())

# Use the channel to create a stub.
cloud_speech.create_Speech_stub(channel)

Usage:

There are actually a couple of options to create a channel, depending on if you want to create a regular or mutual TLS channel.

First let’s list the endpoints (regular vs mutual TLS) to choose from:

regular_endpoint = 'speech.googleapis.com:443'
mtls_endpoint = 'speech.mtls.googleapis.com:443'

Option 1: create a regular (non-mutual) TLS channel by explicitly setting the ssl_credentials:

regular_ssl_credentials = grpc.ssl_channel_credentials()

channel = google.auth.transport.grpc.secure_authorized_channel(
    credentials, regular_endpoint, request,
    ssl_credentials=regular_ssl_credentials)

Option 2: create a mutual TLS channel by calling a callback which returns the client side certificate and the key (Note that GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable must be explicitly set to true):

def my_client_cert_callback():
    code_to_load_client_cert_and_key()
    if loaded:
        return (pem_cert_bytes, pem_key_bytes)
    raise MyClientCertFailureException()

try:
    channel = google.auth.transport.grpc.secure_authorized_channel(
        credentials, mtls_endpoint, request,
        client_cert_callback=my_client_cert_callback)
except MyClientCertFailureException:
    # handle the exception

Option 3: use application default SSL credentials. It searches and uses the command in a context aware metadata file, which is available on devices with endpoint verification support (Note that GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable must be explicitly set to true). See https://cloud.google.com/endpoint-verification/docs/overview:

try:
    default_ssl_credentials = SslCredentials()
except:
    # Exception can be raised if the context aware metadata is malformed.
    # See :class:`SslCredentials` for the possible exceptions.

# Choose the endpoint based on the SSL credentials type.
if default_ssl_credentials.is_mtls:
    endpoint_to_use = mtls_endpoint
else:
    endpoint_to_use = regular_endpoint
channel = google.auth.transport.grpc.secure_authorized_channel(
    credentials, endpoint_to_use, request,
    ssl_credentials=default_ssl_credentials)

Option 4: not setting ssl_credentials and client_cert_callback. For devices without endpoint verification support or GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not true, a regular TLS channel is created; otherwise, a mutual TLS channel is created, however, the call should be wrapped in a try/except block in case of malformed context aware metadata.

The following code uses regular_endpoint, it works the same no matter the created channle is regular or mutual TLS. Regular endpoint ignores client certificate and key:

channel = google.auth.transport.grpc.secure_authorized_channel(
    credentials, regular_endpoint, request)

The following code uses mtls_endpoint, if the created channle is regular, and API mtls_endpoint is confgured to require client SSL credentials, API calls using this channel will be rejected:

channel = google.auth.transport.grpc.secure_authorized_channel(
    credentials, mtls_endpoint, request)
Parameters
  • credentials (google.auth.credentials.Credentials) – The credentials to add to requests.

  • request (google.auth.transport.Request) – A HTTP transport request object used to refresh credentials as needed. Even though gRPC is a separate transport, there’s no way to refresh the credentials without using a standard http transport.

  • target (str) – The host and port of the service.

  • ssl_credentials (grpc.ChannelCredentials) – Optional SSL channel credentials. This can be used to specify different certificates. This argument is mutually exclusive with client_cert_callback; providing both will raise an exception. If ssl_credentials and client_cert_callback are None, application default SSL credentials are used if GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is explicitly set to true, otherwise one way TLS SSL credentials are used.

  • client_cert_callback (Callable [ , bytes, bytes ]) – Optional callback function to obtain client certicate and key for mutual TLS connection. This argument is mutually exclusive with ssl_credentials; providing both will raise an exception. This argument does nothing unless GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is explicitly set to true.

  • kwargs – Additional arguments to pass to grpc.secure_channel().

Returns

The created gRPC channel.

Return type

grpc.Channel

Raises

google.auth.exceptions.MutualTLSChannelError – If mutual TLS channel creation failed for any reason.

class SslCredentials[source]

Bases: object

Class for application default SSL credentials.

The behavior is controlled by GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable whose default value is false. Client certificate will not be used unless the environment variable is explicitly set to true. See https://google.aip.dev/auth/4114

If the environment variable is true, then for devices with endpoint verification support, a device certificate will be automatically loaded and mutual TLS will be established. See https://cloud.google.com/endpoint-verification/docs/overview.

property ssl_credentials

Get the created SSL channel credentials.

For devices with endpoint verification support, if the device certificate loading has any problems, corresponding exceptions will be raised. For a device without endpoint verification support, no exceptions will be raised.

Returns

The created grpc channel credentials.

Return type

grpc.ChannelCredentials

Raises

google.auth.exceptions.MutualTLSChannelError – If mutual TLS channel creation failed for any reason.

property is_mtls

Indicates if the created SSL channel credentials is mutual TLS.