google.auth.transport.mtls module

Utilites for mutual TLS.

class UseMtlsEndpointMode(value)[source]

Bases: Enum

An enumeration.

has_default_client_cert_source(include_context_aware=True)[source]

Check if default client SSL credentials exists on the device.

Parameters:
  • include_context_aware (bool) – include_context_aware indicates if context_aware

  • skipped. (path location will be checked or should it be)

Returns:

indicating if the default client cert source exists.

Return type:

bool

default_client_cert_source()[source]

Get a callback which returns the default client SSL credentials.

Returns:

A callback which returns the default

client certificate bytes and private key bytes, both in PEM format.

Return type:

Callable, bytesbytes

Raises:

google.auth.exceptions.MutualTLSChannelError – If the default client SSL credentials don’t exist or are malformed.

default_client_encrypted_cert_source(cert_path, key_path)[source]

Get a callback which returns the default encrpyted client SSL credentials.

Parameters:
  • cert_path (str) – The cert file path. The default client certificate will be written to this file when the returned callback is called.

  • key_path (str) – The key file path. The default encrypted client key will be written to this file when the returned callback is called.

Returns:

A callback which generates the default

client certificate, encrpyted private key and passphrase. It writes the certificate and private key into the cert_path and key_path, and returns the cert_path, key_path and passphrase bytes.

Return type:

Callable, strstrbytes

Raises:

google.auth.exceptions.MutualTLSChannelError – If any problem occurs when loading or saving the client certificate and key.

should_use_client_cert()[source]

Returns boolean for whether the client certificate should be used for mTLS.

This is a wrapper around _mtls_helper.check_use_client_cert(). If GOOGLE_API_USE_CLIENT_CERTIFICATE is set to true or false, a corresponding bool value will be returned If GOOGLE_API_USE_CLIENT_CERTIFICATE is unset, the value will be inferred by reading a file pointed at by GOOGLE_API_CERTIFICATE_CONFIG, and verifying it contains a “workload” section. If so, the function will return True, otherwise False.

Returns:

indicating whether the client certificate should be used for mTLS.

Return type:

bool

load_default_client_cert(ctx: SSLContext) bool[source]

Load the default client certificate and key into an SSL context if configured.

If client certificates are enabled and a default client certificate source is found, the certificate and key are loaded into the SSL context.

Parameters:

ctx (ssl.SSLContext) – The SSL context to load the default client certificate and key into.

Returns:

True if client certificates are enabled and the default client

certificate was successfully loaded. False if client certificates are disabled or if no default certificate source is configured.

Return type:

bool

Raises:

google.auth.exceptions.MutualTLSChannelError – If the default client certificate or key is malformed.

get_default_ssl_context() SSLContext | None[source]

Get a default SSL context loaded with the default client certificate.

Returns:

An SSL context loaded with the default client

certificate, or None if client certificates are not configured or available.

Return type:

ssl.SSLContext

Raises:

google.auth.exceptions.MutualTLSChannelError – If the default client certificate or key is malformed.

should_use_mtls_endpoint(client_cert_available: bool | None = None) bool[source]

Determine whether to use an mTLS endpoint.

This relies on the GOOGLE_API_USE_MTLS_ENDPOINT environment variable. If set to “always”, returns True. If set to “never”, returns False. If set to “auto” or unset, returns whether a client certificate is available.

Parameters:

client_cert_available (Optionalbool) – indicating if a client certificate is available. If None, this is determined by checking if client certificates are enabled using should_use_client_cert().

Returns:

indicating if an mTLS endpoint should be used.

Return type:

bool