feat: implement get_project_id() for google.auth.external_account.Credentials
#631
Co-authored-by: Tres Seaver <[email protected]>
* chore: updated CHANGELOG.md [ci skip]
* chore: updated setup.cfg [ci skip]
* chore: updated setup.py

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com. This API is deprecated and will be shut down in one year. This is used by google.auth.iam.Signer. Added a system_test to sanity check the implementation.
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
* This patch for </issues/501> includes the following fixes:
  - The access token is always set to `None`, so the fix involves using (the access) `token` from the saved JSON credentials file.
  - For refresh needs, `expiry` also needs to be saved via `to_json()`.
    - DUMP: As `expiry` is a `datetime.datetime` object, serialize to `datetime.isoformat()` in the same [`oauth2client` format](https://github.com/googleapis/oauth2client/blob/master/oauth2client/client.py#L55) for consistency.
    - LOAD: Add code to restore `expiry` back to `datetime.datetime` object when imported.
    - LOAD: If `expiry` was unsaved, automatically set it as expired so refresh takes place.
  - Minor `scopes` updates
    - DUMP: Add property for `scopes` so `to_json()` can grab it
    - LOAD: `scopes` may be saved as a string instead of a JSON array (Python list), so ensure it is Sequence[str] when imported.
* feat: asyncio http request logic and asynchronous credentials logic (#572)

Co-authored-by: Anirudh Baddepudi <[email protected]>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Fix #618. Removes aiohttp from required dependencies to lessen dependency tree for google-auth. This will need to be looked at again as more folks use aiohttp and once the surface goes to public visibility.
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Refs #595 (comment) I see no point in checking whether someone is running a version of https://github.com/pyca/cryptography/ from 2014 that doesn't even compile against modern versions of OpenSSL anymore.
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info.
Part of #579 This helper is used with '?recursive=true' in one place, and can now be used by IDTokenCredentials for requests with query parameters to the metadata identity end-point. This change will allow making requests to the token end-point with '?scopes=..' query parameters.
@bojeil-google Please rebase your branch against the current

```
$ git checkout master
$ git pull upstream master  # assuming this repo is the `upstream` remote
$ git checkout external_account_project_id
$ git rebase -i master  # edit out any commits except for the last
$ git push -f origin external_account_project_id
```
…Credentials This is introduced to support the current pattern of using the Auth library: `credentials, project_id = google.auth.default()`
This is introduced to support the current pattern of using the Auth library:

```
credentials, project_id = google.auth.default()
```

This will be added to the project ID determination logic:
google-auth-library-python/google/auth/_default.py
Line 338 in 3b3172e
This will first determine the project number from the STS audience:

```
//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...
```

It will then call cloud resource manager to determine the project information:

```
https://cloudresourcemanager.googleapis.com/v1/projects/$PROJECT_NUMBER
```
This may fail for the following reasons:
https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes
To reduce cost of this API, we will fail quickly and not retry and we will use scopes provided as is.
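
The lookup described in the PR description above, as an added example that is not the library's own code: it extracts the project number from the STS audience with an anchored, digits-only match, makes one Cloud Resource Manager request, and returns `None` on any failure without retrying. The `http_get` transport, the function names, the sample audience and the use of the `projectId` response field are assumptions of this example.

```python
import json
import re

# Audience layout and endpoint come from the PR description; the anchored,
# digits-only match is a choice made for this example.
_AUDIENCE_RE = re.compile(r"^//iam\.googleapis\.com/projects/([0-9]+)/locations/")
_CRM_URL = "https://cloudresourcemanager.googleapis.com/v1/projects/{}"

# Constructed sample audience (not taken from the PR).
SAMPLE_AUDIENCE = (
    "//iam.googleapis.com/projects/123456/locations/global"
    "/workloadIdentityPools/example-pool/providers/example-provider"
)


def project_number_from_audience(audience):
    """Return the project number embedded in an STS audience, or None."""
    match = _AUDIENCE_RE.match(audience or "")
    return match.group(1) if match else None


def lookup_project_id(audience, access_token, http_get):
    """Resolve the project ID with a single Cloud Resource Manager call.

    http_get is a hypothetical transport: (url, headers) -> (status, body).
    Any failure yields None; the call is never retried.
    """
    number = project_number_from_audience(audience)
    if number is None:
        return None  # malformed audience: no request is sent at all
    headers = {"Authorization": "Bearer " + access_token}
    status, body = http_get(_CRM_URL.format(number), headers)
    if status != 200:
        return None
    try:
        return json.loads(body).get("projectId")
    except (ValueError, AttributeError):
        return None


def make_fake_transport(status, body, calls):
    """Constructed stand-in for the network; records each requested URL."""
    def http_get(url, headers):
        calls.append(url)
        return status, body
    return http_get
```

Because the project number is validated before it is placed in the URL, an audience that does not match the expected layout never reaches the network.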