Beispiel #1
    def test_sign_blob(self):
        """Check that ``sign_blob`` sends one ``SignBlobRequest`` and returns the stubbed reply."""
        # Canned reply served by the stub channel. The key id and signature
        # bytes are arbitrary fixture values, not real key material.
        canned_reply = common_pb2.SignBlobResponse(
            key_id="keyId-1134673157",
            signed_blob=b"-32",
        )

        # Replace channel creation while the client is constructed, so the
        # client is wired to the stub rather than a real gRPC channel.
        stub_channel = ChannelStub(responses=[canned_reply])
        with mock.patch(
            "google.api_core.grpc_helpers.create_channel"
        ) as create_channel:
            create_channel.return_value = stub_channel
            client = iam_credentials_v1.IAMCredentialsClient()

        # Request inputs: a placeholder service-account resource name and the
        # bytes to be signed.
        account_name = client.service_account_path("[PROJECT]", "[SERVICE_ACCOUNT]")
        blob = b"-114"

        result = client.sign_blob(account_name, blob)
        assert canned_reply == result

        # Exactly one call must have reached the channel, carrying the name
        # and payload unchanged.
        # NOTE(review): index [1] is presumably the request half of a
        # (method, request) pair recorded by ChannelStub - confirm.
        # NOTE(review): the optional ``delegates`` argument is not exercised
        # by this test.
        recorded = stub_channel.requests
        assert len(recorded) == 1
        wanted_request = common_pb2.SignBlobRequest(name=account_name, payload=blob)
        sent_request = recorded[0][1]
        assert wanted_request == sent_request
    def sign_blob(
        self,
        name,
        payload,
        delegates=None,
        retry=google.api_core.gapic_v1.method.DEFAULT,
        timeout=google.api_core.gapic_v1.method.DEFAULT,
        metadata=None,
    ):
        """
        Sign a blob with a service account's system-managed private key.

        The payload is placed in the request exactly as given; this method
        does not inspect or restrict it. Callers that sign data derived from
        untrusted input should decide for themselves what they are willing to
        have signed in the service account's name.

        Example:
            >>> from google.cloud import iam_credentials_v1
            >>>
            >>> client = iam_credentials_v1.IAMCredentialsClient()
            >>>
            >>> name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')
            >>>
            >>> # TODO: Initialize `payload`:
            >>> payload = b''
            >>>
            >>> response = client.sign_blob(name, payload)

        Args:
            name (str): Resource name of the service account the signature is
                requested for, formatted as
                ``projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}``.
            payload (bytes): The bytes to sign.
            delegates (list[str]): Service accounts forming a delegation
                chain. Each account must hold the
                ``roles/iam.serviceAccountTokenCreator`` role on the next
                account in the chain, and the last account must hold that
                role on the service account given in ``name``. Every entry
                widens who can obtain signatures as the target account, so
                these grants are worth keeping narrow and reviewing.

                Each delegate uses the format
                ``projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}``
            retry (Optional[google.api_core.retry.Retry]): Retry object used
                for the request. Left at the default sentinel, the retry
                settings from the ``SignBlob`` method configuration are
                supplied as the default.
                NOTE(review): the generated text stated that ``None`` also
                selects a default configuration; api_core may instead treat
                ``None`` as "do not retry" - confirm against the installed
                version.
            timeout (Optional[float]): Seconds to wait for the request to
                complete. When ``retry`` is specified, the timeout applies to
                each individual attempt.
            metadata (Optional[Sequence[Tuple[str, str]]]): Extra metadata
                passed along with the call. It is copied into a new list, so
                the caller's sequence is not modified.

        Returns:
            A :class:`~google.cloud.iam_credentials_v1.types.SignBlobResponse` instance.

        Raises:
            google.api_core.exceptions.GoogleAPICallError: If the request
                    failed for any reason.
            google.api_core.exceptions.RetryError: If the request failed due
                    to a retryable error and retry attempts failed.
            ValueError: If the parameters are invalid. (This method performs
                    no validation itself; any such error comes from the code
                    it calls.)
        """
        # Create the retry/timeout-aware wrapper on first use and keep it in
        # the per-client cache for later calls.
        if "sign_blob" not in self._inner_api_calls:
            wrapped_call = google.api_core.gapic_v1.method.wrap_method(
                self.transport.sign_blob,
                default_retry=self._method_configs["SignBlob"].retry,
                default_timeout=self._method_configs["SignBlob"].timeout,
                client_info=self._client_info,
            )
            self._inner_api_calls["sign_blob"] = wrapped_call

        request = common_pb2.SignBlobRequest(
            name=name,
            payload=payload,
            delegates=delegates,
        )

        # Work on a private copy so the routing entry never leaks into the
        # caller's own metadata sequence.
        call_metadata = [] if metadata is None else list(metadata)

        # Attach the routing header derived from the resource name.
        routing_pairs = [("name", name)]
        call_metadata.append(
            google.api_core.gapic_v1.routing_header.to_grpc_metadata(routing_pairs)
        )

        send = self._inner_api_calls["sign_blob"]
        return send(
            request,
            retry=retry,
            timeout=timeout,
            metadata=call_metadata,
        )