def Run(self, args):
"""Run the authentication command."""
if c_gce.Metadata().connected:
message = textwrap.dedent("""
You are running on a Google Compute Engine virtual machine.
The service credentials associated with this virtual machine
will automatically be used by Application Default
Credentials, so it is not necessary to use this command.
If you decide to proceed anyway, your user credentials may be visible
to others with access to this virtual machine. Are you sure you want
to authenticate with your personal account?
""")
console_io.PromptContinue(message=message,
throw_if_unattended=True,
cancel_on_no=True)
command_auth_util.PromptIfADCEnvVarIsSet()
# This reauth scope is only used here and when refreshing the access token.
scopes = (args.scopes
or auth_util.DEFAULT_SCOPES) + [config.REAUTH_SCOPE]
launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser)
if args.use_oauth2client:
if args.client_id_file:
creds = auth_util.DoInstalledAppBrowserFlow(
launch_browser=launch_browser,
scopes=scopes,
client_id_file=args.client_id_file)
else:
creds = auth_util.DoInstalledAppBrowserFlow(
launch_browser=launch_browser,
scopes=scopes,
client_id=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID,
client_secret=auth_util.
DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
else:
properties.VALUES.auth.client_id.Set(
auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID)
properties.VALUES.auth.client_secret.Set(
auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
creds = auth_util.DoInstalledAppBrowserFlowGoogleAuth(
launch_browser, scopes, client_id_file=args.client_id_file)
if args.IsSpecified('client_id_file'):
command_auth_util.DumpADC(creds, quota_project_disabled=False)
elif args.disable_quota_project or (not args.add_quota_project):
command_auth_util.DumpADC(creds, quota_project_disabled=True)
else:
command_auth_util.DumpADCOptionalQuotaProject(creds)
return creds
def _authenticate_and_get_creds_file_path(existing_creds_file=None):
"""Ensures agent will be able to authenticate and returns creds."""
# Can't disable near "else" (https://github.com/PyCQA/pylint/issues/872).
# pylint:disable=protected-access
if existing_creds_file:
creds_file_path = _expand_path(existing_creds_file)
if not os.path.exists(creds_file_path):
raise OSError(
'Credentials file not found at {}. Check for typos and ensure a'
' creds file exists at the path, then re-run the command.'.
format(creds_file_path))
else:
creds_file_path = oauth2_client._get_well_known_file()
# pylint:enable=protected-access
if not os.path.exists(creds_file_path):
creds = login_util.DoInstalledAppBrowserFlowGoogleAuth(
scopes=(login_util.DEFAULT_SCOPES + [config.REAUTH_SCOPE]))
auth_util.DumpADCOptionalQuotaProject(creds)
return creds_file_path
def Run(self, args):
"""Run the authentication command."""
if args.cred_file:
cred_config = auth_util.GetCredentialsConfigFromFile(
args.cred_file)
else:
cred_config = None
scopes = GetScopes(args)
if not ShouldContinueLogin(cred_config):
return None
if args.cred_file:
return LoginWithCredFileConfig(cred_config, scopes, args.project,
args.activate, args.brief,
args.update_adc,
args.add_quota_project_to_adc,
args.account)
if ShouldUseCachedCredentials(args, scopes):
creds = c_store.Load(account=args.account, scopes=scopes)
return LoginAs(args.account, creds, args.project, args.activate,
args.brief, args.update_adc,
args.add_quota_project_to_adc)
# No valid creds, do the web flow.
creds = auth_util.DoInstalledAppBrowserFlowGoogleAuth(
scopes,
no_launch_browser=not args.launch_browser,
no_browser=args.no_browser,
remote_bootstrap=args.remote_bootstrap)
if not creds:
return
account = ExtractAndValidateAccount(args.account, creds)
# We got new creds, and they are for the correct user.
c_store.Store(creds, account, scopes)
return LoginAs(account, creds, args.project, args.activate, args.brief,
args.update_adc, args.add_quota_project_to_adc)
def Run(self, args):
"""Run the authentication command."""
# TODO(b/203102970): Remove this condition check after the bug is resolved
if properties.VALUES.auth.access_token_file.Get():
raise c_store.FlowError(
'auth/access_token_file or --access-token-file was set which is not '
'compatible with this command. Please unset the property and rerun '
'this command.')
if c_gce.Metadata().connected:
message = textwrap.dedent("""
You are running on a Google Compute Engine virtual machine.
The service credentials associated with this virtual machine
will automatically be used by Application Default
Credentials, so it is not necessary to use this command.
If you decide to proceed anyway, your user credentials may be visible
to others with access to this virtual machine. Are you sure you want
to authenticate with your personal account?
""")
console_io.PromptContinue(message=message,
throw_if_unattended=True,
cancel_on_no=True)
command_auth_util.PromptIfADCEnvVarIsSet()
if args.client_id_file and not args.launch_browser:
raise c_exc.InvalidArgumentException(
'--no-launch-browser',
'`--no-launch-browser` flow no longer works with the '
'`--client-id-file`. Please replace `--no-launch-browser` with '
'`--no-browser`.')
# This reauth scope is only used here and when refreshing the access token.
scopes = (args.scopes
or auth_util.DEFAULT_SCOPES) + [config.REAUTH_SCOPE]
properties.VALUES.auth.client_id.Set(
auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID)
properties.VALUES.auth.client_secret.Set(
auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
creds = auth_util.DoInstalledAppBrowserFlowGoogleAuth(
scopes,
client_id_file=args.client_id_file,
no_launch_browser=not args.launch_browser,
no_browser=args.no_browser,
remote_bootstrap=args.remote_bootstrap)
if not creds:
return
target_impersonation_principal, delegates = None, None
impersonation_service_accounts = properties.VALUES.auth.impersonate_service_account.Get(
)
if impersonation_service_accounts:
(target_impersonation_principal,
delegates) = c_store.ParseImpersonationAccounts(
impersonation_service_accounts)
if not target_impersonation_principal:
if args.IsSpecified('client_id_file'):
command_auth_util.DumpADC(creds, quota_project_disabled=False)
elif args.disable_quota_project:
command_auth_util.DumpADC(creds, quota_project_disabled=True)
else:
command_auth_util.DumpADCOptionalQuotaProject(creds)
else:
# TODO(b/184049366): Supports quota project with impersonated creds.
command_auth_util.DumpImpersonatedServiceAccountToADC(
creds,
target_principal=target_impersonation_principal,
delegates=delegates)
return creds
def Run(self, args):
"""Run the authentication command."""
scopes = config.CLOUDSDK_SCOPES
# Add REAUTH scope in case the user has 2fact activated.
# This scope is only used here and when refreshing the access token.
scopes += (config.REAUTH_SCOPE, )
if args.enable_gdrive_access:
scopes += (auth_util.GOOGLE_DRIVE_SCOPE, )
if c_devshell.IsDevshellEnvironment():
if c_devshell.HasDevshellAuth():
message = textwrap.dedent("""
You are already authenticated with gcloud when running
inside the Cloud Shell and so do not need to run this
command. Do you wish to proceed anyway?
""")
answer = console_io.PromptContinue(message=message)
if not answer:
return None
elif c_gce.Metadata().connected:
message = textwrap.dedent("""
You are running on a Google Compute Engine virtual machine.
It is recommended that you use service accounts for authentication.
You can run:
$ gcloud config set account `ACCOUNT`
to switch accounts if necessary.
Your credentials may be visible to others with access to this
virtual machine. Are you sure you want to authenticate with
your personal account?
""")
answer = console_io.PromptContinue(message=message)
if not answer:
return None
account = args.account
if account and not args.force:
try:
creds = c_store.Load(account=account, scopes=scopes)
except c_store.Error:
creds = None
if creds:
# Account already has valid creds, just switch to it.
log.warning(
'Re-using locally stored credentials for [{}]. '
'To fetch new credentials, re-run the command with the '
'`--force` flag.'.format(account))
return LoginAs(account, creds, args.project, args.activate,
args.brief, args.update_adc,
args.add_quota_project_to_adc)
# No valid creds, do the web flow.
launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser)
if args.use_oauth2client:
creds = auth_util.DoInstalledAppBrowserFlow(launch_browser, scopes)
web_flow_account = creds.id_token['email']
else:
creds = auth_util.DoInstalledAppBrowserFlowGoogleAuth(
launch_browser, scopes)
decoded_id_token = jwt.decode(creds.id_token, verify=False)
web_flow_account = decoded_id_token['email']
if account and account.lower() != web_flow_account.lower():
raise auth_exceptions.WrongAccountError(
'You attempted to log in as account [{account}] but the received '
'credentials were for account [{web_flow_account}].\n\n'
'Please check that your browser is logged in as account [{account}] '
'and that you are using the correct browser profile.'.format(
account=account, web_flow_account=web_flow_account))
account = web_flow_account
# We got new creds, and they are for the correct user.
c_store.Store(creds, account, scopes)
return LoginAs(account, creds, args.project, args.activate, args.brief,
args.update_adc, args.add_quota_project_to_adc)