def _make_delegated_credentials(credentials, user_email, scopes):
"""Make delegated credentials.
Allows a service account to impersonate the user passed in `user_email`,
using a restricted set of scopes.
Args:
credentials (service_account.Credentials): The service account credentials.
user_email (str): The email for the user to impersonate.
scopes (list): A list of scopes.
Returns:
service_account.Credentials: The delegated credentials
"""
request = requests.Request()
credentials = with_scopes_if_required(credentials, _TOKEN_SCOPE)
credentials.refresh(request)
email = credentials.service_account_email
signer = iam.Signer(
request,
credentials,
email)
return service_account.Credentials(
signer,
email,
_TOKEN_URI,
scopes=scopes,
subject=user_email)
def AuthorizeHttp(http, credentials, scopes=None):
"""Helper function to apply credentials to an HTTP client."""
if not credentials:
return http # TODO: try to use default credentials
if scopes:
credentials = ga_credentials.with_scopes_if_required(credentials, scopes)
return google_auth_httplib2.AuthorizedHttp(credentials, http)
def ApplyHeader(headers, credentials, scopes=None):
"""Helper function to apply credentials to request headers."""
if not credentials:
return # TODO: try to use default credentials
if scopes:
credentials = ga_credentials.with_scopes_if_required(credentials, scopes)
credentials.apply(headers)
def test_create_scoped_if_required_scoped():
unscoped_credentials = RequiresScopedCredentialsImpl()
scoped_credentials = credentials.with_scopes_if_required(
unscoped_credentials, ["one", "two"])
assert scoped_credentials is not unscoped_credentials
assert not scoped_credentials.requires_scopes
assert scoped_credentials.has_scopes(["one", "two"])
def _get_build_request(self):
credentials = with_scopes_if_required(
self._credentials, list(CLOUD_SCOPES))
# FROM: https://github.com/googleapis/google-api-python-client/blob/
# master/docs/thread_safety.md
# Create a new Http() object for every request
def build_request(http, *args, **kwargs):
new_http = google_auth_httplib2.AuthorizedHttp(
credentials, http=httplib2.Http())
return googleapiclient.http.HttpRequest(new_http, *args, **kwargs)
return build_request
def get_service(self, method: int = 0):
# for some reason if i put this outside the function and call self.build it throws an error. WTF im gonna cry
if method == 0:
# Stolen from Google's client source code from more useful clients
# https://github.com/googleapis/python-bigquery/blob/master/google/cloud/bigquery/client.py
# which called the following:
# https://googleapis.dev/python/google-cloud-core/latest/_modules/google/cloud/client.html#ClientWithProject
# This just copies from there and it works (this might be the only one that works in the Cloud)
credentials, _ = google_auth_default()
credentials = google_auth_credentials.with_scopes_if_required(
credentials, self.SCOPE)
service = build('calendar', 'v3', credentials=credentials)
self.service = service
elif method == 1:
# This would be a desirable outcome since we don't need an extra cred file
# The following was a suggestion but you need to manually share the calendar with the service account:
# https://stackoverflow.com/questions/56145686/calendarlist-returns-empty-result-set-with-service-account
service_acc = os.environ.get('GOOGLE_APPLICATION_CREDENTIALS')
credentials = service_account.Credentials.from_service_account_file(
service_acc, scopes=self.SCOPE)
else:
credentials = None
# The file token.pickle stores the user's access and refresh tokens, and is
# created automatically when the authorization flow completes for the first
# time.
f = FileManager()
file_name = "token.txt"
if f.exists(file_name):
s = f.read(file_name)
credentials = pickle.loads(codecs.decode(s.encode(), "base64"))
# If there are no (valid) credentials available, let the user log in.
if not credentials or not credentials.valid:
if credentials and credentials.expired and credentials.refresh_token:
credentials.refresh(Request())
else:
flow = InstalledAppFlow.from_client_secrets_file(
'calendar_credentials.json', self.SCOPE)
credentials = flow.run_local_server(port=0)
# Save the credentials for the next run
s = codecs.encode(pickle.dumps(credentials), "base64").decode()
f.write(file_name, s)
service = build('calendar', 'v3', credentials=credentials)
self.service = service
def get_auth_header(real_header=True, authorized=True):
if authorized:
credential_file = os.environ['GOOGLE_APPLICATION_CREDENTIALS']
with io.open(credential_file) as fh:
info = json.load(fh)
else:
info = UNAUTHORIZED_GCP_CREDENTIALS
credentials = service_account.Credentials.from_service_account_info(info)
credentials = with_scopes_if_required(credentials, scopes=["https://www.googleapis.com/auth/userinfo.email"])
r = google.auth.transport.requests.Request()
credentials.refresh(r)
r.session.close()
token = credentials.token if real_header else str(uuid.uuid4())
return {"Authorization": f"Bearer {token}"}
def get_delegated_credential(delegated_account, scopes):
"""Build delegated credentials required for accessing the gsuite APIs.
Args:
delegated_account (str): The account to delegate the service account to
use.
scopes (list): The list of required scopes for the service account.
Returns:
service_account.Credentials: Credentials as built by
google.oauth2.service_account.
"""
request = requests.Request()
# Get the "bootstrap" credentials that will be used to talk to the IAM
# API to sign blobs.
bootstrap_credentials, _ = google.auth.default()
bootstrap_credentials = with_scopes_if_required(bootstrap_credentials,
list(CLOUD_SCOPES))
# Refresh the boostrap credentials. This ensures that the information about
# this account, notably the email, is populated.
bootstrap_credentials.refresh(request)
# Create an IAM signer using the bootstrap credentials.
signer = iam.Signer(request, bootstrap_credentials,
bootstrap_credentials.service_account_email)
# Create OAuth 2.0 Service Account credentials using the IAM-based signer
# and the bootstrap_credential's service account email.
delegated_credentials = service_account.Credentials(
signer,
bootstrap_credentials.service_account_email,
_TOKEN_URI,
scopes=scopes,
subject=delegated_account)
return delegated_credentials
def __init__(self,
credentials=None,
quota_max_calls=None,
quota_period=None,
use_rate_limiter=False,
http=None,
project_id=None,
**kwargs):
"""Constructor.
Args:
api_name (str): The API name to wrap. More details here:
https://developers.google.com/api-client-library/python/apis/
versions (list): A list of version strings to initialize.
credentials (object): GoogleCredentials.
quota_max_calls (int): Allowed requests per <quota_period> for the
API.
quota_period (float): The time period to track requests over.
use_rate_limiter (bool): Set to false to disable the use of a rate
limiter for this service.
**kwargs (dict): Additional args such as version.
"""
self._use_cached_http = False
if not credentials:
# Only share the http object when using the default credentials.
self._use_cached_http = True
credentials, _ = google.auth.default()
self._credentials = with_scopes_if_required(credentials,
list(CLOUD_SCOPES))
if use_rate_limiter:
self._rate_limiter = RateLimiter(max_calls=quota_max_calls,
period=quota_period)
else:
self._rate_limiter = None
self._http = http
self.project_id = project_id
def __init__(self,
credentials=None,
quota_max_calls=None,
quota_period=None,
use_rate_limiter=False,
http=None,
project_id=None,
**kwargs):
"""Constructor.
Args:
api_name (str): The API name to wrap. More details here:
https://developers.google.com/api-client-library/python/apis/
versions (list): A list of version strings to initialize.
credentials (object): GoogleCredentials.
quota_max_calls (int): Allowed requests per <quota_period> for the
API.
quota_period (float): The time period to track requests over.
use_rate_limiter (bool): Set to false to disable the use of a rate
limiter for this service.
**kwargs (dict): Additional args such as version.
"""
self._use_cached_http = False
if not credentials:
# Only share the http object when using the default credentials.
self._use_cached_http = True
credentials, _ = google.auth.default()
self._credentials = with_scopes_if_required(credentials, list(CLOUD_SCOPES))
if use_rate_limiter:
self._rate_limiter = RateLimiter(max_calls=quota_max_calls,
period=quota_period)
else:
self._rate_limiter = None
self._http = http
self.project_id = project_id
def test_create_scoped_if_required_not_scopes():
unscoped_credentials = CredentialsImpl()
scoped_credentials = credentials.with_scopes_if_required(
unscoped_credentials, ["one", "two"])
assert scoped_credentials is unscoped_credentials
def default(scopes=None, request=None):
"""Gets the default credentials for the current environment.
`Application Default Credentials`_ provides an easy way to obtain
credentials to call Google APIs for server-to-server or local applications.
This function acquires credentials from the environment in the following
order:
1. If the environment variable ``GOOGLE_APPLICATION_CREDENTIALS`` is set
to the path of a valid service account JSON private key file, then it is
loaded and returned. The project ID returned is the project ID defined
in the service account file if available (some older files do not
contain project ID information).
2. If the `Google Cloud SDK`_ is installed and has application default
credentials set they are loaded and returned.
To enable application default credentials with the Cloud SDK run::
gcloud auth application-default login
If the Cloud SDK has an active project, the project ID is returned. The
active project can be set using::
gcloud config set project
3. If the application is running in the `App Engine standard environment`_
then the credentials and project ID from the `App Identity Service`_
are used.
4. If the application is running in `Compute Engine`_ or the
`App Engine flexible environment`_ then the credentials and project ID
are obtained from the `Metadata Service`_.
5. If no credentials are found,
:class:`~google.auth.exceptions.DefaultCredentialsError` will be raised.
.. _Application Default Credentials: https://developers.google.com\
/identity/protocols/application-default-credentials
.. _Google Cloud SDK: https://cloud.google.com/sdk
.. _App Engine standard environment: https://cloud.google.com/appengine
.. _App Identity Service: https://cloud.google.com/appengine/docs/python\
/appidentity/
.. _Compute Engine: https://cloud.google.com/compute
.. _App Engine flexible environment: https://cloud.google.com\
/appengine/flexible
.. _Metadata Service: https://cloud.google.com/compute/docs\
/storing-retrieving-metadata
Example::
import google.auth
credentials, project_id = google.auth.default()
Args:
scopes (Sequence[str]): The list of scopes for the credentials. If
specified, the credentials will automatically be scoped if
necessary.
request (google.auth.transport.Request): An object used to make
HTTP requests. This is used to detect whether the application
is running on Compute Engine. If not specified, then it will
use the standard library http client to make requests.
Returns:
Tuple[~google.auth.credentials.Credentials, Optional[str]]:
the current environment's credentials and project ID. Project ID
may be None, which indicates that the Project ID could not be
ascertained from the environment.
Raises:
~google.auth.exceptions.DefaultCredentialsError:
If no credentials were found, or if the credentials found were
invalid.
"""
from google.auth.credentials import with_scopes_if_required
explicit_project_id = os.environ.get(
environment_vars.PROJECT,
os.environ.get(environment_vars.LEGACY_PROJECT))
checkers = (_get_explicit_environ_credentials, _get_gcloud_sdk_credentials,
_get_gae_credentials, lambda: _get_gce_credentials(request))
for checker in checkers:
credentials, project_id = checker()
if credentials is not None:
credentials = with_scopes_if_required(credentials, scopes)
return credentials, explicit_project_id or project_id
raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
def default(scopes=None, request=None, quota_project_id=None, default_scopes=None):
"""Gets the default credentials for the current environment.
`Application Default Credentials`_ provides an easy way to obtain
credentials to call Google APIs for server-to-server or local applications.
This function acquires credentials from the environment in the following
order:
1. If the environment variable ``GOOGLE_APPLICATION_CREDENTIALS`` is set
to the path of a valid service account JSON private key file, then it is
loaded and returned. The project ID returned is the project ID defined
in the service account file if available (some older files do not
contain project ID information).
If the environment variable is set to the path of a valid external
account JSON configuration file (workload identity federation), then the
configuration file is used to determine and retrieve the external
credentials from the current environment (AWS, Azure, etc).
These will then be exchanged for Google access tokens via the Google STS
endpoint.
The project ID returned in this case is the one corresponding to the
underlying workload identity pool resource if determinable.
2. If the `Google Cloud SDK`_ is installed and has application default
credentials set they are loaded and returned.
To enable application default credentials with the Cloud SDK run::
gcloud auth application-default login
If the Cloud SDK has an active project, the project ID is returned. The
active project can be set using::
gcloud config set project
3. If the application is running in the `App Engine standard environment`_
(first generation) then the credentials and project ID from the
`App Identity Service`_ are used.
4. If the application is running in `Compute Engine`_ or `Cloud Run`_ or
the `App Engine flexible environment`_ or the `App Engine standard
environment`_ (second generation) then the credentials and project ID
are obtained from the `Metadata Service`_.
5. If no credentials are found,
:class:`~google.auth.exceptions.DefaultCredentialsError` will be raised.
.. _Application Default Credentials: https://developers.google.com\
/identity/protocols/application-default-credentials
.. _Google Cloud SDK: https://cloud.google.com/sdk
.. _App Engine standard environment: https://cloud.google.com/appengine
.. _App Identity Service: https://cloud.google.com/appengine/docs/python\
/appidentity/
.. _Compute Engine: https://cloud.google.com/compute
.. _App Engine flexible environment: https://cloud.google.com\
/appengine/flexible
.. _Metadata Service: https://cloud.google.com/compute/docs\
/storing-retrieving-metadata
.. _Cloud Run: https://cloud.google.com/run
Example::
import google.auth
credentials, project_id = google.auth.default()
Args:
scopes (Sequence[str]): The list of scopes for the credentials. If
specified, the credentials will automatically be scoped if
necessary.
request (Optional[google.auth.transport.Request]): An object used to make
HTTP requests. This is used to either detect whether the application
is running on Compute Engine or to determine the associated project
ID for a workload identity pool resource (external account
credentials). If not specified, then it will either use the standard
library http client to make requests for Compute Engine credentials
or a google.auth.transport.requests.Request client for external
account credentials.
quota_project_id (Optional[str]): The project ID used for
quota and billing.
default_scopes (Optional[Sequence[str]]): Default scopes passed by a
Google client library. Use 'scopes' for user-defined scopes.
Returns:
Tuple[~google.auth.credentials.Credentials, Optional[str]]:
the current environment's credentials and project ID. Project ID
may be None, which indicates that the Project ID could not be
ascertained from the environment.
Raises:
~google.auth.exceptions.DefaultCredentialsError:
If no credentials were found, or if the credentials found were
invalid.
"""
from google.auth.credentials import with_scopes_if_required
explicit_project_id = os.environ.get(
environment_vars.PROJECT, os.environ.get(environment_vars.LEGACY_PROJECT)
)
checkers = (
# Avoid passing scopes here to prevent passing scopes to user credentials.
# with_scopes_if_required() below will ensure scopes/default scopes are
# safely set on the returned credentials since requires_scopes will
# guard against setting scopes on user credentials.
lambda: _get_explicit_environ_credentials(quota_project_id=quota_project_id),
lambda: _get_gcloud_sdk_credentials(quota_project_id=quota_project_id),
_get_gae_credentials,
lambda: _get_gce_credentials(request),
)
for checker in checkers:
credentials, project_id = checker()
if credentials is not None:
credentials = with_scopes_if_required(
credentials, scopes, default_scopes=default_scopes
)
# For external account credentials, scopes are required to determine
# the project ID. Try to get the project ID again if not yet
# determined.
if not project_id and callable(
getattr(credentials, "get_project_id", None)
):
if request is None:
request = google.auth.transport.requests.Request()
project_id = credentials.get_project_id(request=request)
if quota_project_id:
credentials = credentials.with_quota_project(quota_project_id)
effective_project_id = explicit_project_id or project_id
if not effective_project_id:
_LOGGER.warning(
"No project ID could be determined. Consider running "
"`gcloud config set project` or setting the %s "
"environment variable",
environment_vars.PROJECT,
)
return credentials, effective_project_id
raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
def __init__(self,
api_name,
versions=None,
credentials=None,
quota_max_calls=None,
quota_period=None,
use_rate_limiter=False,
read_only=False,
use_versioned_discovery_doc=False,
**kwargs):
"""Constructor.
Args:
api_name (str): The API name to wrap. More details here:
https://developers.google.com/api-client-library/python/apis/
versions (list): A list of version strings to initialize.
credentials (object): GoogleCredentials.
quota_max_calls (int): Allowed requests per <quota_period> for the
API.
quota_period (float): The time period to track requests over.
use_rate_limiter (bool): Set to false to disable the use of a rate
limiter for this service.
read_only (bool): When set to true, disables any API calls that
would modify a resource within the repository.
use_versioned_discovery_doc (bool): When set to true, will use the
discovery doc with the version suffix in the filename.
**kwargs (dict): Additional args such as version.
"""
self._use_cached_http = False
if not credentials:
# Only share the http object when using the default credentials.
self._use_cached_http = True
credentials, _ = google.auth.default()
self._credentials = with_scopes_if_required(credentials,
list(CLOUD_SCOPES))
# Lock may be acquired multiple times in the same thread.
self._repository_lock = threading.RLock()
if use_rate_limiter:
self._rate_limiter = RateLimiter(max_calls=quota_max_calls,
period=quota_period)
else:
self._rate_limiter = None
self._read_only = read_only
self.name = api_name
# Look to see if the API is formally supported in Forseti.
supported_api = _supported_apis.SUPPORTED_APIS.get(api_name)
if not supported_api:
LOGGER.warn(
'API "%s" is not formally supported in Forseti, '
'proceed at your own risk.', api_name)
# See if the version is supported by Forseti.
# If no version is specified, use the supported API's default version.
if not versions and supported_api:
versions = [supported_api.get('default_version')]
self.versions = versions
if supported_api:
for version in versions:
if version not in supported_api.get('supported_versions', []):
LOGGER.warn(
'API "%s" version %s is not formally supported '
'in Forseti, proceed at your own risk.', api_name,
version)
self.is_private_api = None
if supported_api:
self.is_private_api = (_supported_apis.SUPPORTED_APIS.get(
api_name).get('is_private_api'))
self.gcp_services = {}
for version in versions:
self.gcp_services[version] = _create_service_api(
self._credentials, self.name, version, self.is_private_api,
kwargs.get('developer_key'),
kwargs.get('cache_discovery', False),
use_versioned_discovery_doc)
def default(scopes=None, request=None):
"""Gets the default credentials for the current environment.
`Application Default Credentials`_ provides an easy way to obtain
credentials to call Google APIs for server-to-server or local applications.
This function acquires credentials from the environment in the following
order:
1. If the environment variable ``GOOGLE_APPLICATION_CREDENTIALS`` is set
to the path of a valid service account JSON private key file, then it is
loaded and returned. The project ID returned is the project ID defined
in the service account file if available (some older files do not
contain project ID information).
2. If the `Google Cloud SDK`_ is installed and has application default
credentials set they are loaded and returned.
To enable application default credentials with the Cloud SDK run::
gcloud auth application-default login
If the Cloud SDK has an active project, the project ID is returned. The
active project can be set using::
gcloud config set project
3. If the application is running in the `App Engine standard environment`_
then the credentials and project ID from the `App Identity Service`_
are used.
4. If the application is running in `Compute Engine`_ or the
`App Engine flexible environment`_ then the credentials and project ID
are obtained from the `Metadata Service`_.
5. If no credentials are found,
:class:`~google.auth.exceptions.DefaultCredentialsError` will be raised.
.. _Application Default Credentials: https://developers.google.com\
/identity/protocols/application-default-credentials
.. _Google Cloud SDK: https://cloud.google.com/sdk
.. _App Engine standard environment: https://cloud.google.com/appengine
.. _App Identity Service: https://cloud.google.com/appengine/docs/python\
/appidentity/
.. _Compute Engine: https://cloud.google.com/compute
.. _App Engine flexible environment: https://cloud.google.com\
/appengine/flexible
.. _Metadata Service: https://cloud.google.com/compute/docs\
/storing-retrieving-metadata
Example::
import google.auth
credentials, project_id = google.auth.default()
Args:
scopes (Sequence[str]): The list of scopes for the credentials. If
specified, the credentials will automatically be scoped if
necessary.
request (google.auth.transport.Request): An object used to make
HTTP requests. This is used to detect whether the application
is running on Compute Engine. If not specified, then it will
use the standard library http client to make requests.
Returns:
Tuple[~google.auth.credentials.Credentials, Optional[str]]:
the current environment's credentials and project ID. Project ID
may be None, which indicates that the Project ID could not be
ascertained from the environment.
Raises:
~google.auth.exceptions.DefaultCredentialsError:
If no credentials were found, or if the credentials found were
invalid.
"""
from google.auth.credentials import with_scopes_if_required
explicit_project_id = os.environ.get(
environment_vars.PROJECT,
os.environ.get(environment_vars.LEGACY_PROJECT))
checkers = (
_get_explicit_environ_credentials,
_get_gcloud_sdk_credentials,
_get_gae_credentials,
lambda: _get_gce_credentials(request))
for checker in checkers:
credentials, project_id = checker()
if credentials is not None:
credentials = with_scopes_if_required(credentials, scopes)
effective_project_id = explicit_project_id or project_id
if not effective_project_id:
_LOGGER.warning(
'No project ID could be determined. Consider running '
'`gcloud config set project` or setting the %s '
'environment variable',
environment_vars.PROJECT)
return credentials, effective_project_id
raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
def __init__(self, creds):
self.__scoped_credentials = with_scopes_if_required(
creds, Connection.SCOPE)
