def _delegated_credential(
cls,
credentials: Credentials,
subject: str,
scopes: List[str],
) -> ServiceAccountCredentials:
try:
admin_credentials = credentials.with_subject(subject).with_scopes(
scopes)
except AttributeError:
# When inside GCP, the credentials provided by the metadata service are immutable.
# https://github.com/GoogleCloudPlatform/professional-services/tree/master/examples/gce-to-adminsdk
request = requests.Request()
credentials.refresh(request)
# Create an IAM signer using the bootstrap credentials.
signer = iam.Signer(
request,
credentials,
credentials.service_account_email,
)
# Create OAuth 2.0 Service Account credentials using the IAM-based
# signer and the bootstrap_credential's service account email.
admin_credentials = ServiceAccountCredentials(
signer,
credentials.service_account_email,
TOKEN_URI,
scopes=scopes,
subject=subject,
)
return admin_credentials
async def _get_ephemeral(
client_session: aiohttp.ClientSession,
credentials: Credentials,
project: str,
instance: str,
pub_key: str,
) -> str:
"""Asynchronously requests an ephemeral certificate from the Cloud SQL Instance.
:type credentials: google.oauth2.service_account.Credentials
:param credentials: A credentials object
created from the google-auth library. Must be
using the SQL Admin API scopes. For more info, check out
https://google-auth.readthedocs.io/en/latest/.
:type project: str
:param project : A string representing the name of the project.
:type instance: str
:param instance: A string representing the name of the instance.
:type pub_key:
:param str: A string representing PEM-encoded RSA public key.
:rtype: str
:returns: An ephemeral certificate from the Cloud SQL instance that allows
authorized connections to the instance.
:raises TypeError: If one of the arguments passed in is None.
"""
logger.debug("Requesting ephemeral certificate")
if (not isinstance(credentials, Credentials)
or not isinstance(project, str)
or not isinstance(instance, str)
or not isinstance(pub_key, str)):
raise TypeError("Cannot take None as an argument.")
if not credentials.valid:
request = google.auth.transport.requests.Request()
credentials.refresh(request)
headers = {
"Authorization": "Bearer {}".format(credentials.token),
}
url = "https://www.googleapis.com/sql/{}/projects/{}/instances/{}/createEphemeral".format(
_sql_api_version, project, instance)
data = {"public_key": pub_key}
resp = await client_session.post(url,
headers=headers,
json=data,
raise_for_status=True)
ret_dict = json.loads(await resp.text())
return ret_dict["cert"]
def __refresh_credentials(self, credentials: Credentials) -> str:
# Attempt to refresh token if not currently valid
try:
auth_req = google.auth.transport.requests.Request()
credentials.refresh(auth_req)
except RefreshError as err:
logger.error("Could not get refreshed credentials for GCP. "
"Reauthentication Required.")
raise err
def _get_auth_token(self, credentials: Credentials) -> str:
"""
This method is used to get the authentication token.
Returns:
auth_token (str):
"""
# getting request object
auth_req = google.auth.transport.requests.Request()
credentials.refresh(auth_req) # refresh token
# check for valid credentials
auth_token = credentials.token
return auth_token
async def _get_metadata(
client_session: aiohttp.ClientSession,
credentials: Credentials,
project: str,
instance: str,
) -> Dict[str, Union[Dict, str]]:
"""Requests metadata from the Cloud SQL Instance
and returns a dictionary containing the IP addresses and certificate
authority of the Cloud SQL Instance.
:type credentials: google.oauth2.service_account.Credentials
:param service:
A credentials object created from the google-auth Python library.
Must have the SQL Admin API scopes. For more info check out
https://google-auth.readthedocs.io/en/latest/.
:type project: str
:param project:
A string representing the name of the project.
:type inst_name: str
:param project: A string representing the name of the instance.
:rtype: Dict[str: Union[Dict, str]]
:returns: Returns a dictionary containing a dictionary of all IP
addresses and their type and a string representing the
certificate authority.
:raises TypeError: If any of the arguments are not the specified type.
"""
if (not isinstance(credentials, Credentials)
or not isinstance(project, str)
or not isinstance(instance, str)):
raise TypeError("Arguments must be as follows: " +
"service (googleapiclient.discovery.Resource), " +
"proj_name (str) and inst_name (str).")
if not credentials.valid:
request = google.auth.transport.requests.Request()
credentials.refresh(request)
headers = {
"Authorization": "Bearer {}".format(credentials.token),
}
url = "https://www.googleapis.com/sql/{}/projects/{}/instances/{}".format(
_sql_api_version, project, instance)
logger.debug("Requesting metadata")
resp = await client_session.get(url,
headers=headers,
raise_for_status=True)
ret_dict = json.loads(await resp.text())
metadata = {
"ip_addresses":
{ip["type"]: ip["ipAddress"]
for ip in ret_dict["ipAddresses"]},
"server_ca_cert": ret_dict["serverCaCert"]["cert"],
}
return metadata
