def test_sign_jwt(self):
    """Check that ``sign_jwt`` sends one ``SignJwtRequest`` and returns the stubbed reply.

    Only ``name`` and ``payload`` are passed, so the ``delegates``
    argument (the delegation chain) is not covered by this test.
    """
    # Canned reply that the stub channel is seeded with.
    stub_reply = common_pb2.SignJwtResponse(
        key_id="keyId-1134673157",
        signed_jwt="signedJwt-979546844",
    )

    # Replace gRPC channel creation so the client is built on the stub
    # and no real signing request leaves the process.
    stub_channel = ChannelStub(responses=[stub_reply])
    with mock.patch("google.api_core.grpc_helpers.create_channel") as create_channel:
        create_channel.return_value = stub_channel
        client = iam_credentials_v1.IAMCredentialsClient()

    # Placeholder request values. "-114" is not a JWT Claims Set; the test
    # only compares it for equality with what reaches the channel.
    account = client.service_account_path("[PROJECT]", "[SERVICE_ACCOUNT]")
    claims = "-114"

    reply = client.sign_jwt(account, claims)
    assert stub_reply == reply

    # Exactly one request must have been recorded, carrying name and payload
    # unchanged.
    assert len(stub_channel.requests) == 1
    wanted_request = common_pb2.SignJwtRequest(name=account, payload=claims)
    sent_request = stub_channel.requests[0][1]
    assert wanted_request == sent_request
def sign_jwt(
    self,
    name,
    payload,
    delegates=None,
    retry=google.api_core.gapic_v1.method.DEFAULT,
    timeout=google.api_core.gapic_v1.method.DEFAULT,
    metadata=None,
):
    """
    Signs a JWT using a service account's system-managed private key.

    ``name``, ``payload`` and ``delegates`` are copied into the
    ``SignJwtRequest`` exactly as given. This method does not parse or
    restrict the claims, so a caller that assembles ``payload`` from
    external input has to constrain the claims itself before calling.

    Example:
        >>> from google.cloud import iam_credentials_v1
        >>>
        >>> client = iam_credentials_v1.IAMCredentialsClient()
        >>>
        >>> name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')
        >>>
        >>> # TODO: Initialize `payload`:
        >>> payload = ''
        >>>
        >>> response = client.sign_jwt(name, payload)

    Args:
        name (str): Resource name of the service account whose key signs
            the JWT, in the format
            ``projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}``.
        payload (str): The JWT payload to sign: a JSON object that
            contains a JWT Claims Set.
        delegates (list[str]): The service accounts of a delegation
            chain, in order. Each account must hold
            ``roles/iam.serviceAccountTokenCreator`` on the next account
            in the chain, and the last one must hold that role on the
            account given in ``name``. Each entry uses the format
            ``projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}``.
        retry (Optional[google.api_core.retry.Retry]): A retry object
            used to retry requests. When left at its default, the retry
            policy from this method's configuration is applied. The
            generated text states that ``None`` also selects a default
            configuration; confirm against
            ``google.api_core.gapic_v1.method`` before relying on it.
        timeout (Optional[float]): Seconds to wait for the request to
            complete. If ``retry`` is specified, the timeout applies to
            each individual attempt.
        metadata (Optional[Sequence[Tuple[str, str]]]): Additional
            metadata that is provided to the method.

    Returns:
        A :class:`~google.cloud.iam_credentials_v1.types.SignJwtResponse` instance.

    Raises:
        google.api_core.exceptions.GoogleAPICallError: If the request
            failed for any reason.
        google.api_core.exceptions.RetryError: If the request failed due
            to a retryable error and retry attempts failed.
        ValueError: If the parameters are invalid.
    """
    # Build the retry/timeout-wrapped transport call once and cache it.
    api_calls = self._inner_api_calls
    if "sign_jwt" not in api_calls:
        api_calls["sign_jwt"] = google.api_core.gapic_v1.method.wrap_method(
            self.transport.sign_jwt,
            default_retry=self._method_configs["SignJwt"].retry,
            default_timeout=self._method_configs["SignJwt"].timeout,
            client_info=self._client_info,
        )

    request = common_pb2.SignJwtRequest(
        name=name,
        payload=payload,
        delegates=delegates,
    )

    # Work on a private copy so the caller's metadata sequence is not mutated.
    metadata = [] if metadata is None else list(metadata)

    # Route on the resource name; building this list cannot raise, so no
    # exception guard is needed around it.
    routing_header = [("name", name)]
    metadata.append(
        google.api_core.gapic_v1.routing_header.to_grpc_metadata(routing_header)
    )

    return api_calls["sign_jwt"](
        request,
        retry=retry,
        timeout=timeout,
        metadata=metadata,
    )