def load_service_account_credentials(path, scopes=None): """ Gets service account credentials from JSON file at ``path``. Parameters ---------- path : str Path to credentials JSON file. scopes : list[str], optional A list of scopes to use when authenticating to Google APIs. See the `list of OAuth 2.0 scopes for Google APIs <https://developers.google.com/identity/protocols/googlescopes>`_. Returns ------- google.oauth2.service_account.Credentials Raises ------ pydata_google_auth.exceptions.PyDataCredentialsError If unable to load service credentials. Examples -------- Load credentials and use them to construct a BigQuery client. .. code-block:: python import pydata_google_auth import google.cloud.bigquery credentials = pydata_google_auth.load_service_account_credentials( "/home/username/keys/google-service-account-credentials.json", ) client = google.cloud.bigquery.BigQueryClient( credentials=credentials, project=credentials.project_id ) """ credentials = cache._load_service_account_credentials_from_file( path, scopes=scopes) if not credentials: raise exceptions.PyDataCredentialsError("Could not load credentials.") return credentials
def load_user_credentials(path): """ Gets user account credentials from JSON file at ``path``. Parameters ---------- path : str Path to credentials JSON file. Returns ------- google.auth.credentials.Credentials Raises ------ pydata_google_auth.exceptions.PyDataCredentialsError If unable to load user credentials. Examples -------- Load credentials and use them to construct a BigQuery client. .. code-block:: python import pydata_google_auth import google.cloud.bigquery credentials = pydata_google_auth.load_user_credentials( "/home/username/keys/google-credentials.json", ) client = google.cloud.bigquery.BigQueryClient( credentials=credentials, project="my-project-id" ) """ credentials = cache._load_user_credentials_from_file(path) if not credentials: raise exceptions.PyDataCredentialsError("Could not load credentials.") return credentials
def default( scopes, client_id=None, client_secret=None, credentials_cache=cache.READ_WRITE, use_local_webserver=False, auth_local_webserver=None, ): """ Get credentials and default project for accessing Google APIs. This method first attempts to get credentials via the :func:`google.auth.default` function. If it is unable to get valid credentials, it then attempts to get user account credentials via the :func:`pydata_google_auth.get_user_credentials` function. Parameters ---------- scopes : list[str] A list of scopes to use when authenticating to Google APIs. See the `list of OAuth 2.0 scopes for Google APIs <https://developers.google.com/identity/protocols/googlescopes>`_. client_id : str, optional The client secrets to use when prompting for user credentials. Defaults to a client ID associated with pydata-google-auth. If you are a tool or library author, you must override the default value with a client ID associated with your project. Per the `Google APIs terms of service <https://developers.google.com/terms/>`_, you must not mask your API client's identity when using Google APIs. client_secret : str, optional The client secrets to use when prompting for user credentials. Defaults to a client secret associated with pydata-google-auth. If you are a tool or library author, you must override the default value with a client secret associated with your project. Per the `Google APIs terms of service <https://developers.google.com/terms/>`_, you must not mask your API client's identity when using Google APIs. credentials_cache : pydata_google_auth.cache.CredentialsCache, optional An object responsible for loading and saving user credentials. By default, pydata-google-auth reads and writes credentials in ``$HOME/.config/pydata/pydata_google_credentials.json`` or ``$APPDATA/.config/pydata/pydata_google_credentials.json`` on Windows. use_local_webserver : bool, optional Use a local webserver for the user authentication :class:`google_auth_oauthlib.flow.InstalledAppFlow`. Defaults to ``False``, which requests a token via the console. auth_local_webserver : deprecated Use the ``use_local_webserver`` parameter instead. Returns ------- credentials, project_id : tuple[google.auth.credentials.Credentials, str or None] credentials : OAuth 2.0 credentials for accessing Google APIs project_id : A default Google developer project ID, if one could be determined from the credentials. For example, this returns the project ID associated with a service account when using a service account key file. It returns None when using user-based credentials. Raises ------ pydata_google_auth.exceptions.PyDataCredentialsError If unable to get valid credentials. """ if auth_local_webserver is not None: use_local_webserver = auth_local_webserver # Try to retrieve Application Default Credentials credentials, default_project = get_application_default_credentials(scopes) if credentials and credentials.valid: return credentials, default_project credentials = get_user_credentials( scopes, client_id=client_id, client_secret=client_secret, credentials_cache=credentials_cache, use_local_webserver=use_local_webserver, ) if not credentials or not credentials.valid: raise exceptions.PyDataCredentialsError("Could not get any valid credentials.") return credentials, None
def get_user_credentials( scopes, client_id=None, client_secret=None, credentials_cache=cache.READ_WRITE, use_local_webserver=False, auth_local_webserver=None, ): """ Gets user account credentials. This function authenticates using user credentials, either loading saved credentials from the cache or by going through the OAuth 2.0 flow. The default read-write cache attempts to read credentials from a file on disk. If these credentials are not found or are invalid, it begins an OAuth 2.0 flow to get credentials. You'll open a browser window asking for you to authenticate to your Google account using the product name ``PyData Google Auth``. The permissions it requests correspond to the scopes you've provided. Additional information on the user credentails authentication mechanism can be found `here <https://developers.google.com/identity/protocols/OAuth2#clientside/>`__. Parameters ---------- scopes : list[str] A list of scopes to use when authenticating to Google APIs. See the `list of OAuth 2.0 scopes for Google APIs <https://developers.google.com/identity/protocols/googlescopes>`_. client_id : str, optional The client secrets to use when prompting for user credentials. Defaults to a client ID associated with pydata-google-auth. If you are a tool or library author, you must override the default value with a client ID associated with your project. Per the `Google APIs terms of service <https://developers.google.com/terms/>`_, you must not mask your API client's identity when using Google APIs. client_secret : str, optional The client secrets to use when prompting for user credentials. Defaults to a client secret associated with pydata-google-auth. If you are a tool or library author, you must override the default value with a client secret associated with your project. Per the `Google APIs terms of service <https://developers.google.com/terms/>`_, you must not mask your API client's identity when using Google APIs. credentials_cache : pydata_google_auth.cache.CredentialsCache, optional An object responsible for loading and saving user credentials. By default, pydata-google-auth reads and writes credentials in ``$HOME/.config/pydata/pydata_google_credentials.json`` or ``$APPDATA/.config/pydata/pydata_google_credentials.json`` on Windows. use_local_webserver : bool, optional Use a local webserver for the user authentication :class:`google_auth_oauthlib.flow.InstalledAppFlow`. Defaults to ``False``, which requests a token via the console. auth_local_webserver : deprecated Use the ``use_local_webserver`` parameter instead. Returns ------- credentials : google.oauth2.credentials.Credentials Credentials for the user, with the requested scopes. Raises ------ pydata_google_auth.exceptions.PyDataCredentialsError If unable to get valid user credentials. """ if auth_local_webserver is not None: use_local_webserver = auth_local_webserver # Use None as default for client_id and client_secret so that the values # aren't included in the docs. A string of bytes isn't useful for the # documentation and might encourage the values to be used outside of this # library. if client_id is None: client_id = CLIENT_ID if client_secret is None: client_secret = CLIENT_SECRET credentials = credentials_cache.load() client_config = { "installed": { "client_id": client_id, "client_secret": client_secret, "redirect_uris": ["urn:ietf:wg:oauth:2.0:oob"], "auth_uri": GOOGLE_AUTH_URI, "token_uri": GOOGLE_TOKEN_URI, } } if credentials is None: app_flow = flow.InstalledAppFlow.from_client_config( client_config, scopes=scopes ) try: if use_local_webserver: credentials = app_flow.run_local_server() else: credentials = app_flow.run_console() except oauthlib.oauth2.rfc6749.errors.OAuth2Error as exc: raise exceptions.PyDataCredentialsError( "Unable to get valid credentials: {}".format(exc) ) credentials_cache.save(credentials) if credentials and not credentials.valid: request = google.auth.transport.requests.Request() credentials.refresh(request) return credentials