def Run(self, args): """Run the authentication command.""" if c_gce.Metadata().connected: message = textwrap.dedent(""" You are running on a Google Compute Engine virtual machine. The service credentials associated with this virtual machine will automatically be used by Application Default Credentials, so it is not necessary to use this command. If you decide to proceed anyway, your user credentials may be visible to others with access to this virtual machine. Are you sure you want to authenticate with your personal account? """) console_io.PromptContinue(message=message, throw_if_unattended=True, cancel_on_no=True) override_file = auth_util.AdcEnvVariable() if override_file: message = textwrap.dedent(""" The environment variable [{envvar}] is set to: [{override_file}] Credentials will still be generated to the default location: [{default_file}] To use these credentials, unset this environment variable before running your application. """.format(envvar=client.GOOGLE_APPLICATION_CREDENTIALS, override_file=override_file, default_file=auth_util.ADCFilePath())) console_io.PromptContinue(message=message, throw_if_unattended=True, cancel_on_no=True) scopes = args.scopes or auth_util.DEFAULT_SCOPES launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser) if args.client_id_file: creds = auth_util.DoInstalledAppBrowserFlow( launch_browser=launch_browser, scopes=scopes, client_id_file=args.client_id_file) else: creds = auth_util.DoInstalledAppBrowserFlow( launch_browser=launch_browser, scopes=scopes, client_id=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID, client_secret=auth_util. DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET) full_path = auth_util.SaveCredentialsAsADC(creds) log.status.Print( '\nCredentials saved to file: [{f}]'.format(f=full_path)) log.status.Print( '\n' 'These credentials will be used by any library that requests\n' 'Application Default Credentials.\n' '\n' 'To generate an access token for other uses, run:\n' ' gcloud auth application-default print-access-token') return creds
def BrowseApp(project, service, version, launch_browser): """Let you browse the given service at the given version. Args: project: str, project ID. service: str, specific service, 'default' if None version: str, specific version, latest if None launch_browser: boolean, if False only print url Returns: None if the browser should open the URL The relevant output as a dict for calliope format to print if not Raises: MissingApplicationError: If an app does not exist. """ try: url = deploy_command_util.GetAppHostname(app_id=project, service=service, version=version, use_ssl=appinfo.SECURE_HTTPS, deploy=False) except api_lib_exceptions.NotFoundError: log.debug('No app found:', exc_info=True) raise exceptions.MissingApplicationError(project) if check_browser.ShouldLaunchBrowser(launch_browser): OpenURL(url) return None else: return { 'url': url, 'service': service or 'default', 'version': version, }
def Run(self, args): """Run the authentication command.""" if c_gce.Metadata().connected: message = textwrap.dedent(""" You are running on a Google Compute Engine virtual machine. The service credentials associated with this virtual machine will automatically be used by Application Default Credentials, so it is not necessary to use this command. If you decide to proceed anyway, your user credentials may be visible to others with access to this virtual machine. Are you sure you want to authenticate with your personal account? """) console_io.PromptContinue(message=message, throw_if_unattended=True, cancel_on_no=True) command_auth_util.PromptIfADCEnvVarIsSet() scopes = args.scopes or auth_util.DEFAULT_SCOPES # This reauth scope is only used here and when refreshing the access token. scopes += [config.REAUTH_SCOPE] launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser) if args.client_id_file: creds = auth_util.DoInstalledAppBrowserFlow( launch_browser=launch_browser, scopes=scopes, client_id_file=args.client_id_file) else: creds = auth_util.DoInstalledAppBrowserFlow( launch_browser=launch_browser, scopes=scopes, client_id=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID, client_secret=auth_util. DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET) if args.IsSpecified('client_id_file'): full_path = c_creds.ADC(creds).DumpADCToFile() else: full_path = c_creds.ADC(creds).DumpExtendedADCToFile() log.status.Print( '\nCredentials saved to file: [{f}]'.format(f=full_path)) log.status.Print( '\nThese credentials will be used by any library that requests ' 'Application Default Credentials (ADC).') quota_project = command_auth_util.GetQuotaProjectFromADC() if quota_project: log.status.Print( "\nQuota project '{}' was added to ADC which can be used by Google " 'client libraries for billing and quota. To just ' 'update the quota project in ADC, ' 'run $gcloud auth application-default set-quota-project.'. format(quota_project)) return creds
def Run(self, args): """Run the authentication command.""" if c_gce.Metadata().connected: message = textwrap.dedent(""" You are running on a Google Compute Engine virtual machine. The service credentials associated with this virtual machine will automatically be used by Application Default Credentials, so it is not necessary to use this command. If you decide to proceed anyway, your user credentials may be visible to others with access to this virtual machine. Are you sure you want to authenticate with your personal account? """) console_io.PromptContinue(message=message, throw_if_unattended=True, cancel_on_no=True) command_auth_util.PromptIfADCEnvVarIsSet() # This reauth scope is only used here and when refreshing the access token. scopes = (args.scopes or auth_util.DEFAULT_SCOPES) + [config.REAUTH_SCOPE] launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser) if args.use_oauth2client: if args.client_id_file: creds = auth_util.DoInstalledAppBrowserFlow( launch_browser=launch_browser, scopes=scopes, client_id_file=args.client_id_file) else: creds = auth_util.DoInstalledAppBrowserFlow( launch_browser=launch_browser, scopes=scopes, client_id=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID, client_secret=auth_util. DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET) else: properties.VALUES.auth.client_id.Set( auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID) properties.VALUES.auth.client_secret.Set( auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET) creds = auth_util.DoInstalledAppBrowserFlowGoogleAuth( launch_browser, scopes, client_id_file=args.client_id_file) if args.IsSpecified('client_id_file'): command_auth_util.DumpADC(creds, quota_project_disabled=False) elif args.disable_quota_project or (not args.add_quota_project): command_auth_util.DumpADC(creds, quota_project_disabled=True) else: command_auth_util.DumpADCOptionalQuotaProject(creds) return creds
def DoInstalledAppBrowserFlowGoogleAuth(scopes, client_id_file=None, no_launch_browser=False, no_browser=False, remote_bootstrap=None): """Launches a 3LO oauth2 flow to get google-auth credentials. Args: scopes: [str], The list of scopes to authorize. client_id_file: str, The path to a file containing the client id and secret to use for the flow. If None, the default client id for the Cloud SDK is used. no_launch_browser: bool, True if users specify --no-launch-browser flag to use the oob auth flow. no_browser: bool, True if users specify --no-browser flag to ask another gcloud instance to help with authorization. remote_bootstrap: str, The auth parameters specified by --remote-bootstrap flag. Once used, it means the command is to help authorize another gcloud (i.e. gcloud without access to browser). Returns: core.credentials.google_auth_credentials.Credentials, The credentials obtained from the flow. """ if client_id_file: AssertClientSecretIsInstalledType(client_id_file) client_config = _CreateGoogleAuthClientConfig(client_id_file) can_launch_browser = check_browser.ShouldLaunchBrowser( attempt_launch_browser=True) if no_browser: user_creds = NoBrowserFlowRunner(scopes, client_config).Run() elif remote_bootstrap: if not can_launch_browser: raise c_flow.WebBrowserInaccessible( 'Cannot launch browser. Please run this command on a machine ' 'where gcloud can launch a web browser.') user_creds = NoBrowserHelperRunner( scopes, client_config).Run(partial_auth_url=remote_bootstrap) elif no_launch_browser: user_creds = OobFlowRunner(scopes, client_config).Run() elif not can_launch_browser: user_creds = NoBrowserFlowRunner(scopes, client_config).Run() else: user_creds = BrowserFlowWithNoBrowserFallbackRunner( scopes, client_config).Run() if user_creds: return c_google_auth.Credentials.FromGoogleAuthUserCredentials( user_creds)
def Run(self, args): """Run the authentication command.""" scopes = config.CLOUDSDK_SCOPES # Add REAUTH scope in case the user has 2fact activated. # This scope is only used here and when refreshing the access token. scopes += (config.REAUTH_SCOPE,) if args.enable_gdrive_access: scopes += (auth_util.GOOGLE_DRIVE_SCOPE,) if c_devshell.IsDevshellEnvironment(): message = """ You are already authenticated with gcloud when running inside the Cloud Shell and so do not need to run this command. Do you wish to proceed anyway? """ answer = console_io.PromptContinue(message=message) if not answer: return None elif c_gce.Metadata().connected: message = textwrap.dedent(""" You are running on a Google Compute Engine virtual machine. It is recommended that you use service accounts for authentication. You can run: $ gcloud config set account `ACCOUNT` to switch accounts if necessary. Your credentials may be visible to others with access to this virtual machine. Are you sure you want to authenticate with your personal account? """) answer = console_io.PromptContinue(message=message) if not answer: return None account = args.account if account and not args.force: try: creds = c_store.Load(account=account, scopes=scopes) except c_store.Error: creds = None if creds: # Account already has valid creds, just switch to it. return self.LoginAs(account, creds, args.project, args.activate, args.brief) # No valid creds, do the web flow. launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser) creds = auth_util.DoInstalledAppBrowserFlow(launch_browser, scopes) web_flow_account = creds.id_token['email'] if account and account.lower() != web_flow_account.lower(): raise auth_exceptions.WrongAccountError( 'You attempted to log in as account [{account}] but the received ' 'credentials were for account [{web_flow_account}].\n\n' 'Please check that your browser is logged in as account [{account}] ' 'and that you are using the correct browser profile.'.format( account=account, web_flow_account=web_flow_account)) account = web_flow_account # We got new creds, and they are for the correct user. c_store.Store(creds, account, scopes) return self.LoginAs(account, creds, args.project, args.activate, args.brief)