def LoginAs(account, creds, project, activate, brief, update_adc,
add_quota_project_to_adc):
"""Logs in with valid credentials."""
_ValidateADCFlags(update_adc, add_quota_project_to_adc)
if update_adc:
_UpdateADC(creds, add_quota_project_to_adc)
if not activate:
return creds
properties.PersistProperty(properties.VALUES.core.account, account)
if project:
properties.PersistProperty(properties.VALUES.core.project, project)
if not brief:
if c_creds.IsExternalAccountCredentials(creds):
confirmation_msg = (
'Authenticated with external account credentials for: [{0}].'.
format(account))
elif c_creds.IsExternalAccountUserCredentials(creds):
confirmation_msg = (
'Authenticated with external account user credentials for: '
'[{0}].'.format(account))
elif c_creds.IsServiceAccountCredentials(creds):
confirmation_msg = (
'Authenticated with service account credentials for: [{0}].'.
format(account))
else:
confirmation_msg = 'You are now logged in as [{0}].'.format(
account)
log.status.write(
'\n{confirmation_msg}\n'
'Your current project is [{project}]. You can change this setting '
'by running:\n $ gcloud config set project PROJECT_ID\n'.format(
confirmation_msg=confirmation_msg,
project=properties.VALUES.core.project.Get()))
return creds
def ADCIsUserAccount():
"""Returns whether the ADC credentials correspond to a user account or not."""
cred_file = config.ADCFilePath()
creds, _ = c_creds.GetGoogleAuthDefault().load_credentials_from_file(
cred_file)
return (c_creds.IsUserAccountCredentials(creds) or
c_creds.IsExternalAccountUserCredentials(creds))
def GetExternalAccountId(creds):
"""Returns the account identifier corresponding to the external account creds.
Args:
creds (google.auth.credentials.Credentials): The credentials whose account
ID is to be returned.
Returns:
Optional(str): The corresponding account ID, or None if the credentials are
not external_account credentials.
"""
if (c_creds.IsExternalAccountCredentials(creds)
or c_creds.IsExternalAccountUserCredentials(creds)):
return (creds.service_account_email
or c_introspect.GetExternalAccountId(creds))
return None
def Run(self, args):
"""Revoke Application Default Credentials."""
cred_file = config.ADCFilePath()
if not os.path.isfile(cred_file):
log.status.Print(
'Application Default Credentials have not been set up, '
'nothing to revoke.')
return
creds, _ = c_creds.GetGoogleAuthDefault().load_credentials_from_file(
cred_file)
if not (c_creds.IsUserAccountCredentials(creds)
or c_creds.IsExternalAccountCredentials(creds)
or c_creds.IsExternalAccountUserCredentials(creds)):
raise c_exc.BadFileException(
'The given credential file is a service account credential, and '
'cannot be revoked.')
if isinstance(creds, google_auth_creds.Credentials):
creds = c_google_auth.Credentials.FromGoogleAuthUserCredentials(
creds)
console_io.PromptContinue(
'You are about to revoke the credentials stored in: [{file}]'.
format(file=cred_file),
throw_if_unattended=True,
cancel_on_no=True)
try:
c_store.RevokeCredentials(creds)
os.remove(cred_file)
log.status.Print('Credentials revoked.')
except c_store.RevokeError:
os.remove(cred_file)
log.warning(
'The credentials stored in: [{file}] are not revocable from the '
'server but have been deleted from the file system.'.format(
file=cred_file))
def Run(self, args):
"""Revoke credentials and update active account."""
accounts = args.accounts or []
if isinstance(accounts, str):
accounts = [accounts]
available_accounts = c_store.AvailableAccounts()
unknown_accounts = set(accounts) - set(available_accounts)
if unknown_accounts:
raise c_exc.UnknownArgumentException(
'accounts', ' '.join(unknown_accounts))
if args.all:
accounts = available_accounts
active_account = properties.VALUES.core.account.Get()
if not accounts and active_account:
accounts = [active_account]
if not accounts:
raise c_exc.InvalidArgumentException(
'accounts', 'No credentials available to revoke.')
for account in accounts:
if active_account == account:
properties.PersistProperty(properties.VALUES.core.account, None)
# External account and external account user credentials cannot be
# revoked.
# Detect these type of credentials to show a more user friendly message
# on revocation calls.
# Note that impersonated external account credentials will appear like
# service accounts. These will end with gserviceaccount.com and will be
# handled the same way service account credentials are handled.
try:
creds = c_store.Load(
account, prevent_refresh=True, use_google_auth=True)
except creds_exceptions.Error:
# Ignore all errors. These will be properly handled in the subsequent
# Revoke call.
creds = None
if not c_store.Revoke(account):
if account.endswith('.gserviceaccount.com'):
log.warning(
'[{}] appears to be a service account. Service account tokens '
'cannot be revoked, but they will expire automatically. To '
'prevent use of the service account token earlier than the '
'expiration, delete or disable the parent service account.'
.format(account))
elif c_creds.IsExternalAccountCredentials(creds):
log.warning(
'[{}] appears to be an external account. External account '
'tokens cannot be revoked, but they will expire automatically.'
.format(account))
elif c_creds.IsExternalAccountUserCredentials(creds):
log.warning(
'[{}] appears to be an external account user. External account '
'user tokens cannot be revoked, but they will expire '
'automatically.'.format(account))
else:
log.warning(
'[{}] already inactive (previously revoked?)'.format(account))
return accounts