def _GetToken(self):
try:
return store.GetFreshAccessToken(
account=self._account,
allow_account_impersonation=self._use_account_impersonation)
except Exception as e: # pylint: disable=broad-except
raise ClientException( # pylint: disable=raise-missing-from
'Error Configuring KCC Client: [{}]'.format(e))
def GetAuthToken(account=None):
"""Generate a JSON object containing the current gcloud auth token."""
try:
access_token = c_store.GetFreshAccessToken(account)
output = {
'AuthToken': access_token,
}
except Exception as e: # pylint: disable=broad-except
raise KubeRunAuthException(
'Error retrieving auth credentials for {account}: {error}. '.
format(account=account, error=e))
return json.dumps(output, sort_keys=True)
def GetAuthToken(account, operation, impersonated=False):
"""Generate a JSON object containing the current gcloud auth token."""
try:
access_token = c_store.GetFreshAccessToken(
account, allow_account_impersonation=impersonated)
output = {
'auth_token': access_token,
}
except Exception as e: # pylint: disable=broad-except
raise AnthosAuthException(
'Error retrieving auth credentials for {operation}: {error}. '.format(
operation=operation, error=e))
return json.dumps(output, sort_keys=True)
def UpdateDockerCredentials(server, refresh=True):
"""Updates the docker config to have fresh credentials.
This reads the current contents of Docker's keyring, and extends it with
a fresh entry for the provided 'server', based on the active gcloud
credential. If a credential exists for 'server' this replaces it.
Args:
server: The hostname of the registry for which we're freshening
the credential.
refresh: Whether to force a token refresh on the active credential.
Raises:
core.credentials.exceptions.Error: There was an error loading the
credentials.
"""
if refresh:
access_token = store.GetFreshAccessToken()
else:
access_token = store.GetAccessToken()
if not access_token:
raise exceptions.Error(
'No access token could be obtained from the current credentials.')
if _CredentialStoreConfigured():
try:
# Update the credentials stored by docker, passing the sentinel username
# and access token.
DockerLogin(server, _USERNAME, access_token)
except client_lib.DockerError as e:
# Only catch docker-not-found error
if six.text_type(e) != client_lib.DOCKER_NOT_FOUND_ERROR:
raise
# Fall back to the previous manual .dockercfg manipulation
# in order to support gcloud app's docker-binaryless use case.
_UpdateDockerConfig(server, _USERNAME, access_token)
log.warning(
"'docker' was not discovered on the path. Credentials have been "
'stored, but are not guaranteed to work with the Docker client '
' if an external credential store is configured.')
else:
_UpdateDockerConfig(server, _USERNAME, access_token)
def MakeSecureChannel(target):
"""Creates grpc secure channel.
Args:
target: str, The server address, for example:
bigtableadmin.googleapis.com:443.
Returns:
grpc.secure channel.
"""
access_token = cred_store.GetFreshAccessToken()
# ssl_channel_credentials() loads root certificates from
# `grpc/_adapter/credentials/roots.pem`.
transport_creds = grpc.ssl_channel_credentials()
custom_metadata_plugin = _MetadataPlugin(access_token)
auth_creds = grpc.metadata_call_credentials(custom_metadata_plugin,
name='google_creds')
channel_creds = grpc.composite_channel_credentials(transport_creds,
auth_creds)
command_name = properties.VALUES.metrics.command_name.Get()
channel_args = (('grpc.primary_user_agent',
transport.MakeUserAgentString(command_name)), )
return grpc.secure_channel(target, channel_creds, options=channel_args)