feat: add sample and test for getting an access token from an imperso… (GoogleCloudPlatform#10759)
* feat: add sample and test for getting an access token from an impersonated SA * add service account to test * trigger build
1 parent e67d5b4 commit 9a020ee

2 files changed

+73
-0
lines changed


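--- a/auth/cloud-client/snippets.py
+++ b/auth/cloud-client/snippets.py
@@ -70,6 +70,59 @@ def explicit_compute_engine(project):
 # [END auth_cloud_explicit_compute_engine]
 
 
+# [START auth_cloud_accesstoken_impersonated_credentials]
+def accesstoken_from_impersonated_credentials(
+    impersonated_service_account: str, scope: str
+):
+    from google.auth import impersonated_credentials
+    import google.auth.transport.requests
+
+    """
+    Use a service account (SA1) to impersonate another service account (SA2)
+    and obtain an ID token for the impersonated account.
+    To obtain a token for SA2, SA1 should have the
+    "roles/iam.serviceAccountTokenCreator" permission on SA2.
+
+    Args:
+        impersonated_service_account: The name of the privilege-bearing service account for whom the credential is created.
+            Examples: name@project.service.gserviceaccount.com
+
+        scope: Provide the scopes that you might need to request to access Google APIs,
+            depending on the level of access you need.
+            For this example, we use the cloud-wide scope and use IAM to narrow the permissions.
+            https://cloud.google.com/docs/authentication#authorization_for_services
+            For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
+    """
+
+    # Construct the GoogleCredentials object which obtains the default configuration from your
+    # working environment.
+    credentials, project_id = google.auth.default()
+
+    # Create the impersonated credential.
+    target_credentials = impersonated_credentials.Credentials(
+        source_credentials=credentials,
+        target_principal=impersonated_service_account,
+        # delegates: The chained list of delegates required to grant the final accessToken.
+        # For more information, see:
+        # https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
+        # Delegate is NOT USED here.
+        delegates=[],
+        target_scopes=[scope],
+        lifetime=300,
+    )
+
+    # Get the OAuth2 token.
+    # Once you've obtained the OAuth2 token, use it to make an authenticated call
+    # to the target audience.
+    request = google.auth.transport.requests.Request()
+    target_credentials.refresh(request)
+    # The token field is target_credentials.token.
+    print("Generated OAuth2 token.")
+
+
+# [END auth_cloud_accesstoken_impersonated_credentials]
+
+
 if __name__ == "__main__":
     parser = argparse.ArgumentParser(
         description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
@@ -82,6 +135,12 @@ def explicit_compute_engine(project):
         "explicit_compute_engine", help=explicit_compute_engine.__doc__
     )
     explicit_gce_parser.add_argument("project")
+    accesstoken_parser = subparsers.add_parser(
+        "accesstoken_from_impersonated_credentials",
+        help=accesstoken_from_impersonated_credentials.__doc__,
+    )
+    accesstoken_parser.add_argument("impersonated_service_account")
+    accesstoken_parser.add_argument("scope")
 
     args = parser.parse_args()
 
@@ -91,3 +150,7 @@ def explicit_compute_engine(project):
         explicit()
     elif args.command == "explicit_compute_engine":
         explicit_compute_engine(args.project)
+    elif args.command == "accesstoken_from_impersonated_credentials":
+        accesstoken_from_impersonated_credentials(
+            args.impersonated_service_account, args.scope
+        )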
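Review bot: The docstring at new lines 80–95 is not the function's `__doc__`, because the two `import` statements at 77–78 come before it; Python only treats a string literal as the docstring when it is the first statement of the body, so `help=accesstoken_from_impersonated_credentials.__doc__` in the argparse hunk at line 140 evaluates to `None` and the new subcommand gets no help text. Move the two imports below the closing `"""` (or to the top of the file next to the other `google.auth` imports). The docstring also says the sample obtains "an ID token", but `impersonated_credentials.Credentials(...)` with `target_scopes` followed by `refresh(request)` fills `target_credentials.token` with an OAuth2 access token, which is what the `print` at line 120 reports; change the sentence to `and obtain an OAuth2 access token for the impersonated account.` so readers do not confuse this with the separate ID-token flow. `project_id` at line 99 is never used; unpacking it as `_` would make that intent explicit.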

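--- a/auth/cloud-client/snippets_test.py
+++ b/auth/cloud-client/snippets_test.py
@@ -42,3 +42,13 @@ def test_explicit_compute_engine():
 
     with credentials_patch:
         snippets.explicit_compute_engine(project)
+
+
+def test_accesstoken_from_impersonated_credentials():
+    impersonated_service_account = (
+        "auth-samples-testing@python-docs-samples-tests.iam.gserviceaccount.com"
+    )
+    scope = "https://www.googleapis.com/auth/cloud-platform"
+    snippets.accesstoken_from_impersonated_credentials(
+        impersonated_service_account, scope
+    )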
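Review bot: The new test at lines 47–54 asserts nothing: `accesstoken_from_impersonated_credentials` only prints, so the test passes whenever no exception escapes, and a regression that silently skips the refresh would go unnoticed. At minimum capture the output, `def test_accesstoken_from_impersonated_credentials(capsys):`, and after the call add `out, _ = capsys.readouterr()` and `assert "Generated OAuth2 token." in out`. Unlike `test_explicit_compute_engine` above, which appears to run under a `credentials_patch` (its start is outside the hunk), this test performs a live impersonation with whatever ambient credentials the runner has, and the hard-coded service-account address ties it to one project; reading the address from an environment variable and skipping when it is unset would make the dependency explicit.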
