@@ -70,6 +70,59 @@ def explicit_compute_engine(project):
70
70
# [END auth_cloud_explicit_compute_engine]
71
71
72
72
73
+ # [START auth_cloud_accesstoken_impersonated_credentials]
74
+ def accesstoken_from_impersonated_credentials (
75
+ impersonated_service_account : str , scope : str
76
+ ):
77
+ from google .auth import impersonated_credentials
78
+ import google .auth .transport .requests
79
+
80
+ """
81
+ Use a service account (SA1) to impersonate another service account (SA2)
82
+ and obtain an ID token for the impersonated account.
83
+ To obtain a token for SA2, SA1 should have the
84
+ "roles/iam.serviceAccountTokenCreator" permission on SA2.
85
+
86
+ Args:
87
+ impersonated_service_account: The name of the privilege-bearing service account for whom the credential is created.
88
+ Examples: name@project.service.gserviceaccount.com
89
+
90
+ scope: Provide the scopes that you might need to request to access Google APIs,
91
+ depending on the level of access you need.
92
+ For this example, we use the cloud-wide scope and use IAM to narrow the permissions.
93
+ https://cloud.google.com/docs/authentication#authorization_for_services
94
+ For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
95
+ """
96
+
97
+ # Construct the GoogleCredentials object which obtains the default configuration from your
98
+ # working environment.
99
+ credentials , project_id = google .auth .default ()
100
+
101
+ # Create the impersonated credential.
102
+ target_credentials = impersonated_credentials .Credentials (
103
+ source_credentials = credentials ,
104
+ target_principal = impersonated_service_account ,
105
+ # delegates: The chained list of delegates required to grant the final accessToken.
106
+ # For more information, see:
107
+ # https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
108
+ # Delegate is NOT USED here.
109
+ delegates = [],
110
+ target_scopes = [scope ],
111
+ lifetime = 300 ,
112
+ )
113
+
114
+ # Get the OAuth2 token.
115
+ # Once you've obtained the OAuth2 token, use it to make an authenticated call
116
+ # to the target audience.
117
+ request = google .auth .transport .requests .Request ()
118
+ target_credentials .refresh (request )
119
+ # The token field is target_credentials.token.
120
+ print ("Generated OAuth2 token." )
121
+
122
+
123
+ # [END auth_cloud_accesstoken_impersonated_credentials]
124
+
125
+
73
126
if __name__ == "__main__" :
74
127
parser = argparse .ArgumentParser (
75
128
description = __doc__ , formatter_class = argparse .RawDescriptionHelpFormatter
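Review bot: The triple-quoted string inside accesstoken_from_impersonated_credentials is not its docstring, because the two import statements (`from google .auth import impersonated_credentials`, `import google .auth .transport .requests`) come first in the body; `accesstoken_from_impersonated_credentials.__doc__` is therefore None, and the `help=` passed to `subparsers.add_parser` in the second hunk is empty — move the two imports below the closing `"""` (or up to the module-level imports). The same string says the function obtains "an ID token", while the code calls `target_credentials.refresh(request)` and prints "Generated OAuth2 token.", i.e. it mints a scoped OAuth2 access token, not an audience-bound ID token; change the sentence to `and obtain a short-lived OAuth2 access token for the impersonated account.` and note that `roles/iam.serviceAccountTokenCreator` is a role granted on SA2, not a permission. `project_id` returned by `google.auth.default()` is never used, so `credentials, _ = google.auth.default()` reads cleaner. The `if __name__ == "__main__":` block that begins at the end of this hunk continues outside it.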
@@ -82,6 +135,12 @@ def explicit_compute_engine(project):
82
135
"explicit_compute_engine" , help = explicit_compute_engine .__doc__
83
136
)
84
137
explicit_gce_parser .add_argument ("project" )
138
+ accesstoken_parser = subparsers .add_parser (
139
+ "accesstoken_from_impersonated_credentials" ,
140
+ help = accesstoken_from_impersonated_credentials .__doc__ ,
141
+ )
142
+ accesstoken_parser .add_argument ("impersonated_service_account" )
143
+ accesstoken_parser .add_argument ("scope" )
85
144
86
145
args = parser .parse_args ()
87
146
@@ -91,3 +150,7 @@ def explicit_compute_engine(project):
91
150
explicit ()
92
151
elif args .command == "explicit_compute_engine" :
93
152
explicit_compute_engine (args .project )
153
+ elif args .command == "accesstoken_from_impersonated_credentials" :
154
+ accesstoken_from_impersonated_credentials (
155
+ args .impersonated_service_account , args .scope
156
+ )