(pha^SrSSKrSSKrSSKJr SSKJr SSKrSSKJ r SSKJ r SSKJ r SSKJ r SSKJ r SS KJr SS KJr SS KJr S rS rSrSrSrSr\ R0S4Sjr"SS\ R4\ R6\ R85r"SS\ R65r/4Sjrg)aGoogle Cloud Impersonated credentials. This module provides authentication for applications where local credentials impersonates a remote service account using `IAM Credentials API`_. This class can be used to impersonate a service account as long as the original Credential object has the "Service Account Token Creator" role on the target service account. .. _IAM Credentials API: https://cloud.google.com/iam/credentials/reference/rest/ N)datetime)_exponential_backoff)_helpers credentials) exceptions)iam)jwt)metrics)_clientz*Unable to acquire impersonated credentialsiz#https://oauth2.googleapis.com/tokenauthorized_userservice_account external_account_authorized_usercU=(d= [RR[RU5R U5n[ R"U5RS5nU"USX#S9n[URS5(aURRS5O URnUR[R:wa[R "["U5e[ R$"U5n U Sn [&R("U SS5n X4$![*[,4a1n [R "SR ["5U5n XeS n A ff=f) aMakes a request to the Google Cloud IAM service for an access token. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. body (Mapping[str, str]): JSON Payload body for the iamcredentials API call. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned utf-8POSTurlmethodheadersbodydecode accessToken expireTimez%Y-%m-%dT%H:%M:%SZz6{}: No access token or invalid expiration in response.N)r _IAM_ENDPOINTreplacerDEFAULT_UNIVERSE_DOMAINformatjsondumpsencodehasattrdatarstatus http_clientOKr RefreshError_REFRESH_ERRORloadsrstrptimeKeyError ValueError)request principalrruniverse_domainiam_endpoint_override iam_endpointresponse response_bodytoken_responsetokenexpiry caught_excnew_excs W/var/www/html/venv/lib/python3.13/site-packages/google/auth/impersonated_credentials.py_make_iam_token_requestr:9s:6)C,=,=,E,E++_- fY ::d  " "7 +D<SH 8==( + +  W% ]] +..(%%nmDD&M2}-"">,#?AUV} j !&)) D K K     %&s07D((E)8,E$$E)c^\rSrSrSrSS\SS4U4SjjrSr\R"\ R5S5r Sr Sr\S 5r\S 5r\S 5r\S 5r\R"\ R5S 5rSr\R"\ R,5S5r\R"\ R05SSj5r\SSj5rSrU=r$) Credentialswa&This module defines impersonated credentials which are essentially impersonated identities. Impersonated Credentials allows credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the `Service Account Token Creator`_ IAM role: For more information about Token Creator IAM role and IAMCredentials API, see `Creating Short-Lived Service Account Credentials`_. .. _Service Account Token Creator: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role .. _Creating Short-Lived Service Account Credentials: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Usage: First grant source_credentials the `Service Account Token Creator` role on the target account to impersonate. In this example, the service account represented by svc_account.json has the token creator role on `impersonated-account@_project_.iam.gserviceaccount.com`. Enable the IAMCredentials API on the source project: `gcloud services enable iamcredentials.googleapis.com`. Initialize a source credential which does not have access to list bucket:: from google.oauth2 import service_account target_scopes = [ 'https://www.googleapis.com/auth/devstorage.read_only'] source_credentials = ( service_account.Credentials.from_service_account_file( '/path/to/svc_account.json', scopes=target_scopes)) Now use the source credentials to acquire credentials to impersonate another service account:: from google.auth import impersonated_credentials target_credentials = impersonated_credentials.Credentials( source_credentials=source_credentials, target_principal='impersonated-account@_project_.iam.gserviceaccount.com', target_scopes = target_scopes, lifetime=500) Resource access is granted:: client = storage.Client(credentials=target_credentials) buckets = client.list_buckets(project='your_project') for bucket in buckets: print(bucket.name) Nc >[[U] 5 [R"U5Ul[ UR[ R5(aURR[R5Ul[URS5(a6URR(aURRS5 URUlX lX0lX@lXPlU=(d [(UlSUl[.R0"5UlXplXlSUlg)a< Args: source_credentials (google.auth.Credentials): The source credential used as to acquire the impersonated credentials. target_principal (str): The service account to impersonate. target_scopes (Sequence[str]): Scopes to request during the authorization grant. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. lifetime (int): Number of seconds the delegated credential should be valid for (upto 3600). quota_project_id (Optional[str]): The project ID used for quota and billing. This project may be different from the project used to create the credentials. iam_endpoint_override (Optional[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. subject (Optional[str]): sub field of a JWT. This field should only be set if you wish to impersonate as a user. This feature is useful when using domain wide delegation. _create_self_signed_jwtN)superr<__init__copy_source_credentials isinstancerScoped with_scopesr _IAM_SCOPEr"_always_use_jwt_accessr?r/_universe_domain_target_principal_target_scopes _delegates_subject_DEFAULT_TOKEN_LIFETIME_SECS _lifetimer5rutcnowr6_quota_project_id_iam_endpoint_override_cred_file_path) selfsource_credentialstarget_principal target_scopes delegatessubjectlifetimequota_project_idr0 __class__s r9rACredentials.__init__sT k4)+#'99-?#@  d.. 0B0B C C'+'?'?'K'K(D $ 002KLL,,CC((@@F 2 B B!1+# !A%A oo' !1&;##c"[R$N)r CRED_TYPE_SA_IMPERSONATErTs r9_metric_header_for_usage$Credentials._metric_header_for_usages///r^c&URU5 gr`) _update_token)rTr-s r9refreshCredentials.refreshs 7#r^c URR[RR:Xd2URR[RR :XaURR U5 URUR[UR5S-S.nSS[R[R"50nURRU5 UR(Ga UR [R":wa[$R&"S5e[(R*"5nUR,[(R."UR=(d S5UR[0[(R2"U5[(R2"U5[4-S.n[7UUR,UUURS9n[8R:"U[0U5uUlUlng [AUUR,UUUR URBS 9uUlUlg ) zUpdates credentials with a new access_token representing the impersonated account. Args: request (google.auth.transport.requests.Request): Request object to use for refreshing credentials. s)rXscoperZ Content-Typeapplication/jsonzNDomain-wide delegation is not supported in universes other than googleapis.com)issrksubaudiatexp)r-r.rpayloadrXN)r-r.rrr/r0)"rC token_stater TokenStateSTALEINVALIDrgrLrKstrrOr API_CLIENT_HEADER&token_request_access_token_impersonateapplyrMr/rrGoogleAuthErrorrrPrJscopes_to_string_GOOGLE_OAUTH2_TOKEN_ENDPOINTdatetime_to_secsrN_sign_jwt_requestr jwt_grantr5r6r:rR)rTr-rrnowrt assertion_s r9rfCredentials._update_tokens  $ $ 0 0K4J4J4P4P P''33{7M7M7U7UU  $ $ , ,W 5((DNN+c1  .  % %w'U'U'W    &&w/ ===##{'J'JJ 00, //#C--!2243F3F3L"M}}40050058TT G*00// I*1):):6 * &DJ Q "9,, 00"&"="= #  DKr^cdSSKJn [RR [ R UR5RUR5n[R"U5RS5URS.nSS0nU"UR5n[R "5nUHnUR#X5US9n U R$[R&;aM3U R$[(R*:wa3[,R."SRU R1555e[R2"U R15S 5s UR55 $ UR55 [,R."S 5e!UR55 f=f) NrAuthorizedSessionr)rtrXrlrm)rrrzError calling sign_bytes: {} signedBlobz#exhausted signBlob endpoint retries)google.auth.transport.requestsrr _IAM_SIGN_ENDPOINTrrrr/rrJbase64 b64encoderrLrCrExponentialBackoffpost status_codeIAM_RETRY_CODESr%r&rTransportErrorr b64decodeclose) rTmessageriam_sign_endpointrrauthed_sessionretriesrr2s r9 sign_bytesCredentials.sign_bytesNshD22::  / /1E1E &'' (  ''077@  "#56*4+C+CD #*==?G)..)/''3+>+>>'';>>9$336==hmmoN''  (EFF  "  "''(MNN  "s!CF5FF/cUR$r`rJrbs r9 signer_emailCredentials.signer_emailp%%%r^cUR$r`rrbs r9service_account_email!Credentials.service_account_emailtrr^cU$r`rnrbs r9signerCredentials.signerxs r^c$UR(+$r`)rKrbs r9requires_scopesCredentials.requires_scopes|s&&&&r^cZUR(aURSURS.$g)Nzimpersonated credentials)credential_sourcecredential_typer.)rSrJrbs r9 get_cred_infoCredentials.get_cred_infos/   %)%9%9#=!33  r^c URURURURURUR UR URS9nURUlU$)N)rVrWrXrZr[r0) r\rCrJrKrLrOrQrRrS)rTcreds r9 _make_copyCredentials._make_copyse~~  $ $!33--oo^^!33"&"="=  $33 r^c2UR5nXlU$r`)rrQ)rTr[rs r9with_quota_projectCredentials.with_quota_projects !1 r^cFUR5nU=(d UUlU$r`)rrK)rTscopesdefault_scopesrs r9rFCredentials.with_scopess  $6 r^cURS5nURS5nU[:Xa"SSKJn URR U5nO}U[ :Xa"SSKJn URRU5nOQU[:Xa"SSK J n URRU5nO%[R"SRU55eURS5n U R!S 5n U R#S 5n U S :Xd U S :XdX:a%[R$"S RU 55eXS -U n URS5n URS5nU"UU UU US9$)aCreates a Credentials instance from parsed impersonated service account credentials info. Args: info (Mapping[str, str]): The impersonated service account credentials info in Google format. scopes (Sequence[str]): Optional list of scopes to include in the credentials. Returns: google.oauth2.credentials.Credentials: The constructed credentials. Raises: InvalidType: If the info["source_credentials"] are not a supported impersonation type InvalidValue: If the info["service_account_impersonation_url"] is not in the expected format. ValueError: If the info is not in the expected format. rUtyperr)r)rz.source credential of type {} is not supported.!service_account_impersonation_url/z:generateAccessTokenz'Cannot extract target principal from {}rXr[)r[)get'_SOURCE_CREDENTIAL_AUTHORIZED_USER_TYPE google.oauth2rr<from_authorized_user_info'_SOURCE_CREDENTIAL_SERVICE_ACCOUNT_TYPErfrom_service_account_info8_SOURCE_CREDENTIAL_EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE google.authr from_infor InvalidTyperrfindfind InvalidValue)clsinforsource_credentials_infosource_credentials_typerrUrrimpersonation_url start_index end_indexrVrXr[s r9&from_impersonated_service_account_info2Credentials.from_impersonated_service_account_infosz(#'((+?"@"9"="=f"E "&M M 1!,!8!8!R!R'" %(O O 5!0![[U] 5 [U[5(d[ R "S5eXlX lX0l X@l g)aI Args: target_credentials (google.auth.Credentials): The target credential used as to acquire the id tokens for. target_audience (string): Audience to issue the token for. include_email (bool): Include email in IdToken quota_project_id (Optional[str]): The project ID used for quota and billing. z4Provided Credential must be impersonated_credentialsN) r@rrArDr<rr}_target_credentials_target_audience_include_emailrQ)rTtarget_credentialstarget_audience include_emailr[r\s r9rAIDTokenCredentials.__init__sQ  $02,k::,,I $6 /+!1r^cNURUUURURS9$N)rrrr[)r\rrQ)rTrrs r9from_credentials#IDTokenCredentials.from_credentials s0~~1+--!33   r^cbURURUURURS9$r)r\rrrQ)rTrs r9with_target_audience'IDTokenCredentials.with_target_audiences6~~#77+--!33   r^cbURURURUURS9$r)r\rrrQ)rTrs r9with_include_email%IDTokenCredentials.with_include_emails6~~#77 11'!33   r^cbURURURURUS9$r)r\rrr)rTr[s r9r%IDTokenCredentials.with_quota_project!s6~~#77 11---   r^cSSKJn [RR [ R URR5RURR5nURURRURS.nSS[R[R "50nU"URR"US9nUR%UU[&R("U5R+S5S9nUR-5 UR.[0R2:wa3[4R6"S RUR'555eUR'5S nXl[:R<"[>R@"US S 9S 5Ul!g!UR-5 f=f)Nrr)audiencerX includeEmailrlrm) auth_requestr)rrr#zError getting ID token: {}r5F)verifyrs)"rrr _IAM_IDTOKEN_ENDPOINTrrrrr/rrrrLrr rz"token_request_id_token_impersonaterCrrr r!rrr%r&rr'r5rutcfromtimestampr rr6) rTr-rrrrrr2id_tokens r9rgIDTokenCredentials.refresh*sD55==  / /  $ $ 4 4  &))66 7  --11<< //  .  % %w'Q'Q'S  +  $ $ 8 8w  #%**%ZZ%,,W5+H  "   ;>> 1)),33HMMOD ==?7+ // JJx .u 5    "s 4F==G)rrQrrr6r5)NFNr`)rrrrrrArrrrrrrrr<rgrrrs@r9rrsr 26   [DDE F [445) 6) r^rc[RRU5nU[R"U5S.n[R"U5R S5nU"USX&S9n[ URS5(aURRS5O URnUR[R:wa[R"[U5e[R"U5n U Sn U $![ ["4a1n [R"SR[5U5n XeSn A ff=f) aMakes a request to the Google Cloud IAM service to sign a JWT using a service account's system-managed private key. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. payload (Mapping[str, str]): The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned )rXrtrrrr signedJwtz{}: No signed JWT in response.N)r _IAM_SIGNJWT_ENDPOINTrrr r!r"r#rr$r%r&rr'r(r)r+r,) r-r.rrtrXr1rr2r3 jwt_response signed_jwtr7r8s r9rrWs :,,33I>L"tzz'/B CD ::d  " "7 +D<SH 8==( + +  W% ]] +..(%%nmDD &zz-0 !+.  j !&)) , 3 3N C] % &s"C??E,D;;E) rrrBr http.clientclientr%rrrrrrr r r rr r(rNrrrrrr:rErSigningr<rrrnr^r9r s  ! , #"!># E*;'*;'&9 77 ;&|o  ??ATATo d k @@k \GI7&r^