问题
I'm updating a script to call OAuth2-protected Google Cloud endpoints. The previous version assumed a single user previously authenticated by gcloud auth login and thus was able to use the default:
credentials = GoogleCredentials.get_application_default()
http = credentials.authorize(http)
However now I must do some calls as user A and some as user B. I can perform these steps in the shell to generate access tokens, but I would prefer to do it in the program directly:
gcloud auth login user_A@email.com
gcloud auth print-access-token user_A@email.com
Is there a way to generate two Credentials values for two different emails without having to run any shell commands?
回答1:
My case is a bit different but hopefully, you can find the equivalent for your use case. I'm using service accounts for authentication.
You need 3 things for successful authentication
Service account file. This is the JSON file you get after creating a service account
SCOPES. This specifies which Google API you need to access. In my case I needed to access the Google Groups API. Hence the scope I needed was: "https://www.googleapis.com/auth/admin.directory.group"
you can find the list of all scopes here: https://developers.google.com/identity/protocols/googlescopes
- Email address of the required user. This is the email address of the user your service account wants to impersonate (user_A@email.com). In my case I needed the G suite admin's email, as they only have access to Google Groups.
Following is the equivalent Python code:
from google.oauth2 import service_account
from googleapiclient.discovery import build
SCOPES = ["https://www.googleapis.com/auth/admin.directory.group"]
SERVICE_ACCOUNT_FILE = "my-service-account.json"
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE,
scopes=SCOPES,
subject="admin@example.com")
admin_service = build("admin", "directory_v1", credentials=credentials)
group = admin_service.groups().list(domain="example.com").execute()
print("groups list: ", group)
Now according to your question if you want to impersonate some other user. Then you can use
new_user_email = "user2@example.com"
user2_credentials = credentials.with_subject(new_user_email)
new_service = build("admin", "directory_v1", credentials=user2_credentials)
# use this new_service to call required APIs
Here is the link to the docs for authentication using service accounts for python library: https://google-auth.readthedocs.io/en/latest/reference/google.oauth2.service_account.html
Here is the link of how the Oauth flow happens in general for service accounts: https://github.com/googleapis/google-api-python-client/blob/master/docs/oauth-server.md
I hope this was of some help to you.
PS - This is my first answer on Stack Overflow, so please do tell me how I could've improved my answer.
回答2:
You probably want to use
gcloud auth application-default login
gcloud auth application-default print-access-token
instead of gcloud auth login.
But if you are using gcloud credentials (not application default) then note that
gcloud auth login
is an interactive command. You choose user to login as in the browser not on the command line.
You can pre-login before hand and then use credentials you desire. For example:
gcloud auth login --account user_A@email.com
gcloud auth login --account user_B@email.com
this adds credentials to the credential store (Note that here --account is used just for validation making sure webflow chosen account is same as requested here). You can see all available credentials by running
gcloud auth list
Then you can use specific account on demand
gcloud auth print-access-token --account user_A@email.com
gcloud auth print-access-token --account user_B@email.com
Note that print-access-token is undocumented command and you should only use it for debugging.
Somewhat more advanced feature is to use configurations
gcloud config configurations list
You can create new ones by
gcloud config configurations create A
gcloud config set account user_A@email.com
gcloud config set project project_A
gcloud config configurations create B
gcloud config set account user_B@email.com
gcloud config set project project_B
then you can do
gcloud auth print-access-token --configuration A
gcloud auth print-access-token --configuration B
the added advantage that not only you can configure account but other attributes like project, compute zone, etc ...
回答3:
As far as I understand you want to make requests to OAuth2.0 protected resources and specify a "caller" account inside your python code.
Here is a nice function I personally use (it has more than what you need as it works differently based on from where it's being called). You simply need to give it the client ID of the account you want to be used for the call.
def make_iap_request(url, client_id, method='GET', **kwargs):
"""Makes a request to an application protected by Identity-Aware Proxy.
Args:
url: The Identity-Aware Proxy-protected URL to fetch.
client_id: The client ID used by Identity-Aware Proxy.
method: The request method to use
('GET', 'OPTIONS', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE')
**kwargs: Any of the parameters defined for the request function:
https://github.com/requests/requests/blob/master/requests/api.py
If no timeout is provided, it is set to 90 by default.
Returns:
The page body, or raises an exception if the page couldn't be retrieved.
"""
# Set the default timeout, if missing
if 'timeout' not in kwargs:
kwargs['timeout'] = 120
# Figure out what environment we're running in and get some preliminary
# information about the service account.
bootstrap_credentials, _ = google.auth.default(
scopes=[IAM_SCOPE])
if isinstance(bootstrap_credentials,
google.oauth2.credentials.Credentials):
raise Exception('make_iap_request is only supported for service '
'accounts.')
elif isinstance(bootstrap_credentials,
google.auth.app_engine.Credentials):
requests_toolbelt.adapters.appengine.monkeypatch()
# For service account's using the Compute Engine metadata service,
# service_account_email isn't available until refresh is called.
bootstrap_credentials.refresh(Request())
signer_email = bootstrap_credentials.service_account_email
if isinstance(bootstrap_credentials,
google.auth.compute_engine.credentials.Credentials):
# Since the Compute Engine metadata service doesn't expose the service
# account key, we use the IAM signBlob API to sign instead.
# In order for this to work:
#
# 1. Your VM needs the https://www.googleapis.com/auth/iam scope.
# You can specify this specific scope when creating a VM
# through the API or gcloud. When using Cloud Console,
# you'll need to specify the "full access to all Cloud APIs"
# scope. A VM's scopes can only be specified at creation time.
#
# 2. The VM's default service account needs the "Service Account Actor"
# role. This can be found under the "Project" category in Cloud
# Console, or roles/iam.serviceAccountActor in gcloud.
signer = google.auth.iam.Signer(
Request(), bootstrap_credentials, signer_email)
else:
# A Signer object can sign a JWT using the service account's key.
signer = bootstrap_credentials.signer
# Construct OAuth 2.0 service account credentials using the signer
# and email acquired from the bootstrap credentials.
service_account_credentials = google.oauth2.service_account.Credentials(
signer, signer_email, token_uri=OAUTH_TOKEN_URI, additional_claims={
'target_audience': client_id
})
# service_account_credentials gives us a JWT signed by the service
# account. Next, we use that to obtain an OpenID Connect token,
# which is a JWT signed by Google.
google_open_id_connect_token = get_google_open_id_connect_token(
service_account_credentials)
# Fetch the Identity-Aware Proxy-protected URL, including an
# Authorization header containing "Bearer " followed by a
# Google-issued OpenID Connect token for the service account.
resp = requests.request(
method, url,
headers={'Authorization': 'Bearer {}'.format(
google_open_id_connect_token)}, **kwargs)
#time.sleep(50)
if resp.status_code == 403:
raise Exception('Service account {} does not have permission to '
'access the IAP-protected application.'.format(
signer_email))
elif resp.status_code != 200:
raise Exception(
'Bad response from application: {!r} / {!r} / {!r}'.format(
resp.status_code, resp.headers, resp.text))
elif rest.status_code == 500:
time.sleep(90)
return 'DONE'
else:
return resp.text
def get_google_open_id_connect_token(service_account_credentials):
"""Get an OpenID Connect token issued by Google for the service account.
This function:
1. Generates a JWT signed with the service account's private key
containing a special "target_audience" claim.
2. Sends it to the OAUTH_TOKEN_URI endpoint. Because the JWT in #1
has a target_audience claim, that endpoint will respond with
an OpenID Connect token for the service account -- in other words,
a JWT signed by *Google*. The aud claim in this JWT will be
set to the value from the target_audience claim in #1.
For more information, see
https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
The HTTP/REST example on that page describes the JWT structure and
demonstrates how to call the token endpoint. (The example on that page
shows how to get an OAuth2 access token; this code is using a
modified version of it to get an OpenID Connect token.)
"""
service_account_jwt = (
service_account_credentials._make_authorization_grant_assertion())
request = google.auth.transport.requests.Request()
body = {
'assertion': service_account_jwt,
'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
}
token_response = google.oauth2._client._token_endpoint_request(
request, OAUTH_TOKEN_URI, body)
return token_response['id_token']
You can read more on other ways here.
来源:https://stackoverflow.com/questions/43218916/python-how-can-i-create-a-googlecredentials-using-a-specific-user-instead-of-ge