Created
April 25, 2022 11:26
-
-
Save salrashid123/9c82425dd6b08a8dc8199eae6bdac194 to your computer and use it in GitHub Desktop.
GCP impersonated and iam credentials to signJWT, generateIDToken (ref https://blog.salrashid.dev/articles/2022/appengine_jwt/)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import json | |
| import time | |
| from google.auth import impersonated_credentials | |
| from google.auth.transport.requests import AuthorizedSession, Request | |
| import google.oauth2.credentials | |
| from google.cloud import iam_credentials_v1 | |
| # export GCLOUD_USER=`gcloud config get-value core/account` | |
| # gcloud iam service-accounts add-iam-policy-binding \ | |
| # [email protected] \ | |
| # --member=user:$GCLOUD_USER \ | |
| # --role=roles/iam.serviceAccountTokenCreator | |
| source_credentials, project_id = google.auth.default() | |
| target_service_account = '[email protected]' | |
| target_scopes = ['https://www.googleapis.com/auth/cloud-platform'] | |
| target_credentials = impersonated_credentials.Credentials( | |
| source_credentials = source_credentials, | |
| target_principal=target_service_account, | |
| target_scopes = target_scopes, | |
| delegates=[], | |
| lifetime=5) | |
| # A) use the impersonated target_credential to generate an id_token | |
| target_audience="https://your_audience" | |
| request = Request() | |
| id_creds = impersonated_credentials.IDTokenCredentials(target_credentials=target_credentials,target_audience=target_audience, include_email=True) | |
| # id_creds.refresh(request) | |
| # print(id_creds.token) | |
| session = AuthorizedSession(id_creds) | |
| request_url = "https://httpbin.org/get" | |
| response = session.get(request_url, headers = {'Accept': 'application/json'}) | |
| print(response.json()) | |
| # ================== | |
| # B) use the **source_credentials* with the iam client to generate an id_token for target_service_account | |
| client = iam_credentials_v1.services.iam_credentials.IAMCredentialsClient(credentials=source_credentials) | |
| name = "projects/-/serviceAccounts/{}".format(target_service_account) | |
| id_token_response = client.generate_id_token(name=name,audience=target_audience) | |
| id_credentials = google.oauth2.credentials.Credentials(id_token_response.token) | |
| session = AuthorizedSession(id_credentials) | |
| request_url = "https://httpbin.org/get" | |
| response = session.get(request_url, headers = {'Accept': 'application/json'}) | |
| print(response.json()) | |
| # ================== | |
| # C) use the **source_credentials* with the iam client to generate a JWT signed by target_service_account | |
| client = iam_credentials_v1.services.iam_credentials.IAMCredentialsClient(credentials=source_credentials) | |
| name = "projects/-/serviceAccounts/{}".format(target_service_account) | |
| now = int(time.time()) | |
| exptime = now + 5 | |
| payload = { | |
| "iss": target_service_account, | |
| "email": target_service_account, | |
| "aud": target_audience, | |
| "sub": target_service_account, | |
| "exp": exptime, | |
| "iat": now | |
| } | |
| jwt_token = client.sign_jwt(name=name,payload=json.dumps(payload)) | |
| jwt_credentials = google.oauth2.credentials.Credentials(jwt_token.signed_jwt) | |
| session = AuthorizedSession(jwt_credentials) | |
| request_url = "https://httpbin.org/get" | |
| response = session.get(request_url, headers = {'Accept': 'application/json'}) | |
| print(response.json()) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment