Last active
April 24, 2022 03:34
-
-
Save salrashid123/ebb02ca67a39785b58504563282e6dc7 to your computer and use it in GitHub Desktop.
Generate Service Account JWT from Appengine (for cloud endpoints https://blog.salrashid.dev/articles/2022/appengine_jwt/)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from flask import Flask | |
| import os | |
| import json | |
| import time | |
| from google.auth import compute_engine | |
| from werkzeug.exceptions import HTTPException | |
| from google.auth.transport.requests import AuthorizedSession, Request | |
| import google.oauth2.credentials | |
| from google.cloud import iam_credentials_v1 | |
| app = Flask(__name__) | |
| @app.route('/') | |
| def hello(): | |
| source_credentials, project_id = google.auth.default() | |
| # source_credentials = compute_engine.Credentials() | |
| # project_id = os.environ['GOOGLE_CLOUD_PROJECT'] | |
| target_credentials = '{}@appspot.gserviceaccount.com'.format(project_id) | |
| # This is default service account | |
| authed_session = AuthorizedSession(source_credentials) | |
| response = authed_session.request('GET', 'https://www.googleapis.com/userinfo/v2/me') | |
| print(response.json()) | |
| # get id_token | |
| # you don't need to enable impersonation for this.. | |
| target_audience="https://your_audience" | |
| request = google.auth.transport.requests.Request() | |
| id_creds = compute_engine.IDTokenCredentials(request=request, target_audience=target_audience, use_metadata_identity_endpoint=True) | |
| session = google.auth.transport.requests.AuthorizedSession(id_creds) | |
| request_url = "https://httpbin.org/get" | |
| response = session.get(request_url, headers = {'Accept': 'application/json'}) | |
| print(response.json()) | |
| # get self_signed JWT | |
| # you need impersonation for this | |
| client = iam_credentials_v1.services.iam_credentials.IAMCredentialsClient(credentials=source_credentials) | |
| name = "projects/-/serviceAccounts/{}".format(target_credentials) | |
| now = int(time.time()) | |
| exptime = now + 5 | |
| payload = { | |
| "iss": target_credentials, | |
| "email": target_credentials, | |
| "aud": target_audience, | |
| "sub": target_credentials, | |
| "exp": exptime, | |
| "iat": now | |
| } | |
| jwt_token = client.sign_jwt(name=name,payload=json.dumps(payload)) | |
| jwt_credentials = google.oauth2.credentials.Credentials(jwt_token.signed_jwt) | |
| session = google.auth.transport.requests.AuthorizedSession(jwt_credentials) | |
| request_url = "https://httpbin.org/get" | |
| response = session.get(request_url, headers = {'Accept': 'application/json'}) | |
| print(response.json()) | |
| return "ok" | |
| if __name__ == '__main__': | |
| app.run(host='127.0.0.1', port=8080, debug=True) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment