Revert "fix: migrate signBlob to iamcredentials.googleapis.com" (#563)
Reverts googleapis/google-auth-library-python#553
We have received reports that this is breaking users. See internal issue 161506225.
diff --git a/.gitignore b/.gitignore
index f01e60e..6d86d1f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,6 +41,3 @@
pytype_output/
.python-version
-.DS_Store
-cert_path
-key_path
\ No newline at end of file
diff --git a/google/auth/iam.py b/google/auth/iam.py
index 9e38879..bd05004 100644
--- a/google/auth/iam.py
+++ b/google/auth/iam.py
@@ -28,7 +28,7 @@
from google.auth import crypt
from google.auth import exceptions
-_IAM_API_ROOT_URI = "https://iamcredentials.googleapis.com/v1"
+_IAM_API_ROOT_URI = "https://iam.googleapis.com/v1"
_SIGN_BLOB_URI = _IAM_API_ROOT_URI + "/projects/-/serviceAccounts/{}:signBlob?alt=json"
@@ -71,7 +71,7 @@
url = _SIGN_BLOB_URI.format(self._service_account_email)
headers = {}
body = json.dumps(
- {"payload": base64.b64encode(message).decode("utf-8")}
+ {"bytesToSign": base64.b64encode(message).decode("utf-8")}
).encode("utf-8")
self._credentials.before_request(self._request, method, url, headers)
@@ -97,4 +97,4 @@
@_helpers.copy_docstring(crypt.Signer)
def sign(self, message):
response = self._make_signing_request(message)
- return base64.b64decode(response["signedBlob"])
+ return base64.b64decode(response["signature"])
diff --git a/system_tests/test_service_account.py b/system_tests/test_service_account.py
index 498b75b..262ce84 100644
--- a/system_tests/test_service_account.py
+++ b/system_tests/test_service_account.py
@@ -16,7 +16,6 @@
from google.auth import _helpers
from google.auth import exceptions
-from google.auth import iam
from google.oauth2 import service_account
@@ -47,19 +46,3 @@
"https://www.googleapis.com/auth/userinfo.profile",
]
)
-
-def test_iam_signer(http_request, credentials):
- credentials = credentials.with_scopes(
- ["https://www.googleapis.com/auth/iam"]
- )
-
- # Verify iamcredentials signer.
- signer = iam.Signer(
- http_request,
- credentials,
- credentials.service_account_email
- )
-
- signed_blob = signer.sign("message")
-
- assert isinstance(signed_blob, bytes)
diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py
index 4ee6536..8c95e24 100644
--- a/tests/compute_engine/test_credentials.py
+++ b/tests/compute_engine/test_credentials.py
@@ -363,11 +363,11 @@
signature = base64.b64encode(b"some-signature").decode("utf-8")
responses.add(
responses.POST,
- "https://iamcredentials.googleapis.com/v1/projects/-/"
- "serviceAccounts/service-account@example.com:signBlob?alt=json",
+ "https://iam.googleapis.com/v1/projects/-/serviceAccounts/"
+ "service-account@example.com:signBlob?alt=json",
status=200,
content_type="application/json",
- json={"keyId": "some-key-id", "signedBlob": signature},
+ json={"keyId": "some-key-id", "signature": signature},
)
id_token = "{}.{}.{}".format(
@@ -477,11 +477,11 @@
signature = base64.b64encode(b"some-signature").decode("utf-8")
responses.add(
responses.POST,
- "https://iamcredentials.googleapis.com/v1/projects/-/"
- "serviceAccounts/service-account@example.com:signBlob?alt=json",
+ "https://iam.googleapis.com/v1/projects/-/serviceAccounts/"
+ "service-account@example.com:signBlob?alt=json",
status=200,
content_type="application/json",
- json={"keyId": "some-key-id", "signedBlob": signature},
+ json={"keyId": "some-key-id", "signature": signature},
)
id_token = "{}.{}.{}".format(
diff --git a/tests/test_iam.py b/tests/test_iam.py
index e20eeba..4367fe7 100644
--- a/tests/test_iam.py
+++ b/tests/test_iam.py
@@ -81,7 +81,7 @@
def test_sign_bytes(self):
signature = b"DEADBEEF"
encoded_signature = base64.b64encode(signature).decode("utf-8")
- request = make_request(http_client.OK, data={"signedBlob": encoded_signature})
+ request = make_request(http_client.OK, data={"signature": encoded_signature})
credentials = make_credentials()
signer = iam.Signer(request, credentials, mock.sentinel.service_account_email)