Automatically refresh impersonated credentials (#304)
diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py
index ca625b8..32dfe83 100644
--- a/google/auth/impersonated_credentials.py
+++ b/google/auth/impersonated_credentials.py
@@ -44,7 +44,6 @@
'/serviceAccounts/{}:generateAccessToken')
_REFRESH_ERROR = 'Unable to acquire impersonated credentials'
-_LIFETIME_ERROR = 'Credentials with lifetime set cannot be renewed'
def _make_iam_token_request(request, principal, headers, body):
@@ -122,6 +121,9 @@
token creator role on
`impersonated-account@_project_.iam.gserviceaccount.com`.
+ Enable the IAMCredentials API on the source project:
+ `gcloud services enable iamcredentials.googleapis.com`.
+
Initialize a source credential which does not have access to
list bucket::
@@ -156,7 +158,7 @@
def __init__(self, source_credentials, target_principal,
target_scopes, delegates=None,
- lifetime=None):
+ lifetime=_DEFAULT_TOKEN_LIFETIME_SECS):
"""
Args:
source_credentials (google.auth.Credentials): The source credential
@@ -175,9 +177,7 @@
If left unset, source_credential must have that role on
target_principal.
lifetime (int): Number of seconds the delegated credential should
- be valid for (upto 3600). If set, the credentials will
- **not** get refreshed after expiration. If not set, the
- credentials will be refreshed every 3600s.
+ be valid for (upto 3600).
"""
super(Credentials, self).__init__()
@@ -193,10 +193,6 @@
@_helpers.copy_docstring(credentials.Credentials)
def refresh(self, request):
- if (self.token is not None and self._lifetime is not None):
- self.expiry = _helpers.utcnow()
- raise exceptions.RefreshError(_LIFETIME_ERROR)
- self._source_credentials.refresh(request)
self._update_token(request)
@property
@@ -215,14 +211,10 @@
# Refresh our source credentials.
self._source_credentials.refresh(request)
- lifetime = self._lifetime
- if (self._lifetime is None):
- lifetime = _DEFAULT_TOKEN_LIFETIME_SECS
-
body = {
"delegates": self._delegates,
"scope": self._target_scopes,
- "lifetime": str(lifetime) + "s"
+ "lifetime": str(self._lifetime) + "s"
}
headers = {
diff --git a/tests/test_impersonated_credentials.py b/tests/test_impersonated_credentials.py
index 74342ce..68a2af8 100644
--- a/tests/test_impersonated_credentials.py
+++ b/tests/test_impersonated_credentials.py
@@ -133,32 +133,6 @@
assert not credentials.valid
assert credentials.expired
- def test_refresh_failure_lifetime_specified(self, mock_donor_credentials):
- credentials = self.make_credentials(lifetime=500)
- token = 'token'
-
- expire_time = (
- _helpers.utcnow().replace(microsecond=0) +
- datetime.timedelta(seconds=500)).isoformat('T') + 'Z'
- response_body = {
- "accessToken": token,
- "expireTime": expire_time
- }
-
- request = self.make_request(
- data=json.dumps(response_body),
- status=http_client.OK)
-
- credentials.refresh(request)
-
- with pytest.raises(exceptions.RefreshError) as excinfo:
- credentials.refresh(request)
-
- assert excinfo.match(impersonated_credentials._LIFETIME_ERROR)
-
- assert not credentials.valid
- assert credentials.expired
-
def test_refresh_failure_unauthorzed(self, mock_donor_credentials):
credentials = self.make_credentials(lifetime=None)