salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 1 | # Copyright 2018 Google Inc. |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | # you may not use this file except in compliance with the License. |
| 5 | # You may obtain a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | # See the License for the specific language governing permissions and |
| 13 | # limitations under the License. |
| 14 | |
| 15 | """Google Cloud Impersonated credentials. |
| 16 | |
| 17 | This module provides authentication for applications where local credentials |
| 18 | impersonates a remote service account using `IAM Credentials API`_. |
| 19 | |
| 20 | This class can be used to impersonate a service account as long as the original |
| 21 | Credential object has the "Service Account Token Creator" role on the target |
| 22 | service account. |
| 23 | |
| 24 | .. _IAM Credentials API: |
| 25 | https://cloud.google.com/iam/credentials/reference/rest/ |
| 26 | """ |
| 27 | |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 28 | import base64 |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 29 | import copy |
| 30 | from datetime import datetime |
| 31 | import json |
| 32 | |
| 33 | import six |
| 34 | from six.moves import http_client |
| 35 | |
| 36 | from google.auth import _helpers |
| 37 | from google.auth import credentials |
| 38 | from google.auth import exceptions |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 39 | from google.auth import jwt |
| 40 | from google.auth.transport.requests import AuthorizedSession |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 41 | |
| 42 | _DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds |
| 43 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 44 | _IAM_SCOPE = ["https://www.googleapis.com/auth/iam"] |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 45 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 46 | _IAM_ENDPOINT = ( |
| 47 | "https://iamcredentials.googleapis.com/v1/projects/-" |
| 48 | + "/serviceAccounts/{}:generateAccessToken" |
| 49 | ) |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 50 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 51 | _IAM_SIGN_ENDPOINT = ( |
| 52 | "https://iamcredentials.googleapis.com/v1/projects/-" |
| 53 | + "/serviceAccounts/{}:signBlob" |
| 54 | ) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 55 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 56 | _IAM_IDTOKEN_ENDPOINT = ( |
| 57 | "https://iamcredentials.googleapis.com/v1/" |
| 58 | + "projects/-/serviceAccounts/{}:generateIdToken" |
| 59 | ) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 60 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 61 | _REFRESH_ERROR = "Unable to acquire impersonated credentials" |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 62 | |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 63 | _DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds |
| 64 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 65 | _DEFAULT_TOKEN_URI = "https://oauth2.googleapis.com/token" |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 66 | |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 67 | |
| 68 | def _make_iam_token_request(request, principal, headers, body): |
| 69 | """Makes a request to the Google Cloud IAM service for an access token. |
| 70 | Args: |
| 71 | request (Request): The Request object to use. |
| 72 | principal (str): The principal to request an access token for. |
| 73 | headers (Mapping[str, str]): Map of headers to transmit. |
| 74 | body (Mapping[str, str]): JSON Payload body for the iamcredentials |
| 75 | API call. |
| 76 | |
| 77 | Raises: |
| 78 | TransportError: Raised if there is an underlying HTTP connection |
| 79 | Error |
| 80 | DefaultCredentialsError: Raised if the impersonated credentials |
| 81 | are not available. Common reasons are |
| 82 | `iamcredentials.googleapis.com` is not enabled or the |
| 83 | `Service Account Token Creator` is not assigned |
| 84 | """ |
| 85 | iam_endpoint = _IAM_ENDPOINT.format(principal) |
| 86 | |
Bu Sun Kim | a57a770 | 2020-01-10 13:17:34 -0800 | [diff] [blame] | 87 | body = json.dumps(body).encode("utf-8") |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 88 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 89 | response = request(url=iam_endpoint, method="POST", headers=headers, body=body) |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 90 | |
arithmetic1728 | 9b7228e | 2020-05-06 17:11:01 -0700 | [diff] [blame^] | 91 | # support both string and bytes type response.data |
arithmetic1728 | e115bae | 2020-05-06 16:00:17 -0700 | [diff] [blame] | 92 | response_body = ( |
| 93 | response.data.decode("utf-8") |
| 94 | if hasattr(response.data, "decode") |
| 95 | else response.data |
| 96 | ) |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 97 | |
| 98 | if response.status != http_client.OK: |
| 99 | exceptions.RefreshError(_REFRESH_ERROR, response_body) |
| 100 | |
| 101 | try: |
arithmetic1728 | e115bae | 2020-05-06 16:00:17 -0700 | [diff] [blame] | 102 | token_response = json.loads(response_body) |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 103 | token = token_response["accessToken"] |
| 104 | expiry = datetime.strptime(token_response["expireTime"], "%Y-%m-%dT%H:%M:%SZ") |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 105 | |
| 106 | return token, expiry |
| 107 | |
| 108 | except (KeyError, ValueError) as caught_exc: |
| 109 | new_exc = exceptions.RefreshError( |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 110 | "{}: No access token or invalid expiration in response.".format( |
| 111 | _REFRESH_ERROR |
| 112 | ), |
| 113 | response_body, |
| 114 | ) |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 115 | six.raise_from(new_exc, caught_exc) |
| 116 | |
| 117 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 118 | class Credentials(credentials.Credentials, credentials.Signing): |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 119 | """This module defines impersonated credentials which are essentially |
| 120 | impersonated identities. |
| 121 | |
| 122 | Impersonated Credentials allows credentials issued to a user or |
| 123 | service account to impersonate another. The target service account must |
| 124 | grant the originating credential principal the |
| 125 | `Service Account Token Creator`_ IAM role: |
| 126 | |
| 127 | For more information about Token Creator IAM role and |
| 128 | IAMCredentials API, see |
| 129 | `Creating Short-Lived Service Account Credentials`_. |
| 130 | |
| 131 | .. _Service Account Token Creator: |
| 132 | https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role |
| 133 | |
| 134 | .. _Creating Short-Lived Service Account Credentials: |
| 135 | https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials |
| 136 | |
| 137 | Usage: |
| 138 | |
| 139 | First grant source_credentials the `Service Account Token Creator` |
| 140 | role on the target account to impersonate. In this example, the |
| 141 | service account represented by svc_account.json has the |
| 142 | token creator role on |
| 143 | `impersonated-account@_project_.iam.gserviceaccount.com`. |
| 144 | |
salrashid123 | b29f262 | 2018-11-12 09:49:16 -0800 | [diff] [blame] | 145 | Enable the IAMCredentials API on the source project: |
| 146 | `gcloud services enable iamcredentials.googleapis.com`. |
| 147 | |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 148 | Initialize a source credential which does not have access to |
| 149 | list bucket:: |
| 150 | |
| 151 | from google.oauth2 import service_acccount |
| 152 | |
| 153 | target_scopes = [ |
| 154 | 'https://www.googleapis.com/auth/devstorage.read_only'] |
| 155 | |
| 156 | source_credentials = ( |
| 157 | service_account.Credentials.from_service_account_file( |
| 158 | '/path/to/svc_account.json', |
| 159 | scopes=target_scopes)) |
| 160 | |
| 161 | Now use the source credentials to acquire credentials to impersonate |
| 162 | another service account:: |
| 163 | |
| 164 | from google.auth import impersonated_credentials |
| 165 | |
| 166 | target_credentials = impersonated_credentials.Credentials( |
| 167 | source_credentials=source_credentials, |
| 168 | target_principal='impersonated-account@_project_.iam.gserviceaccount.com', |
| 169 | target_scopes = target_scopes, |
| 170 | lifetime=500) |
| 171 | |
| 172 | Resource access is granted:: |
| 173 | |
| 174 | client = storage.Client(credentials=target_credentials) |
| 175 | buckets = client.list_buckets(project='your_project') |
| 176 | for bucket in buckets: |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 177 | print(bucket.name) |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 178 | """ |
| 179 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 180 | def __init__( |
| 181 | self, |
| 182 | source_credentials, |
| 183 | target_principal, |
| 184 | target_scopes, |
| 185 | delegates=None, |
| 186 | lifetime=_DEFAULT_TOKEN_LIFETIME_SECS, |
| 187 | ): |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 188 | """ |
| 189 | Args: |
| 190 | source_credentials (google.auth.Credentials): The source credential |
| 191 | used as to acquire the impersonated credentials. |
| 192 | target_principal (str): The service account to impersonate. |
| 193 | target_scopes (Sequence[str]): Scopes to request during the |
| 194 | authorization grant. |
| 195 | delegates (Sequence[str]): The chained list of delegates required |
| 196 | to grant the final access_token. If set, the sequence of |
| 197 | identities must have "Service Account Token Creator" capability |
| 198 | granted to the prceeding identity. For example, if set to |
| 199 | [serviceAccountB, serviceAccountC], the source_credential |
| 200 | must have the Token Creator role on serviceAccountB. |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 201 | serviceAccountB must have the Token Creator on |
| 202 | serviceAccountC. |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 203 | Finally, C must have Token Creator on target_principal. |
| 204 | If left unset, source_credential must have that role on |
| 205 | target_principal. |
| 206 | lifetime (int): Number of seconds the delegated credential should |
salrashid123 | b29f262 | 2018-11-12 09:49:16 -0800 | [diff] [blame] | 207 | be valid for (upto 3600). |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 208 | """ |
| 209 | |
| 210 | super(Credentials, self).__init__() |
| 211 | |
| 212 | self._source_credentials = copy.copy(source_credentials) |
Bu Sun Kim | 82e224b | 2020-03-13 13:21:18 -0700 | [diff] [blame] | 213 | # Service account source credentials must have the _IAM_SCOPE |
| 214 | # added to refresh correctly. User credentials cannot have |
| 215 | # their original scopes modified. |
| 216 | if isinstance(self._source_credentials, credentials.Scoped): |
| 217 | self._source_credentials = self._source_credentials.with_scopes(_IAM_SCOPE) |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 218 | self._target_principal = target_principal |
| 219 | self._target_scopes = target_scopes |
| 220 | self._delegates = delegates |
| 221 | self._lifetime = lifetime |
| 222 | self.token = None |
| 223 | self.expiry = _helpers.utcnow() |
| 224 | |
| 225 | @_helpers.copy_docstring(credentials.Credentials) |
| 226 | def refresh(self, request): |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 227 | self._update_token(request) |
| 228 | |
| 229 | @property |
| 230 | def expired(self): |
| 231 | return _helpers.utcnow() >= self.expiry |
| 232 | |
| 233 | def _update_token(self, request): |
| 234 | """Updates credentials with a new access_token representing |
| 235 | the impersonated account. |
| 236 | |
| 237 | Args: |
| 238 | request (google.auth.transport.requests.Request): Request object |
| 239 | to use for refreshing credentials. |
| 240 | """ |
| 241 | |
| 242 | # Refresh our source credentials. |
| 243 | self._source_credentials.refresh(request) |
| 244 | |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 245 | body = { |
| 246 | "delegates": self._delegates, |
| 247 | "scope": self._target_scopes, |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 248 | "lifetime": str(self._lifetime) + "s", |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 249 | } |
| 250 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 251 | headers = {"Content-Type": "application/json"} |
salrashid123 | 1fbc679 | 2018-11-09 11:05:34 -0800 | [diff] [blame] | 252 | |
| 253 | # Apply the source credentials authentication info. |
| 254 | self._source_credentials.apply(headers) |
| 255 | |
| 256 | self.token, self.expiry = _make_iam_token_request( |
| 257 | request=request, |
| 258 | principal=self._target_principal, |
| 259 | headers=headers, |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 260 | body=body, |
| 261 | ) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 262 | |
| 263 | def sign_bytes(self, message): |
| 264 | |
| 265 | iam_sign_endpoint = _IAM_SIGN_ENDPOINT.format(self._target_principal) |
| 266 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 267 | body = {"payload": base64.b64encode(message), "delegates": self._delegates} |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 268 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 269 | headers = {"Content-Type": "application/json"} |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 270 | |
| 271 | authed_session = AuthorizedSession(self._source_credentials) |
| 272 | |
| 273 | response = authed_session.post( |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 274 | url=iam_sign_endpoint, headers=headers, json=body |
| 275 | ) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 276 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 277 | return base64.b64decode(response.json()["signedBlob"]) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 278 | |
| 279 | @property |
| 280 | def signer_email(self): |
| 281 | return self._target_principal |
| 282 | |
| 283 | @property |
| 284 | def service_account_email(self): |
| 285 | return self._target_principal |
| 286 | |
| 287 | @property |
| 288 | def signer(self): |
| 289 | return self |
| 290 | |
| 291 | |
| 292 | class IDTokenCredentials(credentials.Credentials): |
| 293 | """Open ID Connect ID Token-based service account credentials. |
| 294 | |
| 295 | """ |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 296 | |
| 297 | def __init__(self, target_credentials, target_audience=None, include_email=False): |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 298 | """ |
| 299 | Args: |
| 300 | target_credentials (google.auth.Credentials): The target |
| 301 | credential used as to acquire the id tokens for. |
| 302 | target_audience (string): Audience to issue the token for. |
| 303 | include_email (bool): Include email in IdToken |
| 304 | """ |
| 305 | super(IDTokenCredentials, self).__init__() |
| 306 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 307 | if not isinstance(target_credentials, Credentials): |
| 308 | raise exceptions.GoogleAuthError( |
| 309 | "Provided Credential must be " "impersonated_credentials" |
| 310 | ) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 311 | self._target_credentials = target_credentials |
| 312 | self._target_audience = target_audience |
| 313 | self._include_email = include_email |
| 314 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 315 | def from_credentials(self, target_credentials, target_audience=None): |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 316 | return self.__class__( |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 317 | target_credentials=self._target_credentials, target_audience=target_audience |
| 318 | ) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 319 | |
| 320 | def with_target_audience(self, target_audience): |
| 321 | return self.__class__( |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 322 | target_credentials=self._target_credentials, target_audience=target_audience |
| 323 | ) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 324 | |
| 325 | def with_include_email(self, include_email): |
| 326 | return self.__class__( |
| 327 | target_credentials=self._target_credentials, |
| 328 | target_audience=self._target_audience, |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 329 | include_email=include_email, |
| 330 | ) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 331 | |
| 332 | @_helpers.copy_docstring(credentials.Credentials) |
| 333 | def refresh(self, request): |
| 334 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 335 | iam_sign_endpoint = _IAM_IDTOKEN_ENDPOINT.format( |
| 336 | self._target_credentials.signer_email |
| 337 | ) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 338 | |
| 339 | body = { |
| 340 | "audience": self._target_audience, |
| 341 | "delegates": self._target_credentials._delegates, |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 342 | "includeEmail": self._include_email, |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 343 | } |
| 344 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 345 | headers = {"Content-Type": "application/json"} |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 346 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 347 | authed_session = AuthorizedSession(self._target_credentials._source_credentials) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 348 | |
| 349 | response = authed_session.post( |
| 350 | url=iam_sign_endpoint, |
| 351 | headers=headers, |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 352 | data=json.dumps(body).encode("utf-8"), |
| 353 | ) |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 354 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 355 | id_token = response.json()["token"] |
salrashid123 | 7a8641a | 2019-08-07 14:31:33 -0700 | [diff] [blame] | 356 | self.token = id_token |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 357 | self.expiry = datetime.fromtimestamp(jwt.decode(id_token, verify=False)["exp"]) |