blob: 70fa5dc9c3cb2b6698df9e490a2388ab820c64d7 [file] [log] [blame]
salrashid1231fbc6792018-11-09 11:05:34 -08001# Copyright 2018 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15"""Google Cloud Impersonated credentials.
16
17This module provides authentication for applications where local credentials
18impersonates a remote service account using `IAM Credentials API`_.
19
20This class can be used to impersonate a service account as long as the original
21Credential object has the "Service Account Token Creator" role on the target
22service account.
23
24 .. _IAM Credentials API:
25 https://cloud.google.com/iam/credentials/reference/rest/
26"""
27
salrashid1237a8641a2019-08-07 14:31:33 -070028import base64
salrashid1231fbc6792018-11-09 11:05:34 -080029import copy
30from datetime import datetime
31import json
32
33import six
34from six.moves import http_client
35
36from google.auth import _helpers
37from google.auth import credentials
38from google.auth import exceptions
salrashid1237a8641a2019-08-07 14:31:33 -070039from google.auth import jwt
40from google.auth.transport.requests import AuthorizedSession
salrashid1231fbc6792018-11-09 11:05:34 -080041
42_DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds
43
Bu Sun Kim9eec0912019-10-21 17:04:21 -070044_IAM_SCOPE = ["https://www.googleapis.com/auth/iam"]
salrashid1231fbc6792018-11-09 11:05:34 -080045
Bu Sun Kim9eec0912019-10-21 17:04:21 -070046_IAM_ENDPOINT = (
47 "https://iamcredentials.googleapis.com/v1/projects/-"
48 + "/serviceAccounts/{}:generateAccessToken"
49)
salrashid1231fbc6792018-11-09 11:05:34 -080050
Bu Sun Kim9eec0912019-10-21 17:04:21 -070051_IAM_SIGN_ENDPOINT = (
52 "https://iamcredentials.googleapis.com/v1/projects/-"
53 + "/serviceAccounts/{}:signBlob"
54)
salrashid1237a8641a2019-08-07 14:31:33 -070055
Bu Sun Kim9eec0912019-10-21 17:04:21 -070056_IAM_IDTOKEN_ENDPOINT = (
57 "https://iamcredentials.googleapis.com/v1/"
58 + "projects/-/serviceAccounts/{}:generateIdToken"
59)
salrashid1237a8641a2019-08-07 14:31:33 -070060
Bu Sun Kim9eec0912019-10-21 17:04:21 -070061_REFRESH_ERROR = "Unable to acquire impersonated credentials"
salrashid1231fbc6792018-11-09 11:05:34 -080062
salrashid1237a8641a2019-08-07 14:31:33 -070063_DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds
64
Bu Sun Kim9eec0912019-10-21 17:04:21 -070065_DEFAULT_TOKEN_URI = "https://oauth2.googleapis.com/token"
salrashid1237a8641a2019-08-07 14:31:33 -070066
salrashid1231fbc6792018-11-09 11:05:34 -080067
68def _make_iam_token_request(request, principal, headers, body):
69 """Makes a request to the Google Cloud IAM service for an access token.
70 Args:
71 request (Request): The Request object to use.
72 principal (str): The principal to request an access token for.
73 headers (Mapping[str, str]): Map of headers to transmit.
74 body (Mapping[str, str]): JSON Payload body for the iamcredentials
75 API call.
76
77 Raises:
78 TransportError: Raised if there is an underlying HTTP connection
79 Error
80 DefaultCredentialsError: Raised if the impersonated credentials
81 are not available. Common reasons are
82 `iamcredentials.googleapis.com` is not enabled or the
83 `Service Account Token Creator` is not assigned
84 """
85 iam_endpoint = _IAM_ENDPOINT.format(principal)
86
87 body = json.dumps(body)
88
Bu Sun Kim9eec0912019-10-21 17:04:21 -070089 response = request(url=iam_endpoint, method="POST", headers=headers, body=body)
salrashid1231fbc6792018-11-09 11:05:34 -080090
Bu Sun Kim9eec0912019-10-21 17:04:21 -070091 response_body = response.data.decode("utf-8")
salrashid1231fbc6792018-11-09 11:05:34 -080092
93 if response.status != http_client.OK:
94 exceptions.RefreshError(_REFRESH_ERROR, response_body)
95
96 try:
Bu Sun Kim9eec0912019-10-21 17:04:21 -070097 token_response = json.loads(response.data.decode("utf-8"))
98 token = token_response["accessToken"]
99 expiry = datetime.strptime(token_response["expireTime"], "%Y-%m-%dT%H:%M:%SZ")
salrashid1231fbc6792018-11-09 11:05:34 -0800100
101 return token, expiry
102
103 except (KeyError, ValueError) as caught_exc:
104 new_exc = exceptions.RefreshError(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700105 "{}: No access token or invalid expiration in response.".format(
106 _REFRESH_ERROR
107 ),
108 response_body,
109 )
salrashid1231fbc6792018-11-09 11:05:34 -0800110 six.raise_from(new_exc, caught_exc)
111
112
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700113class Credentials(credentials.Credentials, credentials.Signing):
salrashid1231fbc6792018-11-09 11:05:34 -0800114 """This module defines impersonated credentials which are essentially
115 impersonated identities.
116
117 Impersonated Credentials allows credentials issued to a user or
118 service account to impersonate another. The target service account must
119 grant the originating credential principal the
120 `Service Account Token Creator`_ IAM role:
121
122 For more information about Token Creator IAM role and
123 IAMCredentials API, see
124 `Creating Short-Lived Service Account Credentials`_.
125
126 .. _Service Account Token Creator:
127 https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role
128
129 .. _Creating Short-Lived Service Account Credentials:
130 https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
131
132 Usage:
133
134 First grant source_credentials the `Service Account Token Creator`
135 role on the target account to impersonate. In this example, the
136 service account represented by svc_account.json has the
137 token creator role on
138 `impersonated-account@_project_.iam.gserviceaccount.com`.
139
salrashid123b29f2622018-11-12 09:49:16 -0800140 Enable the IAMCredentials API on the source project:
141 `gcloud services enable iamcredentials.googleapis.com`.
142
salrashid1231fbc6792018-11-09 11:05:34 -0800143 Initialize a source credential which does not have access to
144 list bucket::
145
146 from google.oauth2 import service_acccount
147
148 target_scopes = [
149 'https://www.googleapis.com/auth/devstorage.read_only']
150
151 source_credentials = (
152 service_account.Credentials.from_service_account_file(
153 '/path/to/svc_account.json',
154 scopes=target_scopes))
155
156 Now use the source credentials to acquire credentials to impersonate
157 another service account::
158
159 from google.auth import impersonated_credentials
160
161 target_credentials = impersonated_credentials.Credentials(
162 source_credentials=source_credentials,
163 target_principal='impersonated-account@_project_.iam.gserviceaccount.com',
164 target_scopes = target_scopes,
165 lifetime=500)
166
167 Resource access is granted::
168
169 client = storage.Client(credentials=target_credentials)
170 buckets = client.list_buckets(project='your_project')
171 for bucket in buckets:
salrashid1237a8641a2019-08-07 14:31:33 -0700172 print(bucket.name)
salrashid1231fbc6792018-11-09 11:05:34 -0800173 """
174
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700175 def __init__(
176 self,
177 source_credentials,
178 target_principal,
179 target_scopes,
180 delegates=None,
181 lifetime=_DEFAULT_TOKEN_LIFETIME_SECS,
182 ):
salrashid1231fbc6792018-11-09 11:05:34 -0800183 """
184 Args:
185 source_credentials (google.auth.Credentials): The source credential
186 used as to acquire the impersonated credentials.
187 target_principal (str): The service account to impersonate.
188 target_scopes (Sequence[str]): Scopes to request during the
189 authorization grant.
190 delegates (Sequence[str]): The chained list of delegates required
191 to grant the final access_token. If set, the sequence of
192 identities must have "Service Account Token Creator" capability
193 granted to the prceeding identity. For example, if set to
194 [serviceAccountB, serviceAccountC], the source_credential
195 must have the Token Creator role on serviceAccountB.
salrashid1237a8641a2019-08-07 14:31:33 -0700196 serviceAccountB must have the Token Creator on
197 serviceAccountC.
salrashid1231fbc6792018-11-09 11:05:34 -0800198 Finally, C must have Token Creator on target_principal.
199 If left unset, source_credential must have that role on
200 target_principal.
201 lifetime (int): Number of seconds the delegated credential should
salrashid123b29f2622018-11-12 09:49:16 -0800202 be valid for (upto 3600).
salrashid1231fbc6792018-11-09 11:05:34 -0800203 """
204
205 super(Credentials, self).__init__()
206
207 self._source_credentials = copy.copy(source_credentials)
208 self._source_credentials._scopes = _IAM_SCOPE
209 self._target_principal = target_principal
210 self._target_scopes = target_scopes
211 self._delegates = delegates
212 self._lifetime = lifetime
213 self.token = None
214 self.expiry = _helpers.utcnow()
215
216 @_helpers.copy_docstring(credentials.Credentials)
217 def refresh(self, request):
salrashid1231fbc6792018-11-09 11:05:34 -0800218 self._update_token(request)
219
220 @property
221 def expired(self):
222 return _helpers.utcnow() >= self.expiry
223
224 def _update_token(self, request):
225 """Updates credentials with a new access_token representing
226 the impersonated account.
227
228 Args:
229 request (google.auth.transport.requests.Request): Request object
230 to use for refreshing credentials.
231 """
232
233 # Refresh our source credentials.
234 self._source_credentials.refresh(request)
235
salrashid1231fbc6792018-11-09 11:05:34 -0800236 body = {
237 "delegates": self._delegates,
238 "scope": self._target_scopes,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700239 "lifetime": str(self._lifetime) + "s",
salrashid1231fbc6792018-11-09 11:05:34 -0800240 }
241
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700242 headers = {"Content-Type": "application/json"}
salrashid1231fbc6792018-11-09 11:05:34 -0800243
244 # Apply the source credentials authentication info.
245 self._source_credentials.apply(headers)
246
247 self.token, self.expiry = _make_iam_token_request(
248 request=request,
249 principal=self._target_principal,
250 headers=headers,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700251 body=body,
252 )
salrashid1237a8641a2019-08-07 14:31:33 -0700253
254 def sign_bytes(self, message):
255
256 iam_sign_endpoint = _IAM_SIGN_ENDPOINT.format(self._target_principal)
257
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700258 body = {"payload": base64.b64encode(message), "delegates": self._delegates}
salrashid1237a8641a2019-08-07 14:31:33 -0700259
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700260 headers = {"Content-Type": "application/json"}
salrashid1237a8641a2019-08-07 14:31:33 -0700261
262 authed_session = AuthorizedSession(self._source_credentials)
263
264 response = authed_session.post(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700265 url=iam_sign_endpoint, headers=headers, json=body
266 )
salrashid1237a8641a2019-08-07 14:31:33 -0700267
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700268 return base64.b64decode(response.json()["signedBlob"])
salrashid1237a8641a2019-08-07 14:31:33 -0700269
270 @property
271 def signer_email(self):
272 return self._target_principal
273
274 @property
275 def service_account_email(self):
276 return self._target_principal
277
278 @property
279 def signer(self):
280 return self
281
282
283class IDTokenCredentials(credentials.Credentials):
284 """Open ID Connect ID Token-based service account credentials.
285
286 """
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700287
288 def __init__(self, target_credentials, target_audience=None, include_email=False):
salrashid1237a8641a2019-08-07 14:31:33 -0700289 """
290 Args:
291 target_credentials (google.auth.Credentials): The target
292 credential used as to acquire the id tokens for.
293 target_audience (string): Audience to issue the token for.
294 include_email (bool): Include email in IdToken
295 """
296 super(IDTokenCredentials, self).__init__()
297
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700298 if not isinstance(target_credentials, Credentials):
299 raise exceptions.GoogleAuthError(
300 "Provided Credential must be " "impersonated_credentials"
301 )
salrashid1237a8641a2019-08-07 14:31:33 -0700302 self._target_credentials = target_credentials
303 self._target_audience = target_audience
304 self._include_email = include_email
305
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700306 def from_credentials(self, target_credentials, target_audience=None):
salrashid1237a8641a2019-08-07 14:31:33 -0700307 return self.__class__(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700308 target_credentials=self._target_credentials, target_audience=target_audience
309 )
salrashid1237a8641a2019-08-07 14:31:33 -0700310
311 def with_target_audience(self, target_audience):
312 return self.__class__(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700313 target_credentials=self._target_credentials, target_audience=target_audience
314 )
salrashid1237a8641a2019-08-07 14:31:33 -0700315
316 def with_include_email(self, include_email):
317 return self.__class__(
318 target_credentials=self._target_credentials,
319 target_audience=self._target_audience,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700320 include_email=include_email,
321 )
salrashid1237a8641a2019-08-07 14:31:33 -0700322
323 @_helpers.copy_docstring(credentials.Credentials)
324 def refresh(self, request):
325
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700326 iam_sign_endpoint = _IAM_IDTOKEN_ENDPOINT.format(
327 self._target_credentials.signer_email
328 )
salrashid1237a8641a2019-08-07 14:31:33 -0700329
330 body = {
331 "audience": self._target_audience,
332 "delegates": self._target_credentials._delegates,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700333 "includeEmail": self._include_email,
salrashid1237a8641a2019-08-07 14:31:33 -0700334 }
335
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700336 headers = {"Content-Type": "application/json"}
salrashid1237a8641a2019-08-07 14:31:33 -0700337
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700338 authed_session = AuthorizedSession(self._target_credentials._source_credentials)
salrashid1237a8641a2019-08-07 14:31:33 -0700339
340 response = authed_session.post(
341 url=iam_sign_endpoint,
342 headers=headers,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700343 data=json.dumps(body).encode("utf-8"),
344 )
salrashid1237a8641a2019-08-07 14:31:33 -0700345
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700346 id_token = response.json()["token"]
salrashid1237a8641a2019-08-07 14:31:33 -0700347 self.token = id_token
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700348 self.expiry = datetime.fromtimestamp(jwt.decode(id_token, verify=False)["exp"])