From 656307d40941d2b72bb41e15238ebabba5ab6f52 Mon Sep 17 00:00:00 2001 From: sai-sunder-s <4540365+sai-sunder-s@users.noreply.github.com> Date: Fri, 8 Nov 2024 17:05:53 +0000 Subject: [PATCH] fix: improve user guide for Impersonation and SA (#1627) * fix: improve user guide for Impersonation and SA * moved sa to end --- docs/user-guide.rst | 112 +++++++++++++++++++---------------- system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes 2 files changed, 60 insertions(+), 52 deletions(-) diff --git a/docs/user-guide.rst b/docs/user-guide.rst index e9ad000e5..3545a8a31 100644 --- a/docs/user-guide.rst +++ b/docs/user-guide.rst @@ -62,57 +62,6 @@ store service account private keys locally. .. _Google Cloud SDK: https://cloud.google.com/sdk -Service account private key files -+++++++++++++++++++++++++++++++++ - -A service account private key file can be used to obtain credentials for a -service account. You can create a private key using the `Credentials page of the -Google Cloud Console`_. Once you have a private key you can either obtain -credentials one of three ways: - -1. Set the ``GOOGLE_APPLICATION_CREDENTIALS`` environment variable to the full - path to your service account private key file - - .. code-block:: bash - - $ export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json - - Then, use :ref:`application default credentials `. - :func:`default` checks for the ``GOOGLE_APPLICATION_CREDENTIALS`` - environment variable before all other checks, so this will always use the - credentials you explicitly specify. - -2. Use :meth:`service_account.Credentials.from_service_account_file - `:: - - from google.oauth2 import service_account - - credentials = service_account.Credentials.from_service_account_file( - '/path/to/key.json') - - scoped_credentials = credentials.with_scopes( - ['https://www.googleapis.com/auth/cloud-platform']) - -3. Use :meth:`service_account.Credentials.from_service_account_info - `:: - - import json - - from google.oauth2 import service_account - - json_acct_info = json.loads(function_to_get_json_creds()) - credentials = service_account.Credentials.from_service_account_info( - json_acct_info) - - scoped_credentials = credentials.with_scopes( - ['https://www.googleapis.com/auth/cloud-platform']) - -.. warning:: Private keys must be kept secret. If you expose your private key it - is recommended to revoke it immediately from the Google Cloud Console. - -.. _Credentials page of the Google Cloud Console: - https://console.cloud.google.com/apis/credentials - Compute Engine, Container Engine, and the App Engine flexible environment +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -231,6 +180,7 @@ You can also use :class:`google_auth_oauthlib.flow.Flow` to perform the OAuth .. _requests-oauthlib: https://requests-oauthlib.readthedocs.io/en/latest/ + External credentials (Workload identity federation) +++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -981,7 +931,8 @@ Impersonated credentials ++++++++++++++++++++++++ Impersonated Credentials allows one set of credentials issued to a user or service account -to impersonate another. The source credentials must be granted +to impersonate a service account. Impersonation is the preferred way of using service account for +local development over downloading the service account key. The source credentials must be granted the "Service Account Token Creator" IAM role. :: from google.auth import impersonated_credentials @@ -1006,6 +957,63 @@ In the example above `source_credentials` does not have direct access to list bu in the target project. Using `ImpersonatedCredentials` will allow the source_credentials to assume the identity of a target_principal that does have access. +It is possible to provide a delegation chain through `delegates` paramter while +initializing the impersonated credential. Refer `create short lived credentials delegated`_ for more details on delegation chain. + +.. _create short lived credentials delegated: https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated + + +Service account private key files ++++++++++++++++++++++++++++++++++ + +A service account private key file can be used to obtain credentials for a service account. If you are not +able to use any of the authentication methods listed above, you can create a private key using `Credentials page of the +Google Cloud Console`_. Once you have a private key you can obtain +credentials one of three ways: + +1. Set the ``GOOGLE_APPLICATION_CREDENTIALS`` environment variable to the full + path to your service account private key file + + .. code-block:: bash + + $ export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json + + Then, use :ref:`application default credentials `. + :func:`default` checks for the ``GOOGLE_APPLICATION_CREDENTIALS`` + environment variable before all other checks, so this will always use the + credentials you explicitly specify. + +2. Use :meth:`service_account.Credentials.from_service_account_file + `:: + + from google.oauth2 import service_account + + credentials = service_account.Credentials.from_service_account_file( + '/path/to/key.json') + + scoped_credentials = credentials.with_scopes( + ['https://www.googleapis.com/auth/cloud-platform']) + +3. Use :meth:`service_account.Credentials.from_service_account_info + `:: + + import json + + from google.oauth2 import service_account + + json_acct_info = json.loads(function_to_get_json_creds()) + credentials = service_account.Credentials.from_service_account_info( + json_acct_info) + + scoped_credentials = credentials.with_scopes( + ['https://www.googleapis.com/auth/cloud-platform']) + +.. warning:: Private keys must be kept secret. If you expose your private key it + is recommended to revoke it immediately from the Google Cloud Console. + +.. _Credentials page of the Google Cloud Console: + https://console.cloud.google.com/apis/credentials + Downscoped credentials ++++++++++++++++++++++ diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index d0d4ce70215274b2e2ad05b9a5ce70940a328d5c..590ca713ab5ed999f5545f238a7e6c86ca2f9fc4 100644 GIT binary patch literal 10324 zcmV-aD67{BB>?tKRTIw1%Qy#~di@_4Ofa>J{MD#8JJeD4pL5PY7cOTp&e{^HPyh@) z@m+X8K~D|Uf~VZtBO@(H)1PGK6?+AU9s)Yu_j_V?aTWD^6M&(7wL0(UQk+>#H{uuR4wPCiyRmUIZsDQ;{Th>`5 z?Z6-k&ad;j`(&4&(@jskc=P*~0kyv`v#kp0GTt39K6Cw(AAj5WqjgSSFudnYB>uR} z=Q#PSZL|WKHn^pIzBU$jCE+`9JDbc5>!hste9Xb)b@D}Y`6dASK4UlZT5*f|_b4zK zLXXKK)5Z!*X`JO{UrcMgk*;+PY=<~$AO&T}i8lRxSWce^9$gHu8 zZCbuT!UAr7>GmhN{hA|0n)&amM$Lq;DwImXFn)>Nuv5`v+VdWENAgn5mDrY1ieT3&Tf)i9E17=diriG;sA zvdDL)gSQZ%ZJiKc{MFxnx1FPh{697ik3jHAc8x8uA}3&P=U)y{l3tBi7vL3<)__Q@ z2X)Rm3+8MyDFk5}L~2nz7s@v%eFxk0^&V|jXqUVSe4n~wxWVAsc`ARf^2xF2ic7ms zJF~57eCGAFIY5ZZ(?~fY^O?YPESi@PZ5piFvt1F4{H5VCO!sNf+br^ShbC)|sk4L; zvLyxETk2@8W3b;r&*dIjFk_59VhO^v@~N}QAFDG(=$(7ySzTOG(6l6OzNEvS1OA_8!r zUOH=za%fHaW*CLCl}D$oU2GkQSKLLgoci*M=)5s|b>#{N_KBeP)!YKVKA*f~IL2o< zo5hEVrND^Ygk|AdMxUv|S!4$yT3+e?mO{ukbE7EhlCmD6f0#=9Y(xlz+-j~qY)nRe zH31|+2pD9&SgT?BYArr?3?zj4x|A5cOaSo!dj<=JuIogIvNA^i;KQFK=u`>-=pY*Z zOeyTyAd(F%F?$jyC9J<3yu6Ix5!_g?k+wJ>((GttSeE&PPl68R6gNR_LgXWx7utUw zS5xQ+>2P|L)4)xwV^f!d)g&jokdPLoblesDt!YytmBQ|yq|j-{eF)5`0lae9BSmiJ=4=N+ z5Z3WG2Wd)>nH&Q-m^SOz7t}mi`F%aJ;o?Hp3@vD3Hs6Ss(z8$4?I`pQ#&)Ox(a6;3S{e-;P_i|f&OQLMq5qaH-II#=IwIA~b2KEP^a>+j zL)|m2fO;@Tuy3-3gB9YfUo5(rY#c@T&~W0z5-~IMuMjy=;7Jw^#w8Nek3$E@k%Pz=^3wdIr=*zt^ zsGVzD>QLeBQKKyI*bb})=t5Oz@(+IFBf=m-)w>Yfi44%g52TDrG)%}l5xtxoTmErY z?F;DAW|m8rnT(sDObuH-7w?4v5BXO)f@QJs1<<0}?)0@n){cfnmVMSqojKzK#ZC%6 z^*r@HX5Px&wOZMpJnsoXMnW?R7YtIC01N59yIBE%c?(m*$&ub7(SVhff;l^LJNE}# z{dojIw+7Qh_7IZ!`!S*P5=l;#MN#V~B#qITN2Oi@3f9+YtMy+M%ay&Ujz2Q&WGgOI|9*4Cm-v?OZ(;qbiT&T$*)F- zT@G`w19WeTgIf=tYYe9csryMi+apTmj(fB8G1ayiMId2WLw}yLfCNn(>Er*a_G75* z#s~LPHxy|aumT;tEzcB zka*kzmJq#bo!TQGIblvRe0kn}93Uv3ST+mH>)dq3v!hA*L?|o;V+z z(Y>Y3@D?h%`_pB(VC53cR`C4Q^eWH1=+)fkg9{pz)4+)_RfptotQaLd|B@x3M0a=FdzD>6eA1IB?t0fmsH3{qMwUYd~5ha1DPME3~fc=Qs#WNEDUC)o^lgfk+>@^8*~Ly z^Md}Hc0X%UsY+>}#Z-Ny%L7w5dCOqPVRU?U^hNqm&jGCt=z#gAo2HG>XNBj^^Qd;` z6A>$k?dDi*#&&t%QNZF!)sjEJ&D#$32Fw#2;r%y{!h6YpVD-F)0HdJ`em_-BVNOR9;*vIg8JxPQmf!YtfAx9E!bnoz_Mz9sKU zY3e`ap8k}_T?L3?%ap`=+@Wh}dLV*?-I4b50RM{viXPja#fYXO6h}JGv=P2w!Rh+! zZhn$~Mtw*9Y|o#1mo#-h5E#L#G_HOT9%bAb@YYzceLa&7UJlD;x%4xU{75O^*%|`k zOX&uP88+e--sDXW?|z`$EbDJwH;O_GRAq_I#iSf9(wESXUfh!d9oYz(3p&<#c(NvS z{1;CKFIc#%izg)@*5#-32A-o?A>e5H+4+z|%A#u2%qHm3dcww_o$4&HlorV`f)$5RzG zkCnX2jM?Wo2*L`)sQXQXwn9SIL4qc)IQE%98implS=NjsZk~B80rA@T&DWB;I*!F& zCWDlexnx$B-qX%)n>9zsk`4uzAp_Z#vba#Sb%|K6{T@X!W@=$>^8|Gk{mn_IwlH$y z1Xx|oxq*4i{X?21+^@&=r|OtLQpc}ep)p^PXA75!4wm7G8y>bTRK*{{Ek+Wfiv6%^ z#@x=bpPk>~i$EU4eIID0G^*Hftstgr7y(;vIiqLvc*SfW zg-<7dfwF}Sm@3zD{P~U23+wely=@OK9-Vs3!cQL4E%jWXgJ}(Jh5Nbqx$fTkq%&Fj zMr5g5{qMAPsv#}itmRI2xp3?#I;5Kf{@P|uzH=GY29~=3+-AtJ@vnVPs|Jebo{HgO zobR|jp0(96TRB3kSSCU-&*XZ)79u3!BK?Z7IsdoNu!RRZQ`^EP zQ>{^faJ{chg&*Y415N{chS} zuBadJlCh7bh|Wi`n5yVqb$F(L5AKO`=lN_uhYSQ zg^3`WS!X)1zqH0Ysc;!%wmuND^Hl%n-KoSdz!{?_S)k`^=%=n$dkWNI1a$9itw^}e zONFw0x2yxM{h+?M<&YS*jgMGD)1(;mH5!tahZfLcq+sD$A2n?L>&I(^}%<5VE6|dKg3ToucR2VCzki8)azI3a&yYT$>rQ zYvYzD<#&cp#}N3U7<2DDDq??jMH(!xM zoqyYnh$8T6v4t6%E9@#;oN)&|vF9XYcJxTMp9Nj;b6K#2qqmzekIOYxfz?SWI?3Of z#JRDU<>X4MsnGTn1#YZ6jmA)1cTe}P*+$(E!XcgKN;Tjht2`>L10^lL2ptAXa? zA*iqSS;iPqbC)I12(wGb2vzY} z;RJvqH(Nl(pbx0ckC>-+Rvo3?JsCHuUHuJEDey*~)oP)!bUHkir+dXIF5E33PNR3OOBEyTIpL9UWOU7}hwWN_c9eQ;%C`exKaxmQ3W2C#WWe|os@V?;ClY8mXC}iD@jVH_B=5=q~eA*l$38Jkw@%)}OT*;cSYT1ZaB+5kB2Da`2;5L=kvwy~~nRXkdxo#X59g2**j zMM9n-h^qg+HS=}lzA4n=Qg`hzYLK1`(3hr7IKgiLRlNV(KR>XCx=w2_5CEuwT&`h^ zh0OR`^>(7^V2BcZSzj}oxDgcM9A(JzLzNWDE$?PL1C(MEWWWRqPdRU8tZXWg1y9Vw z+3uUYW4AoukOAkSGUdTo4l zFT5i`XCbR!_3h#F);(jU1yb@+SYlc%eW6v{>Qye!suL0S712)wF&9N&?9@wKFo6(7xa4$;0R z<75-JwA2J02*+n0yH}kFpQ1GAYiO@miqCL-T%P0h2I~>aq51{XA`px-dB|nEfV>Un zg+Q55-&VK;zQh1rotW;a38#Xr-+J;ZtY{)@P2D@9Au2rTh1SAYQzpZkqRB3oU{ zT6&>tSXc(ShfW~}(qw|;u^n&3Q8`BlFy~mM)%lhQR;3n(|B;VWv6lyx1ji$u{_KBZmD@Tu$bj`oEK8vl7b%SD6#GfAfkyCMKz8N^sO z-32=0o+xtXYx&0P2}1;K_$y;}2Qv)gs{B4Du>{TR2;)S(!0W<^GWzaYSZANCb#Ij# zI{g^!+P9D39+x<@he~b+*aV>p;i#FF;$w#E`8Kj%eRD}n*378iTiKk%&9FcD0BC25 zDir#kPDPU&IlAhACJ!BuU#sXxj&QgU5iKkgHl(KJp34w4kVRa_ht*^E`CX)NKIId= zf{12Vv^cVmBjtkzoh**K{Xv7z)Cg^h75!iaAQL+=>sKCC4(90e`tZAiDz8)tPROFH zarq9GhKP0L;P3J+eGgpF_}(xip~xfb(>D8Wp6~8SL8g!zB@=M&dfw5hDG$au#0sBk zBI)npV_*FIit1vh-JRvp?bdvwGWWzpiA%9~$&V&oXg;dVL&c3eUcdhx5U)AAiOp8P z#+q>GR~aus7Ey-Duw!uP(zXCwei&mOcYL;Wf6f$5-71nXh{TpUoyU0{) zDB}-2|Dx_nIs8NC{zP0(gX8oDg{jox7&<}!8GKddVv_q5g8fw5U#33ap042WioF?P2B@=Rfj8Lq)oSpXRAfF-wz z?SCYWAlAXgp>!z0r|^KtqaCBu%%-KPjNJzuU z^ywrr`C;5~CQAA*HpoN%b4U5Kc`#GGF&dPYm8zhG=;be8#$Tu~ zEhB5PIfcmxY#9^Rh}qhwyDM9?H-5-Wfu%%gM*iD2h4)U!!4I;q?Y@O#JIFJ10k6Cp zrwS>X<+DYavvJj2zeob_wP5esc1*t*yrRI!XS(W<@Kigf;=%ejvY~5g3{T=|qbM=; z!R4}f`zYUA?4rW-eK{_H1x%wrd)TU79aTA~Aq_4)0p7dexs1q{>lohuDY@(}uhs0y zd?)iwrbA12r-DU=w(9*r?W@)%fe%q_OHFg6iOzsT!GkOj!CM2lC}SW4d=e8P?rSsK zNaC@#zg|OLR;YWqDOZm!tj~c81?jf>dt>R*rsXWxDJ3%>m^~M($`$8TIh=P|#00le zf&dpvRzIj?LqOeH@a><=Pzkx*UrIP(`l2V-aD`a}Ms!eer;lY{gkLqV3LFH0S-=AE zL7DT7z??p_&hQIj&l32j8yzN_49eKoZ3a|(j7<+S#*Vp383c4{-X3LQs6*k|k_g4i zoOq*8zjUXB9AB|7`d;JP)5O>Rqv$9{o%;cVp1;l{+U8`xB;I2fK`7w~eaBpRdmqu5 z6AO=MEd0dL7o*aCxRgAWeAY)^@W*+o$p23Xu>59zRp6fcHc9Q)eHcg43n@923f6W5%$-o{Sj?Z26bzE76u5GY!e-M#i!XF<&0a+@vmtirp-c5U z!7uJPjOBZ#W}_$?hWa2}d15OOQ}o>tlpbrE<3@0gMa33kZrwT_&7l0}+MPxoUG_mgAaf2&HJ zcOM0&V4OwAlemiQK2aFL@a`}vGG$|MD+L=tp1N#dakg?h2ID9`eQpWdgdjjpEJcfu z$B`(JMnFG|`wP=9lZHvb^JvY4yc^H9%nFq~>@_Klg3fbg%*FS$+TVn!qCI40)Ut^c_UhF#)BTg8VO|wOVtwVY?7jE65W$)PryKD zAes<3KZ@Njxrz78p74vZ6?G>y zXZQUX68Z#@(W!9EL?^X7uQITlM>_#V)_vYQ4s3^NHjE8D^PA4^CfnP3IL!yV?C69u zkMu(4A8?Z>Q$YzqL$;dPO`$XZwd$niWV*%Kv=uhfFkbHZ@{mrkhAw)lMA+0m`ogCXDB>(7U@ZUJ0vBH953^u;HQ+nwZ+YG-*azmX!W!mXHjz^?el$rw z6DzY5U5m{($wNd+irvS`R2;2k z{$zzo3E+ z%cgtLqUj%JR28j%;ru+X?_oqIq=||>H1qdv44AB_3ETt43kUZNo!{$?;Xh$qV?Q)j z>ymVPY7OZXWoZS-+U?)fPLXdOw}**!1zQV3pfh+UO^0y2=0qcN$cFHkpKZ-e zKY!_EWdi781Gb7m(_-)>jH$E%wX_S3pIL_J4}a{tsuNuj0&K6}<+c)riEJ@KG=OJ+ zc8|ahHNDr}OiFkoIha`7rbhC>wlz_c8itHyL`IseK2jkD%xVu@Cf7O;eiY!ZatU^4 zP?)mN66_cE9`wc~+FvGZ^d0mIwV5liCoVe^bJ2NcslNk^%T3!U@eg-ti3EerZ&?up@P$viWkPTG3wKp@wIzX~ZCW=}aUd0`KxT``@)9!8lj3 zSo(>)budiR4gQmjuv^2hN(^wdQ6Ui!qX_!J!*1Aup=#6AQJV?5rikIRfHLoINz*H6 zh^mAjbOa9(=Kc*J$maezCl!`H-ZI!KjA_(D{4P$>^zaw%ma=bPK!JwUUs7!*=)xDiw@3|Vi(aT z0Tyr*y)hHtsl}KW7Zo;XHVQL*8{<;q+@Hh7bQLPZ`(quAE-(lE)(T;4UDZS>t6{8r z{I7STOmCiSGC7I}#kJ-82?HO0L={+)iP6&i z^RDLVj@ca9jvK_V%dLrI6JhQ=*Dj9$Esv-~gK7ni`}X|J$JKZjbRl7@Olw4tc;kb^ zr!|RF#hy(ekbOJ7(k8bjAsPe`fXD$eYXwXVA&I# zw-A=H^0E!_UgqNkPqAx!+cnrbwZBe3eHdKp5;>$PVb!%8(eJK0QauJRxq*H6>U=_k z)nNq~@$xPNHU;|9z#n83x{L4q2G|~!CzlHCO`m45UhWr8XV*EYm zZExye9mS$!UlO%#Nr&08yY6+HHY-=v{MT=;wfCnX?tO8IqS0)gLOOP$|2lP}iiiw? zGfQRu3q_%bW+ZCpgTJZinPLQt`=FG?P!?YCrK-=UvEZLd6&m1jBql_0r$JkrV#Prs z5ZOdP+w3Ye1;qdi6IUGsY24KCqmrc6q8H|&yRTlXPNSt<-uGh#66rPFDzKX;6YD{O ztRB=!YUXX1!j(Gfl(bnRy@yOQnOfhVr?ARx&j@#c&fx@xy2~Ap+rcSBMb}>G$ke~g zMFd4WjVsQ;AUY|`r&NiqIM+BAQ$Dxo0(c2Wx(Bop?@mg6U+U`=&fnkFrFUsR%bKkn zPwQKvi|QPk9hBdUZzIWI!~bu*=!XMJ`bG?xnzh#cM1)`_LOB$B2lD2k_`^*mjyJo< zpp;1{U6tP#!6ewp2^pv=FgatgTR>hPb(c%vkSa&JT)_YqPHSBts@^6h(P8QKE1l4m zc#sdNHfndxdLNvOxiEn>-OJX%);YvCZQ~C#12yJ?4jo%#Lyos2NH(LESQ6;_f}Zqx zCjFm5Pc+&@4+9r>RCB@tkXQvhp8RJtPi;-ELQvz3lx60IFdg@qxC|hM8282B@xz3D zfxj+y)~1WL%Zp4Et>|Ar)-7RJR6mZUm6{wf06C+tAruzcEJ}Q`Yi14t0=y!~-VwUo z08VWFMN-ujzUnlR7c>c4Oi>`y`(GOoJU^!i{=i^ytb1VtUu7N8N$Fd4+_;+Uw`gpQ zp)9*2Ofj}C>IQ^%hZd>`)jwq`yj(_rC1wTocK=fYoW;j&~XJ@&{Vykh)oFms^1kNr*yYsje-I5@qK2U&hv z1+<_}XIC$s9g~875o2{obp=c7Llj|2>P`uSkk{LJW*y`%bVNTQyj&qYr6 z^E$|#fXtd3>!tG*aB?w{try;Z&YsLqcnCVpa%Pe{RgpqQDxF&xue0Cm8>7zr&jO>O z$P~<(FVOZh?5W6qR?Z}@f(?OZzK&O9-b1KYro>CtOk?SO6LBW{YlZeOI%I;ogzOH@ z7|x^<$s()nCbGr|?ox#?L?)rOrodS^<}veJz^+T?(5Q$8 z+%d0_gKg}10@bfvAGz5+CItXG`syUZc%}&gELXvZe3C(%ZQOr;`!;}Z0v+qrGQHCY z*sLCGhvkI7%4dqO<;WYJDgy*K@umalZ^ zHnWifP0^$nYjpa(IPi)SW=g_xw6&gTu}c&^*=I}Tx#Q0*r?=eohb4Nk#`>sgtJVG};rj_1nF?!N0qbxnEl6 z_qehNu(9diEsIICY8IUv%aSgS$$ra}h>xNC>rYN m&YP_luy5U4aSw`-i!b3jv#Vjo@(D=am}yYWdv;9xi(77XG#OO@ literal 10324 zcmV-aD67{BB>?tKRTB=7ARqYKSue!^v8FBPuiQZHfR?}L?nJCi$85|hxj+)CPyh@) z@m+kS6a=|>GT?B0qh=)zoy*n05^k3h|87D(f11Cg9G5|`>V3V~%LA@C;!gx;gmD0& ziG#mDZfQk}@&X5@Np*^m+;!B_Bvi}ig+gUsIp@BzPH9VN_6oRkj88!r7{5UUqPH`^ zVKgWk*Qj?LTW(nhLap#gls<_E`rQtS<<($#!gcf`2;dX!#T$IjbHk~YHodmK;fAy|x1j=<$yk_y= z1s|zdgE$T&T!*ZFLDH9Z>9Rz1wDwAT@1jN)nWWRodna|w3{ezl9{k!CRBlL5N+oSR zu01z`r%|w>P?iP{39-2}5flD4L+Ezd9pAyP7deF*J$Y4jISKjU)m!`<;^=*CHWeC3 z{3St>t3ZG8+yJ!Bo)887NI*93S7GZo?Io2NTspKI6TG%}E7~z=MdrDj!ehbG5}ZPa z+oryP9*%*{?_w(U6z={;K0tRerjdH{4mA;mutf+Ps3f+Nj<`K}ulFNX#B8W`Tfr00BtKkQLGuGG`$tYsbPE+{0-4euoC4=Um#=PBk_7sVe# zH`+FQN|utf5u3HIk|MyrunD!_2#}MG*CrbY#780;NqVqd8D?WnohIAXaX6Cpep|~B zFD%HyQ^>ZQ%ah3#x4OE9$c!a>6BXAEXkc%9=n6|9ook8>Y;wXr%pRNO*HjN9$iYFA zn8=yfx0A`|VaF49L#=r4f{Oz~fCiL5$cT}xa0QPg4JD6W`w<#&GZ%H7S$At08Z#fI zOr8ZN*n_F3ljP*0*@KBF1~otPU${opoFF}WZohG>CN}Tup_ogSBP_}>u50L`BLh?| znRO9GYSUJFlNEohaMahs(^k@-6y z5sxeW?=p!i{;CLhWB7t58yLrFhQwS9GM@Upq?mV2@Ac|95}osT_Q!^Un&m?~)LT@& zKkh)0HX`ruZ;N|lM%IfF(0CL@upX8v<+kw%2?4#nwnL1xV_hT#+y^X4HG~)~Eupce zDgI;Lo!iq0F8!dGUarU47C$6tEOwzAaS=xzYp!W;s=~U>|8j+W3ki>g-Sfn^1my!H zkmS?<(8^G0F5rpRKFo*HDdj&Pi2la%rV~`N-|LP?KJkU8jk$3q1mPx}Sw9IicNxfy zejCzppvLANhkWlW$4C-$_5|VFtso=VvFlU?NX7K|1&U|=d&;=| z=FB`uj_{=s9isEyhdHhH%S=gE!RbCG-TLuwG}LK!=ZG8?|4@Kq&o7#g>6hdBMD4;% z0iSW&)P`G*-v@q{$utjm*h}}{f8a-*tz!$UOu7zdwim_(?Z8)kHqluyvd zFuT`d@VHAL45iU@idYmxY^atp;dYXN(T|LyV$>WFRw@e@l9G|z^=I(f!y99aTSFf{ z!rt^A&sHYSrUMjCdBr?POjd&$nrTXDBr$o2c5hKTK0Y?AFXDHLExZ_lv28BELitkE zWJD|1UC3?~OnlD)8n{b>%*U^Nlc~~)x_|{)cH=MPuM<976p*8-l^@k`L^3u!XuPIe zf7OHqsbZP5*K0KPQ}I3l&`UfOh3Vo@vSEmy(ei7uWNItDV-DpRm(`XWNmz8bd@ z1dci801{QVeF&DK&k&N$>4?S3#(U3umdwqYVtICrh(F!;=KRF|I1GIh z2I-DE8AeI-?dB^AHM2pMAbL3-D-LeIk3e4BgAWt#cQHr$UnPTQRTfdPgP_r+IPOyO6NX zmcyzq-QL_oX2}Dt!_>)c?%O%c0k;%C#=``b?;_*Lc2NfVBt37A4X+Kf?i8**v$YFQ1pVh{GG2YU22Z za;4sv<1Gd^CdFSLeUC?QQcH~pVcM9>)hc#W%mSiJj4%4%HSIyyFYpwY%7yZ&2+UbRC~TFt3CVd4ahN>F^gK4P z+_EWB%L$o$zOH|_-lfigg3G1rNRKHI>|lc4&$d2bUo zOZDW2nJP5&)POg!MqeVzRJTa+gur@w$u*W)Rb;lfOnU(5^RN43x3Jh4Cf zxTo?1>>(K&v%7~xhIJ5oOFEH5^718KtZ@YDpXzB^IXf~B{6?A#1POQGtsXQR>q)X8 znoPu{MpwDFqd%UR9Zu7dpd7Se=k-%$l67_P zfEGA28)K>ydJHEReCKeE*@4KrUtEs5Fhf+;UN6{A$aw1ybUPi2jlLX)xl|)vs=l21 zw3*ye1quJMRT=*oofe3bG+1ie4@42?@xv78#s3~z5JaIGty2n78|*Kxwoxoy%E{%y?@AOZaM)0{evjqSMPRMvbwG4H zm_~8v4N*c2u|X)%CJeO+AW*u)8osxbjJp$aMv>~pX-xNGnXHuI+-IX-+35e)^tS!o zDxlV1V{B6n+){RS2!GbI265ITv*PLKR09oGxVVU0=vfxC0&W7yrW{IV8v3}=rM|Rv zcYoNoo-|lOxyjdOXXURkjd6pd_GAQ?q$TFI%``&Eh%vhbEV)0VWVB#ZbL>dp&5faN_MiQj)Z* z{<3bUlhIjwBd*d*04H4uO!iplck*~}7R^$ty$D3blimxp>ZZVw-tvyjEZwFLI5@I^Vm&mSi{2oD~0NZA<=Ao`A^>(W!s&jr`^ zNqGex^mas`3eLeP#68I1PbCabecPIHdcfH58LGZ{p}RF-qqSblSL;k~m-1ZA+fd;3=xCb>3yL3Pi=o8=;K)(tPSNeeRnU1^^+JcoGBiB%m~mTJBz z5_WTPPeh8Al+3B41D`JJlFVVyT2sd0_52iD-&$iP(;@b^tMj6cLvyl{G4Vaqp=WSl z&V96h@w|AR1uw{Hz1zaCZ zt;w{#-?9HTaWRT2goI#`@!LP2ymOw{3RDq&2)(uLodn>!Y}1 zGQsObJg!e52#LC{P8Guz-A+dm&v6D+FEuTZ)=;Zv>$chE z?SqR#bi;7tG(O_kH}t&+Irs!pdguan_+&e6Jeg`FL)RFK{Tyn@} zo_TXRExiAeyOD1sFVt4vD@$IclR)ruQ^7*UhvKhc=lN+_qsbrrI7|pzs#j@lWfY|u zynYqaL976A)QT?8O6=#gZe7pX7~EHfzd1lk2w1AMEGPVT-X$j3i&+yRfMta;s0tgjJcGj@X>$fi!2<4tf$fj zaT5L&lfqn^z3ZexFgX9WgHYX$Jy~Z`-dq=7H)N$|6nZ=2gT(zKDtb_!9qlR0=hZ{~ zD4$XiUHow5p}B(6#{yUf#!1V>hgGIY;7h|)LzL}pFKf=g+#tG%Zo;<3_gaDZ>C?Lb z?Q*T*lHH>roHp~cW~Z}rOjomW;>T-3iJZPonnO!efIF>!oV)nMz@4ewht2P z2Ja4It!Dnq^sKPvUGSrNXd-4Gt>HrKu(i0FT9ET4v$;XNIim2(ij^wta_c8?6cbg$ zID7GXF@5`Ww-8!)%)c^8(bst~+X zC0r;3Le?e}FcT*c#Ec^N9;}dEyC8U?+q5Y`3jwDFE1dqUd`{@Fm`@?v16QGrZ6sKD zEu@a>Hivx684Oe(K)4q}we2C_7dvy@@u`lCnxJ=#RX2&?B%XoRAszjN>{uAU$xLTh zPPT}Ivtri-gcY6@1uzEB?@ZnyWmUp+7^eIJzB?Saqhu2DaD^7M{JYkpxt*>Y3**K+ zPXYdb9}XHLSXO%Q(e;+%n?+UHO%=Dtg+;_fxO35z?z#ktRzf9VujFgZ!`Wbidr7#s zu!GSX>HT)L(FB;qW)Ss>!Y>(5#|Q&@5~nYkLKrQy^o}UlD=_j)I;&mE=gvXi-M9ik z<~jl6$f2J*J>Wx}V|BpJ?}QuSCqQa7QzZLmQZFu82?sygtn9-BHw2MdHUAd+EDDgy z=Tuj04{i(yanGa1`%+1Mi03z63@IF@v0}4N;u|vyPqbkU0(F_;v<+VTv z#@#W!N$;#-#|zN7M0pjd@yAT1JeRcgi4aF6*0}zwjCTQ2^r&xb*^7RH$r9OJPLDL) zyk`neUbS+=3vla4Xgc9{kWQScWSaGFFnx&*Lq+IO;Off!*POE_Ha(pD;jNl>-!rG1 zZ}qnT^2^Avr|cZogwb$WnMy7?8SLBty`&D)KFnH^(Z`QP!lB|yj_qGQ4fM$8+&AAa zq#hGQ%L2yI2aquEUmdicfT1KrxJWmN&BAmia}h3#Ka8I`x=;=r3#^4hs_E;SIt%Vr z?0E7Tol~qn59s7V4w&i$967TFKO;j(1)Ogh1N;t|FQjWA+{KZ7x=C7T5caJo(sE?_ zs1$IWNW`2481A<>1HzE+c;`E9C(UFGt4;mvnLLqs+}G+&G&pdAVx+?f^AH)O>QfeK zEuc2yYR@~nU_fW`DXWEC!08h7x0yX}WYWI1RBCg+M1M{AkoT;Wkjz`*W-jVPg2>Qn zpA)E`EddJa)J(9ZMqt_%kWFaFvg`9{W-3kn%_oUxVrOT`Opk4IG@^1`q^ z8{w=;p-*79lyyh8y*;-qzgdng{TccToes2kI9PtzDxAnZ74<gbIK2g%0g=$p6?-=0;F*3;So{U_& z&F%nGONyLO+>FA(xV5&6z)H}L7vKA?7N^CDwJ_!0e&2u6MWZ<9u= z4fr)&05R_WPSgx%=+-I`VQMU`+ko664Xr zKwc&uHY>GQ?NVQ}0p>d;Fl7MJNy65&dElA8}QnET-G^d<+()q$7ri`j=Ci%x+>CQ)Tlt z@+;L8zAQIpr@P~ohs-&ykpVimpDZ$VNsdV< zgOu0IX#YU{fGZW*rF6Wn_-*dZDR?fGx~M-(%3V#LhTCWCdi(yzCQ-;TU9jyT^gLMO zy$pv;qEG8a@vx!{1G3+ap=EHI^0n*;GwYpME{6|SL%u54Jd%N8==4^8oe2K0|043P zs^u>#YA9LatL9Rqm_<(6&_4lkG$tt#NqGV>brS`QD=VnNrgSILd6%JgB_qIBI$Mr8 za9XnstY5>qB3CRzEvQ*ByJ1Gd&k)!8)8IOc`^fCU8a7l#B?deKd1~Hd^q@azkdHFT z0J6+)xOHb|<*+9X3smdu?5Z!~gzR<{yqY>HHMS}zJ)Q%ld=)7=$VNrX`_yOW6do-} zsPqxyE|5-toO7nHF%=L|KyKXoQ_Q>ZNx#B^_tR?%>&OA4nd}By6K|gaA1P&@2FQIg zcRbH&!ye%j2UQQLcO^b|S3aQdpqCsNp}FLe&l))}3lRK2le#Y=n0Ou~&IPiu&vFhT z5058EAK+(PmdAf8cGO^?P{wzf!PIsvZyr{YhZPZ2pYj=lFRMF)>^P1^=uX+ct%c{S zDfjLGJG^Te${`_E$7C{ExEZG`C?`*J2rPPbr2>Tpekf_WI1B;g0q z6Bk77ufk-pNs8b2PYN7lanh~Gh%iy(B{v(7>sh<6GzWqE&L+>T$&f`VPFR9I9$Rh( zEUv;Tn29h6KB`|~R8){EzCBZS#4pgz&HBIdA$U)nd#K-J(Kzwi!wUP5DO`cD3FXK?uQnkmxetxt7CLQmg{ z)-+h;*1|oB6C%Q&+x3jd(BPUjlAOCaxk!-M0CgYeKj*XuThQ(Nk|9s!@dTYW8+Hon zX5ZAhPue?g>8n-R7$2Bc5fv{5K9irj>_N90M1D~xe4 zG*rNBb+AG`<=`f;fcZnRQ&qIl3nYvyu->~ZAVcWJbS^9F)>dgk;QZ(ipE51Y4@ljJ z9=cdam{cDP26EG}xfX!g#{1oZ{hw{(_G2(5(Q^uD5#uq`ML;j4CD!-+bVoJJ`eGYR zFIU0(7_Ly{Ix_=6ZKeIATQNycIgszj6n+yj70{q5Kmd|veQLa& zWk2M7-K|3E;n0u8jz(D}U{Y4Yp>h-Xb>8pqzVU@Kal~$88$?gqFeF|qQNE`EVZlK( zr(C((95B}=4>i9e1*7Ke?gzKKQ1C&5x=iW^>L=K#Vuw3}F6)vhNHbjd2@yhm7^-s% zDN4)~E29u&AezN%|BT%6EWrSA5VQ%V4tWnEsx4#@xk1p4zv?%hq%sP+qG+0=?Ju#4 zpjE?cfq(7F4|NHcBAL(OWw0Z!q%o&q(@tTf`}$B~@qYvH%pD1U{$`Z5WW2F#L(#i z@|a5`&|_p6aO{Vj($)bOb8bD)A-VB;5#-wiMlXs?Un8BjiHhgL4~6E%`k42CQG+NK zxu;N>o^6wjMoONX@5H+iH#ygHEW{MBMqX^*o|0biwAt|+L=!I(YEbgXtVUdl^LgKc zW{9FLFpDI~+0-{OwBFWA&a{T_5OrNA&d!B>2KWT z6@e@l@O^gxFp986l~jjc zv=@Uo-ob*TWxq#_yJ{b_?nJJ6o`!lAh5gbxWDs3^`BymgQrCgN+{V2_4&V2_6Qa!a z+#-FBRuvY|>}}j-he~+6Ajwv|t~I5^tuc;|%mz&z?MElg?1X`0*C?BF|D1ML)pW3E zWfYIz-S8`HL_I6=hOai3bSSzdMsYR|EUFwQHHyB}qkh~m2Q7%fI<6TK-#M94T1IP1 zg%Afom0Xo5QzIghby*!1+8-21R=Dvk6G%%JF>Tl5k#*rZkMlTIcle?4?D z3D;Wq>2^Bd7Xx{i)V$+QGvW6vJ!Lbs`V03>u3b(n*&qP{RC9BgIF6Sf>IH~JS`{H4=!@qrjvYH1S*S@qsV3>#fqx$5)=I2k28 z1eKUG<$whq|ru{+^~`dMGRAD_5f6+J>xPt zAL&o>o7@myt=iB86KBMZ95n;k)w)LdKQ8z^JZ^}@t^4a@J(b;S={MPXem8O#B`GmT zF2$M$Q%5EToMB3*!TGxpXgmtATsc><&so(}KuF(HpJ}<*s(^Gb0G|Y(=BnG;sioB{ zBmkZ0pt<3UxZ|EvTDSuKDg2rMLasMj(F0aJLgdMD?OUn~XtW!E4^~zsHsVML)=ySX z(pk@GE)Rijgo-dI2FkGHw*dT(d8P`qA3|Nl$p(ag4Jal9c{g5qd8(wf|j-Y2Q&fHM@UV1vg zfWNpYH2A7?SV{mu6>71;BhcYgPSW;Jo!*GrU&SQfHELvdVRt-^S=Us|l>ROMHd!@w zy(5l@s4_I(sjUh2r`-|#%(>fVB>r|Tl&7RMNCGqx;+^_KE78-^c>ho8D`l$xcnjr|GUN`WV&~AYgxVUGyO_(>o*zA)Y)}GKAL19JcOpn zRi@AI>LuLXrr=2?%$TA73Tckc2op}lQ95oy<0IWp7Ke;@!E&6NytHeFLT)Hbd)nZG=nDvfq0WG8L98z$llNn2vF{I22kSeLJE%Cpt`o-l|2H7YFv z*y1uQs`@a~`}G33c$JK=UGvMqOmQuJHMzY)8G(t?j6#t(zO>U(LMVvgcs?V%gg3WQ2TN%U}Cw?4z`=|c?y=4EOdkc>pO`@2(8Kt1xpc50f)M%x2w zDLP)_X&;~7C!){GjTz>OUnfbs)*qJztvn1Wgv1G6?znF#7WA+$F9H5zb>6b2V*n5MxWyoV)2{2o&Jd z3Ezl!z2tQW&D_x|$Sm&8IGs7DOQ|yJ!KTuSli;rltyznemBW5fjd0jd8oa*5g>F}g z?h29kJjWzG^zSiO2&IR)*o{uDe3Mu662USW)Yw;|OvF%vUO`A-TF$3j?&jH{M7ot! z8`!S~Mf*IwLF=PuJa|yVGC(abwCIt9I!abjupX!jE$GPgW;}@?hvYVP6l<83*$;`@ z0p0@O7xvVHt!*gpMJT(MKZ0TebqLE+q%szLp#)fRl=K!voC8SIx8`pVGV=FMYvTPt zwj<#<(4Ni#0nn^3X?bpL{#i zpE$xpr?_BUue3%nzCwlvZqL{lA0Xqg#Av5DWvcp1e=%(}2X8MJ77_l_!p*N4@PrFL zK+B#8OEQ{1_=l^Aj}c9!1bl;EZ?;6zG4r4+>9wM-W#CQ9xT5Kb`!b;0f%_gvwrb%V zx;FOs@o6JM&g_Nx4Q9r41{xF2rC&9Q@3aVvtNwa+s*tUv-tdeFRV_WH$HYdM(q@0C z8Vw^4I7H>iGc#q=d6pc|b(e=b{6xR{QN5nw6ut}c+u#bQf?H?%GZB3h4RjQ`A;$un zWq^g;ozs|_dkWe9g`YOePdZ2OCqb|}cpYnvpKGyDrAw)i6f)4Q$Nc#;PV*W?IU&7{4wWe0)vG{O?Jo6^2B5~t>fdO?VuNinfg-#*yczl3y z3B&LaQ0Fq~4mrEZ@eYUG)Th2*bX@AZFy(ZEe8~c@|H&*;4xlE)*u-0vN!!RCP-g3- zrBpB38)Sy_L;th7K%UNG23@WA#?6N5IUwQl0aR*?9DI31J@kcHk1nYZd}Al0=xcUY z18rpb5jIbt3N4he^@Z~-b@JpMhBN#NkQddfFkqCz@GzSt8RsT^f#tUFtu*R5|_8gcR;#12X6 z)9#xcEtb{S-Cz-)Pu6KZHp$|b$Uk!HW!8yUfKTGsiw^!e`wwX8)5ZUZwZ07=|Kj=8 m9O!7cdvWG0EtZV)a>mKNTz~*IydwZmh0JSYD!Pn;xi>6lHVr5M