feat: Support External Account Authorized User as a Source Credential…
… for impersonated credentials in ADC (#1608)

* feat: Support External Account Authorized User as a Source Credential for impersonated credentials in ADC

* formatting
sai-sunder-s authored Oct 17, 2024
1 parent 484c8db commit 875796c
Showing 4 changed files with 36 additions and 0 deletions.
4 changes: 4 additions & 0 deletions google/auth/_default.py
@@ -472,6 +472,10 @@ def _get_impersonated_service_account_credentials(filename, info, scopes):
source_credentials, _ = _get_service_account_credentials(
filename, source_credentials_info
)
elif source_credentials_type == _EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE:
source_credentials, _ = _get_external_account_authorized_user_credentials(
filename, source_credentials_info
)
else:
raise exceptions.InvalidType(
"source credential of type {} is not supported.".format(
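Review bot: The new `elif source_credentials_type == _EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE:` branch passes `source_credentials_info` to `_get_external_account_authorized_user_credentials` unchanged, and for this type the dict carries file-supplied endpoints (`token_url`, `token_info_url`) next to `refresh_token` and `client_secret`, as the fixture added in this commit shows. Whether the helper constrains those URLs is not visible here; if it does not, a credential file from an untrusted origin decides where the refresh token and client secret are sent. I would confirm that in the helper and add a comment above the call, e.g. `# source_credentials_info supplies token_url/token_info_url; load only credential files from a trusted source`. The enclosing function begins and ends outside this hunk.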
Binary file modified system_tests/secrets.tar.enc
Binary file not shown.
@@ -0,0 +1,16 @@
{
"delegates": [
"[email protected]"
],
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken",
"source_credentials": {
"type": "external_account_authorized_user",
"audience": "//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID",
"refresh_token": "refreshToken",
"token_url": "https://sts.googleapis.com/v1/oauth/token",
"token_info_url": "https://sts.googleapis.com/v1/instrospect",
"client_id": "clientId",
"client_secret": "clientSecret"
},
"type": "impersonated_service_account"
}
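Review bot: The `token_info_url` value in this fixture is misspelled, "instrospect" where "introspect" is presumably meant. The test added in this commit only checks credential types, so it passes either way, but fixtures tend to be copied into other tests and examples. I would change the line to `"token_info_url": "https://sts.googleapis.com/v1/introspect",`. If the spelling was carried over from an existing fixture, correcting both together keeps them aligned.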
16 changes: 16 additions & 0 deletions tests/test__default.py
@@ -153,6 +153,11 @@
DATA_DIR, "impersonated_service_account_service_account_source.json"
)

IMPERSONATED_SERVICE_ACCOUNT_EXTERNAL_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE = os.path.join(
DATA_DIR,
"impersonated_service_account_external_account_authorized_user_source.json",
)

EXTERNAL_ACCOUNT_AUTHORIZED_USER_FILE = os.path.join(
DATA_DIR, "external_account_authorized_user.json"
)
@@ -365,6 +370,17 @@ def test_load_credentials_from_file_impersonated_with_service_account_source():
assert not credentials._quota_project_id


def test_load_credentials_from_file_impersonated_with_external_account_authorized_user_source():
credentials, _ = _default.load_credentials_from_file(
IMPERSONATED_SERVICE_ACCOUNT_EXTERNAL_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE
)
assert isinstance(credentials, impersonated_credentials.Credentials)
assert isinstance(
credentials._source_credentials, external_account_authorized_user.Credentials
)
assert not credentials._quota_project_id


def test_load_credentials_from_file_impersonated_passing_quota_project():
credentials, _ = _default.load_credentials_from_file(
IMPERSONATED_SERVICE_ACCOUNT_SERVICE_ACCOUNT_SOURCE_FILE,
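Review bot: `test_load_credentials_from_file_impersonated_with_external_account_authorized_user_source` asserts only the two credential classes and the empty quota project, so it would still pass if the loader parsed the wrong target from `service_account_impersonation_url` or ignored the fixture's `delegates` list. Whether the loader forwards `delegates` at all is not visible in this commit. I would pin the parsed identity with something like `assert credentials._target_principal == EXPECTED_TARGET` (placeholder for the service account named in the fixture URL), plus a matching check on the delegates if they are meant to be honoured. The second hunk ends inside `test_load_credentials_from_file_impersonated_passing_quota_project`, whose body continues outside it.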
