Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings
This repository was archived by the owner on Mar 6, 2026. It is now read-only.

Commit 8dcf91a

Browse filesBrowse files
amtk3amtk3
authored
feat(iam): Support the mTLS IAM domain for Certificate based Access (#1938)
Update the IAM endpoint so that it supports the certificate based Access control
1 parent db17a64 commit 8dcf91a
Copy full SHA for 8dcf91a

1 file changed

+29-19Lines changed: 29 additions & 19 deletions

File tree

Expand file treeCollapse file tree
Open diff view settings
Filter options
Expand file treeCollapse file tree
Open diff view settings
Collapse file

‎google/auth/iam.py‎

Copy file name to clipboardExpand all lines: google/auth/iam.py
+29-19Lines changed: 29 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -22,12 +22,14 @@
2222
import base64
2323
import http.client as http_client
2424
import json
25+
import os
2526

2627
from google.auth import _exponential_backoff
2728
from google.auth import _helpers
2829
from google.auth import credentials
2930
from google.auth import crypt
3031
from google.auth import exceptions
32+
from google.auth.transport import mtls
3133

3234
IAM_RETRY_CODES = {
3335
http_client.INTERNAL_SERVER_ERROR,
@@ -38,25 +40,33 @@
3840

3941
_IAM_SCOPE = ["https://www.googleapis.com/auth/iam"]
4042

41-
_IAM_ENDPOINT = (
42-
"https://iamcredentials.googleapis.com/v1/projects/-"
43-
+ "/serviceAccounts/{}:generateAccessToken"
44-
)
45-
46-
_IAM_SIGN_ENDPOINT = (
47-
"https://iamcredentials.googleapis.com/v1/projects/-"
48-
+ "/serviceAccounts/{}:signBlob"
49-
)
50-
51-
_IAM_SIGNJWT_ENDPOINT = (
52-
"https://iamcredentials.googleapis.com/v1/projects/-"
53-
+ "/serviceAccounts/{}:signJwt"
54-
)
55-
56-
_IAM_IDTOKEN_ENDPOINT = (
57-
"https://iamcredentials.googleapis.com/v1/"
58-
+ "projects/-/serviceAccounts/{}:generateIdToken"
59-
)
43+
# 1. Determine if we should use mTLS.
44+
# Note: We only support automatic mTLS on the default googleapis.com universe.
45+
if hasattr(mtls, "should_use_client_cert"):
46+
use_client_cert = mtls.should_use_client_cert()
47+
else: # pragma: NO COVER
48+
# if unsupported, fallback to reading from env var
49+
use_client_cert = (
50+
os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false").lower() == "true"
51+
)
52+
53+
# 2. Construct the template domain using the library's DEFAULT_UNIVERSE_DOMAIN constant.
54+
# This ensures that the .replace() calls in the classes will work correctly.
55+
if use_client_cert:
56+
# We use the .mtls. prefix only for the default universe template
57+
_IAM_DOMAIN = f"iamcredentials.mtls.{credentials.DEFAULT_UNIVERSE_DOMAIN}"
58+
else:
59+
_IAM_DOMAIN = f"iamcredentials.{credentials.DEFAULT_UNIVERSE_DOMAIN}"
60+
61+
# 3. Create the common base URL template
62+
# We use double brackets {{}} so .format() can be called later for the email.
63+
_IAM_BASE_URL = f"https://{_IAM_DOMAIN}/v1/projects/-/serviceAccounts/{{}}"
64+
65+
# 4. Define the endpoints as templates
66+
_IAM_ENDPOINT = _IAM_BASE_URL + ":generateAccessToken"
67+
_IAM_SIGN_ENDPOINT = _IAM_BASE_URL + ":signBlob"
68+
_IAM_SIGNJWT_ENDPOINT = _IAM_BASE_URL + ":signJwt"
69+
_IAM_IDTOKEN_ENDPOINT = _IAM_BASE_URL + ":generateIdToken"
6070

6171

6272
class Signer(crypt.Signer):

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.