feat: Support external_accounts in google.auth.default() & google.auth.load_credentials_from_file() #635

Merged
merged 18 commits into from
Oct 30, 2020

bojeil-google
Contributor

  • Adds implicit ADC support for external account credentials via google.auth.default().
  • Adds explicit support for external account credentials via google.auth.load_credentials_from_file().
  • Adds optional google.auth.transport.Request argument to load_credentials_from_file to facilitate retrieval of workload identity pool project ID if determinable. This follows a similar pattern set by _get_gce_credentials method.
  • Related comprehensive unit tests have been added to only the public methods (default() and load_credentials_from_file()).
  • Updated constructor invalid argument exceptions for google.auth.identity_pool.Credentials and google.auth.aws.Credentials to be ValueError instead of exceptions.GoogleAuthError. This aligns these credentials with service account credentials behavior.

busunkim96 and others added 18 commits September 2, 2020 14:55
Co-authored-by: Tres Seaver <tseaver@palladion.com>
* chore: updated CHANGELOG.md [ci skip]

* chore: updated setup.cfg [ci skip]

* chore: updated setup.py

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com.

This API is deprecated and will be shut down in one year.

This is used by google.auth.iam.Signer.
Added a system_test to sanity check the implementation.
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
* This patch for </issues/501> includes the following fixes:

- The access token is always set to `None`, so the fix involves using (the access) `token` from the saved JSON credentials file.
- For refresh needs, `expiry` also needs to be saved via `to_json()`.
    - DUMP: As `expiry` is a `datetime.datetime` object, serialize to `datetime.isoformat()` in the same [`oauth2client` format](https://github.com/googleapis/oauth2client/blob/master/oauth2client/client.py#L55) for consistency.
    - LOAD: Add code to restore `expiry` back to `datetime.datetime` object when imported.
    - LOAD: If `expiry` was unsaved, automatically set it as expired so refresh takes place.
- Minor `scopes` updates
    - DUMP: Add property for `scopes` so `to_json()` can grab it
    - LOAD: `scopes` may be saved as a string instead of a JSON array (Python list), so ensure it is Sequence[str] when imported.
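
The DUMP/LOAD handling described in the commit message above, as an added stand-alone example (not code from this commit or from google-auth). The function names, the trailing-`Z` timestamp form and the space-delimited `scopes` string are assumptions; the point to note is that a file without `expiry` loads as already expired, so a stale token is refreshed rather than trusted.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: oauth2client-style expiry is naive UTC, second precision, trailing "Z".
EXPIRY_FORMAT = "%Y-%m-%dT%H:%M:%S"


def dump_credentials(token, expiry, scopes):
    """DUMP: serialize token, expiry (naive UTC datetime or None) and scopes."""
    info = {"token": token, "scopes": scopes}
    if expiry is not None:
        info["expiry"] = expiry.replace(microsecond=0).isoformat() + "Z"
    return json.dumps(info)


def load_credentials(raw, now=None):
    """LOAD: restore the fields; a missing expiry is treated as expired."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    info = json.loads(raw)
    expiry = info.get("expiry")
    if expiry:
        # Drop the "Z" and any fractional seconds before parsing.
        expiry = datetime.strptime(expiry.rstrip("Z").split(".")[0], EXPIRY_FORMAT)
    else:
        # Expiry was never saved: mark the token expired so a refresh takes place.
        expiry = now - timedelta(seconds=1)
    scopes = info.get("scopes") or []
    if isinstance(scopes, str):
        # Assumption: a string value holds space-delimited scopes.
        scopes = scopes.split(" ")
    return {
        "token": info.get("token"),
        "expiry": expiry,
        "scopes": list(scopes),
        "expired": expiry <= now,
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    ref = datetime(2020, 10, 30, 12, 0, 0)
    saved = dump_credentials("constructed-token", ref + timedelta(hours=1), ["scope-a"])
    print(saved)
    print(load_credentials(saved, now=ref))
    print(load_credentials('{"token": "constructed-token", "scopes": "a b"}', now=ref))
```
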
* feat: asyncio http request logic and asynchronous credentials logic  (#572)

Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Fix #618. Removes aiohttp from required dependencies to lessen dependency tree for google-auth.

This will need to be looked at again as more folks use aiohttp and once the surface goes to public visibility.
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Refs #595 (comment) 

I see no point in checking whether someone is running a version of https://github.com/pyca/cryptography/ from 2014 that doesn't even compile against modern versions of OpenSSL anymore.
Part of #579 

This helper is used with '?recursive=true' in one place, and can now be used by
IDTokenCredentials for requests with query parameters to the metadata identity
end-point.

This change will allow making requests to the token end-point with '?scopes=..'
query parameters.
Working around breaking change in 3.7.0.  See:

pnuckowski/aioresponses#173
…auth.load_credentials_from_file()`

- Adds implicit ADC support for external account credentials via `google.auth.default()`.
- Adds explicit support for external account credentials via `google.auth.load_credentials_from_file()`.
- Adds optional `google.auth.transport.Request` argument to `load_credentials_from_file` to facilitate retrieval of workload identity pool project ID if determinable. This follows a similar pattern set by `_get_gce_credentials` method.
- Related comprehensive unit tests have been added to only the public methods (`default()` and `load_credentials_from_file()`).
- Updated constructor invalid argument exceptions for `google.auth.identity_pool.Credentials` and `google.auth.aws.Credentials` to be `ValueError` instead of `exceptions.GoogleAuthError`. This aligns these credentials with service account credentials behavior.
@bojeil-google bojeil-google requested a review from a team as a code owner October 28, 2020 05:11
@google-cla

google-cla bot commented Oct 28, 2020

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment `@googlebot I fixed it.`. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

@google-cla google-cla bot added the cla: no This human has *not* signed the Contributor License Agreement. label Oct 28, 2020
@tseaver
Contributor

tseaver commented Oct 28, 2020

@bojeil-google Please rebase your branch against the current byoid tip to get rid of the extraneous commits. AFAICT, the last commit is the only one germane to this PR.

@bojeil-google
Contributor Author

> @bojeil-google Please rebase your branch against the current byoid tip to get rid of the extraneous commits. AFAICT, the last commit is the only one germane to this PR.

Hey @tseaver, I tried to rebase last time but I am unable to get rid of these commits. My changes are currently targeting the temporary byoid branch and not master. If my understanding is correct, I think these should not show up when we do the final PR to land into master, so it probably doesn't matter that much at the moment.

@busunkim96 busunkim96 added cla: yes This human has signed the Contributor License Agreement. and removed cla: no This human has *not* signed the Contributor License Agreement. labels Oct 30, 2020
@busunkim96 busunkim96 merged commit 7db0738 into googleapis:byoid Oct 30, 2020