feat: defines google.auth.identity_pool.Credentials used for K8s and Azure workloads #617
Merged
busunkim96 merged 12 commits into googleapis:byoid from bojeil-google:identity-pool-credentials on Oct 1, 2020
Co-authored-by: Tres Seaver <tseaver@palladion.com>
* chore: updated CHANGELOG.md [ci skip]
* chore: updated setup.cfg [ci skip]
* chore: updated setup.py
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com. This API is deprecated and will be shut down in one year. This is used by google.auth.iam.Signer. Added a system_test to sanity check the implementation.
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
* This patch for </issues/501> includes the following fixes:
  - The access token is always set to `None`, so the fix involves using (the access) `token` from the saved JSON credentials file.
  - For refresh needs, `expiry` also needs to be saved via `to_json()`.
    - DUMP: As `expiry` is a `datetime.datetime` object, serialize to `datetime.isoformat()` in the same [`oauth2client` format](https://github.com/googleapis/oauth2client/blob/master/oauth2client/client.py#L55) for consistency.
    - LOAD: Add code to restore `expiry` back to `datetime.datetime` object when imported.
    - LOAD: If `expiry` was unsaved, automatically set it as expired so refresh takes place.
  - Minor `scopes` updates
    - DUMP: Add property for `scopes` so `to_json()` can grab it
    - LOAD: `scopes` may be saved as a string instead of a JSON array (Python list), so ensure it is Sequence[str] when imported.
* feat: asyncio http request logic and asynchronous credentials logic (#572)
Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
…d Azure workloads This will subclass the abstract class `google.auth.external_account.Credentials` and will retrieve subject tokens from URLs (eg Azure Instance Metadata Service) or a file location (K8s KSA tokens). The current change only covers file-sourced credentials. URL-sourced credentials will be covered in a follow up.
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info.
busunkim96 reviewed Sep 30, 2020
busunkim96 approved these changes Oct 1, 2020
CLA was raising error on commits already in master with a signed CLA.
This will subclass the abstract class `google.auth.external_account.Credentials` and will retrieve subject tokens from URLs (eg Azure Instance Metadata Service) or a file location (K8s KSA tokens).
The current change only covers file-sourced credentials. URL-sourced credentials will be covered in a follow up.
The spec has been extended to support generic formats for `google.auth.identity_pool.Credentials` (json and text).
When `text` format is specified, the raw file content is used as the subject token.
When `json` format is specified, the file content is parsed as json and the field with key `subject_token_field_name` is used to retrieve the subject token.
The current implementation deviates from the original design doc in that it separates IdentityPoolCredentials into its separate module `google.auth.identity_pool.Credentials` instead of `google.auth.external_account.IdentityPoolCredentials`. This is a better match for the current pattern in the repo.
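
The `text` and `json` file formats described in the pull request description above, as an added example that is not code from this pull request or from google-auth. The helper `read_subject_token`, the exception `SubjectTokenError`, the file names, the `access_token` field and the token values are all hypothetical; error messages name the file but never include its content, since that content is the credential.

```python
import json
import os
import tempfile


class SubjectTokenError(Exception):
    """Raised when no subject token can be loaded; never carries file content."""


def read_subject_token(path, format_type="text", subject_token_field_name=None):
    """Return the subject token stored at `path` (hypothetical helper)."""
    if format_type not in ("text", "json"):
        raise SubjectTokenError("unsupported format: %r" % (format_type,))
    if format_type == "json" and not subject_token_field_name:
        raise SubjectTokenError("json format requires subject_token_field_name")
    with open(path, "r", encoding="utf-8") as fh:
        content = fh.read()
    if format_type == "text":
        token = content  # raw file content is the subject token
    else:
        try:
            parsed = json.loads(content)
        except ValueError:
            # Report only the path; the content may be a partially written token.
            raise SubjectTokenError("file %s is not valid JSON" % path) from None
        if not isinstance(parsed, dict):
            raise SubjectTokenError("file %s is not a JSON object" % path)
        token = parsed.get(subject_token_field_name)
    if not isinstance(token, str) or not token:
        raise SubjectTokenError("no subject token found in %s" % path)
    return token


def demo():
    """Read constructed sample files (names, field and tokens are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        text_path = os.path.join(tmp, "token.txt")
        json_path = os.path.join(tmp, "token.json")
        with open(text_path, "w", encoding="utf-8") as fh:
            fh.write("constructed-text-token")
        with open(json_path, "w", encoding="utf-8") as fh:
            json.dump({"access_token": "constructed-json-token"}, fh)
        as_text = read_subject_token(text_path)
        as_json = read_subject_token(json_path, "json", "access_token")
    return as_text, as_json


if __name__ == "__main__":
    print(demo())
```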