This library, built on top of Google's official SDK, aims to provide features that the standard library does not implement, for whatever reason.
A common reason is that the feature is not a priority in the SDK's roadmap.
I hope that the features available in this repo will be integrated into the official library for the common good.
For security reasons, this project will always drop support for a Python version as soon as its security support ends.
As an example, version 2.16.1 of google-auth, launched on 2023-02-17, still supports Python 3.6.
google-auth-plugins requires Python 3.7 or newer, and can be installed directly via pip:
python3 -m venv venv && source venv/bin/activate
python -m pip install google-auth-plugins
A bit of context
As stated in this issue, it is currently not possible to produce delegated credentials via an impersonated identity.
To put it another way, today the only way to obtain those credentials is with a service account key 🤯.
Given the importance of this kind of service account, it seems relevant to limit long-term credentials as much as possible in order to protect against leaks.
Domain-wide delegation credentials allow that.
Please find below an example:
import google.auth
from google_auth_plugins import dwd_credentials

target_scopes = ['https://www.googleapis.com/auth/calendar.readonly']
subject = "john.doe@pamplemousse.com"

# The impersonated service account must grant `Service Account Token Creator` to the identity represented by source_credentials
source_credentials, _ = google.auth.default()
delegated_credentials = dwd_credentials.Credentials(
    subject=subject,
    source_credentials=source_credentials,
    target_principal='dwd-impersonated-account@_project_.iam.gserviceaccount.com',
    target_scopes=target_scopes,
)
Alternatively, if source_credentials is the service account with domain-wide delegation, you can skip the target_principal definition.

source_credentials, _ = google.auth.default()
delegated_credentials = dwd_credentials.Credentials(
    subject=subject,
    source_credentials=source_credentials,
    target_scopes=target_scopes,
)
Finally, you can switch delegated credentials as defined below:
alice_delegated_creds = dwd_credentials.Credentials(
    subject="alice@example.com",
    source_credentials=source_credentials,
    target_scopes=target_scopes,
)
bob_delegated_creds = alice_delegated_creds.with_subject("bob@example.com")
Note: this module is heavily inspired by Johannes Passing's blog post 🚀.
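The following is an added sketch, not code from this project, of the general keyless flow that replaces a service account key for domain-wide delegation: the JWT assertion is signed by the IAM Credentials `signJwt` method instead of a local private key, then exchanged at the OAuth token endpoint. The helper names and sample addresses are hypothetical, and nothing is sent over the network.

```python
import json
import time

IAM_SIGN_JWT = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{sa}:signJwt"
TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # assertions valid for more than one hour are rejected


def build_dwd_claims(sa_email, subject, scopes, now=None, lifetime=MAX_LIFETIME):
    """Claim set stating that sa_email acts on behalf of the Workspace user `subject`."""
    if not scopes:
        raise ValueError("at least one scope is required")
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    iat = int(time.time() if now is None else now)
    return {
        "iss": sa_email,             # service account with domain-wide delegation
        "sub": subject,              # user being impersonated
        "scope": " ".join(scopes),   # space-delimited, as the token endpoint expects
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + lifetime,
    }


def build_sign_jwt_request(sa_email, claims):
    """URL and JSON body for signJwt: Google signs, so no private key is ever exported."""
    return IAM_SIGN_JWT.format(sa=sa_email), {"payload": json.dumps(claims)}


def build_token_exchange(signed_jwt):
    """URL and form body that trade the signed assertion for a short-lived access token."""
    return TOKEN_URI, {"grant_type": JWT_BEARER, "assertion": signed_jwt}


if __name__ == "__main__":
    sa = "dwd-sa@example-project.iam.gserviceaccount.com"  # constructed sample value
    claims = build_dwd_claims(
        sa, "john.doe@example.com",
        ["https://www.googleapis.com/auth/calendar.readonly"], now=1700000000,
    )
    print(build_sign_jwt_request(sa, claims))
    print(build_token_exchange("<signedJwt field of the signJwt response>"))
```

The caller of `signJwt` needs the `Service Account Token Creator` role on the service account, which is why the only long-lived secret in the key-based flow disappears here.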
make test