feat: workload identity federation support #698
Commits on Sep 3, 2020
feat: defines internal utils for OAuth client Auth and error handling (#594)
This defines internal utilities to handle:
- OAuth client authentication
- Standard OAuth error response parsing into OAuthError exception.
Commit 57f9922
Commits on Sep 10, 2020
feat: implements the OAuth token exchange spec based on rfc8693 (#598)
* refactor: split 'with_quota_project' into separate base class (#561)
* feat: implements the OAuth token exchange spec based on rfc8693
Commit 1b45700
Commits on Sep 14, 2020
feat: defines `google.auth.external_account.Credentials` abstract class for external_account credentials (#603)
Commit 86ee2aa
Commits on Sep 18, 2020
feat: adds service account impersonation to `google.auth.external_account.Credentials` (#605)
If the `service_account_impersonation_url` is provided, an additional step to exchange the external account GCP access token for a service account impersonated token is performed. This is needed because many Google Cloud services do not yet support external account GCP access tokens. In order to support service account impersonations, we depend on `google.auth.impersonated_credentials.Credentials`, which has been extended to accept an override of the IAM `GenerateAccessToken` endpoint. This is useful when supporting impersonation with regional endpoints.
Commit 283241f
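The three commits above (#594, #598, #605) name the protocol steps but not the messages on the wire. The following is an added example, not code from this PR or from google-auth, showing what each step looks like: HTTP Basic client authentication as in RFC 6749, the form body of an RFC 8693 token exchange, parsing of a standard OAuth error response into an `OAuthError`, and the IAM Credentials `generateAccessToken` request for the impersonation step with the endpoint taken as an override so a regional host can be substituted. The iamcredentials URL follows the standard `projects/-/serviceAccounts/{email}:generateAccessToken` form; the regional hostname, token values and service account in the assertions are constructed; `invalid_response` is a local code this example uses for malformed error bodies, not a standard OAuth error code.

```python
"""Request/response helpers for RFC 8693 token exchange and the follow-up
service account impersonation call. Example code, not the library's own."""
import base64
import json
import urllib.parse

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


class OAuthError(Exception):
    """A standard OAuth 2.0 error response (RFC 6749 section 5.2)."""

    def __init__(self, code, description=None, uri=None):
        super().__init__(f"{code}: {description}" if description else code)
        self.code, self.description, self.uri = code, description, uri


def client_auth_header(client_id, client_secret):
    """HTTP Basic client authentication (RFC 6749 section 2.3.1): both values
    are form-urlencoded before being joined with ':' and base64-encoded."""
    pair = (urllib.parse.quote_plus(client_id, safe="") + ":"
            + urllib.parse.quote_plus(client_secret, safe=""))
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def token_exchange_body(audience, subject_token, subject_token_type, scopes=None,
                        requested_token_type=ACCESS_TOKEN_TYPE, resource=None,
                        actor_token=None, actor_token_type=None):
    """Form fields for an RFC 8693 token exchange request, POSTed as
    application/x-www-form-urlencoded. Optional parameters are left out when
    unset rather than sent empty."""
    if actor_token and not actor_token_type:
        raise ValueError("actor_token_type is required when actor_token is set")
    body = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "audience": audience,
        "requested_token_type": requested_token_type,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
    }
    if scopes:
        body["scope"] = " ".join(scopes)
    if resource:
        body["resource"] = resource
    if actor_token:
        body["actor_token"] = actor_token
        body["actor_token_type"] = actor_token_type
    return body


def parse_token_response(status, text):
    """Return the parsed success payload or raise OAuthError.

    A well-formed OAuth error body is mapped field by field; anything else
    that is not a success (HTML from a proxy, truncated JSON) still surfaces
    as OAuthError with the local code 'invalid_response', so callers have a
    single failure type to handle."""
    try:
        payload = json.loads(text)
    except ValueError:
        payload = None
    if 200 <= status < 300 and isinstance(payload, dict) and "access_token" in payload:
        return payload
    if isinstance(payload, dict) and "error" in payload:
        raise OAuthError(payload["error"], payload.get("error_description"),
                         payload.get("error_uri"))
    raise OAuthError("invalid_response", f"HTTP {status} with unrecognised body")


def impersonation_request(service_account_email, scopes, lifetime_seconds=3600,
                          endpoint=None):
    """URL and JSON body for IAM Credentials generateAccessToken. `endpoint`
    is the override hook: pass a regional IAM Credentials host to keep the
    impersonation call regional; the default is the global endpoint."""
    base = (endpoint or "https://iamcredentials.googleapis.com").rstrip("/")
    url = f"{base}/v1/projects/-/serviceAccounts/{service_account_email}:generateAccessToken"
    body = {"scope": list(scopes), "lifetime": f"{int(lifetime_seconds)}s"}
    return url, body
```

The exchange itself is two round trips: POST `token_exchange_body(...)` to the STS `token_url` with the Basic header if the pool requires client authentication, feed the HTTP status and body to `parse_token_response`, then POST the `impersonation_request` body with the returned access token as a Bearer credential.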
Commits on Sep 29, 2020
Syncs the BYOID branch to master. No additional changes added.
Commit 1b6dbdd
Commits on Oct 1, 2020
feat: defines `google.auth.identity_pool.Credentials` used for K8s and Azure workloads (#617)
Commit 1b4ad67
Commits on Oct 9, 2020
feat: implements AWS signature version 4 for signing requests (#622)
Implements the AWS signature version 4 for signing requests based on: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html It will be used to generate signed requests to AWS GetCallerIdentity API. https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html This API is used to securely return details about the IAM user or role whose credentials are used to call the operation. The majority of the test cases are using the AWS SDK test fixtures.
Commit 6477a8b
Commits on Oct 19, 2020
feat: defines `google.auth.aws.Credentials` used for AWS workloads (#625)
This will subclass the abstract class `google.auth.external_account.Credentials` and will compute subject tokens as follows:
- Retrieve AWS region from either `AWS_REGION` envvar or AWS metadata server `availability-zone`.
- Check AWS credentials in environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`. If not found, get from AWS metadata server `security-credentials` endpoint.
- Get AWS credentials from AWS metadata server `security-credentials` endpoint. In order to retrieve this, the AWS role needs to be determined by calling `security-credentials` endpoint without any argument. Then the credentials can be retrieved via: `security-credentials/role_name`
- Generate the signed request to AWS STS `GetCallerIdentity` action.
- Inject `x-goog-cloud-target-resource` into reformatted header and serialize the signed request. This will be the subject-token to pass to GCP STS.
Commit a57aba9
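The two commits above (#622 and #625) describe the signing and the subject-token construction in words. The following is an added example, not the PR's or google-auth's code, that implements Signature Version 4 over an explicit timestamp and wraps a `GetCallerIdentity` request into a subject token. The security-relevant detail is that `x-goog-cloud-target-resource` is one of the signed headers: the workload identity pool audience is bound into the AWS signature, so a captured subject token cannot be presented to GCP STS for a different audience without invalidating it. The signing routine is checked against the signing example published in the AWS Signature Version 4 documentation (`AKIDEXAMPLE`, `ListUsers`, `20150830T123600Z`); the URL-encoded JSON shape of the serialized token, the sample credentials, session token and audience are assumptions of this example.

```python
"""AWS Signature Version 4 and a GetCallerIdentity subject token, offline.
Example code; the serialization shape is assumed, not taken from the library."""
import hashlib
import hmac
import json
import urllib.parse


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, url, headers, payload):
    """Build the SigV4 canonical request; returns (canonical_request, signed_headers).
    Every header passed in is signed, so nothing the caller adds is left unprotected."""
    parts = urllib.parse.urlsplit(url)
    path = urllib.parse.quote(parts.path or "/", safe="/~")
    pairs = sorted(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query = "&".join(f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
                     for k, v in pairs)
    # Lowercase names, collapse internal whitespace in values, sort by name.
    lowered = {k.lower().strip(): " ".join(str(v).split()) for k, v in headers.items()}
    signed = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    creq = "\n".join([method.upper(), path, query, canon_headers, signed, _sha256_hex(payload)])
    return creq, signed


def sign_request(method, url, headers, payload, access_key, secret_key, region, service,
                 amz_date, session_token=None):
    """Return headers with host, x-amz-date, optional x-amz-security-token and the
    authorization header added. amz_date is the basic ISO 8601 timestamp
    (e.g. 20150830T123600Z), passed explicitly so results are reproducible."""
    parts = urllib.parse.urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    hdrs.setdefault("host", parts.netloc)
    hdrs["x-amz-date"] = amz_date
    if session_token:
        hdrs["x-amz-security-token"] = session_token
    creq, signed_headers = canonical_request(method, url, hdrs, payload)
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(creq.encode("utf-8"))])
    # Derived signing key: "AWS4"+secret -> date -> region -> service -> "aws4_request".
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, service, "aws4_request"):
        key = _hmac_sha256(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


def aws_subject_token(audience, access_key, secret_key, session_token, region, amz_date):
    """Signed GetCallerIdentity request serialized as a GCP STS subject token.
    x-goog-cloud-target-resource (the pool audience) is added before signing, so
    it is covered by the signature. Shape (url/method/headers as key/value pairs,
    URL-encoded JSON) is an assumption of this example."""
    url = f"https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
    signed = sign_request("POST", url, {"x-goog-cloud-target-resource": audience}, b"",
                          access_key, secret_key, region, "sts", amz_date, session_token)
    token = {"url": url, "method": "POST",
             "headers": [{"key": k, "value": v} for k, v in sorted(signed.items())]}
    return urllib.parse.quote(json.dumps(token, separators=(",", ":")))


def decode_subject_token(token):
    """Inverse of the serialization above, as the verifying side would apply it."""
    return json.loads(urllib.parse.unquote(token))
```

The region, access key, secret and session token come from the lookup order the commit lists (environment variables first, then the metadata server); the timestamp is the one thing that must be fresh, since the signed request is only valid within AWS's clock-skew window.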
Commits on Oct 22, 2020
* refactor: split 'with_quota_project' into separate base class (#561)
  Co-authored-by: Tres Seaver <tseaver@palladion.com>
* fix: dummy commit to trigger an auto release (#597)
* chore: release 1.21.1 (#599)
  * chore: updated CHANGELOG.md [ci skip]
  * chore: updated setup.cfg [ci skip]
  * chore: updated setup.py
  Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
* fix: migrate signBlob to iamcredentials.googleapis.com (#600)
  Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com. This API is deprecated and will be shut down in one year. This is used by google.auth.iam.Signer. Added a system_test to sanity check the implementation.
* chore: release 1.21.2 (#601)
  Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
* fix: fix expiry for `to_json()` (#589)
  This patch for </issues/501> includes the following fixes:
  - The access token is always set to `None`, so the fix involves using (the access) `token` from the saved JSON credentials file.
  - For refresh needs, `expiry` also needs to be saved via `to_json()`.
    - DUMP: As `expiry` is a `datetime.datetime` object, serialize to `datetime.isoformat()` in the same [`oauth2client` format](https://github.com/googleapis/oauth2client/blob/master/oauth2client/client.py#L55) for consistency.
    - LOAD: Add code to restore `expiry` back to a `datetime.datetime` object when imported.
    - LOAD: If `expiry` was unsaved, automatically set it as expired so refresh takes place.
  - Minor `scopes` updates
    - DUMP: Add property for `scopes` so `to_json()` can grab it
    - LOAD: `scopes` may be saved as a string instead of a JSON array (Python list), so ensure it is Sequence[str] when imported.
* chore: add default CODEOWNERS (#609)
* chore: release 1.21.3 (#607)
* feat: add asyncio based auth flow (#612)
  * feat: asyncio http request logic and asynchronous credentials logic (#572)
  Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com>
* chore: release 1.22.0 (#615)
  Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
* fix: move aiohttp to extra as it is currently internal surface (#619)
  Fix #618. Removes aiohttp from required dependencies to lessen the dependency tree for google-auth. This will need to be looked at again as more folks use aiohttp and once the surface goes to public visibility.
* chore: release 1.22.1 (#620)
  Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
* fix: remove checks for ancient versions of Cryptography (#596)
  Refs #595 (comment). I see no point in checking whether someone is running a version of https://github.com/pyca/cryptography/ from 2014 that doesn't even compile against modern versions of OpenSSL anymore.
* chore: sync to master
  Syncs to master. Fixes broken unit tests in Python 3.6 and 3.7. Aligns test_identity_pool.py with test_aws.py.
Co-authored-by: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com>
Co-authored-by: Tres Seaver <tseaver@palladion.com>
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: wesley chun <wescpy@gmail.com>
Co-authored-by: Christopher Wilcox <crwilcox@google.com>
Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com>
Co-authored-by: Aarni Koskela <akx@iki.fi>
Commit cae69d5
Commits on Oct 27, 2020
feat: implement `get_project_id()` for google.auth.external_account.Credentials (#631)
This is introduced to support the current pattern of using the Auth library: `credentials, project_id = google.auth.default()`
This will be added to the project ID determination logic: https://github.com/googleapis/google-auth-library-python/blob/3b3172ef94c110c81a49bc160123e8ff55141e65/google/auth/_default.py#L338
This will first determine the project number from the STS audience: `//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...`
It will then call cloud resource manager to determine the project information: https://cloudresourcemanager.googleapis.com/v1/projects/$PROJECT_NUMBER
This may fail for the following reasons:
- The resource may not have permission (resourcemanager.projects.get) to call this API
- Required scopes may not be selected: https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes
To reduce cost of this API, we will fail quickly and not retry and we will use scopes provided as is.
Commit c1e6dc8
Commits on Oct 30, 2020
feat: Support external_accounts in `google.auth.default()` & `google.auth.load_credentials_from_file()` (#635)
- Adds implicit ADC support for external account credentials via `google.auth.default()`.
- Adds explicit support for external account credentials via `google.auth.load_credentials_from_file()`.
- Adds optional `google.auth.transport.Request` argument to `load_credentials_from_file` to facilitate retrieval of workload identity pool project ID if determinable. This follows a similar pattern set by `_get_gce_credentials` method.
- Related comprehensive unit tests have been added to only the public methods (`default()` and `load_credentials_from_file()`).
- Updated constructor invalid argument exceptions for `google.auth.identity_pool.Credentials` and `google.auth.aws.Credentials` to be `ValueError` instead of `exceptions.GoogleAuthError`. This aligns these credentials with service account credentials behavior.
Commit 7db0738
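The two commits above (#631 and #635) describe what the loader does with an external_account credential file: reject invalid configurations with `ValueError`, pick the AWS or identity pool credential type from `credential_source`, and derive the project number from the STS audience before any network call. The following is an added example, not the PR's or google-auth's code, that performs those steps over two constructed credential files. The field names (`type`, `audience`, `subject_token_type`, `token_url`, `service_account_impersonation_url`, `credential_source` with `environment_id` for AWS or `file`/`url` for identity pools) follow the external_account JSON format; the sample project number, pool, provider, service account and token path are constructed. The `https` and `googleapis.com` host check on `token_url` and the impersonation URL is this example's own hardening, added because those two fields decide where a workload's subject token and federated access token get sent, and a tampered credential file would otherwise redirect them.

```python
"""Validate an external_account credential JSON and derive its project number.
Example code; the URL host check is added hardening, not the library's behavior."""
import json
import re
import urllib.parse

_AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(\d+)/locations/[^/]+/"
    r"workloadIdentityPools/[^/]+/providers/[^/]+$")

# Constructed sample files (not real project numbers, pools or accounts).
AWS_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789/locations/global/"
                "workloadIdentityPools/my-pool/providers/my-aws-provider",
    "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
        "serviceAccounts/wif-sa@example-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {
        "environment_id": "aws1",
        "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
        "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
        "regional_cred_verification_url":
            "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
    },
})
K8S_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789/locations/global/"
                "workloadIdentityPools/my-pool/providers/my-oidc-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/var/run/secrets/tokens/gcp-token"},
})


def project_number_from_audience(audience):
    """Project number embedded in the STS audience, or None if the audience does
    not have the workload identity pool shape. First step of get_project_id()."""
    m = _AUDIENCE_RE.match(audience)
    return m.group(1) if m else None


def _require_google_https(url, field):
    """Added hardening: only accept https URLs on googleapis.com hosts for the
    endpoints the file tells us to send tokens to. A suffix check on the parsed
    hostname rejects look-alikes such as googleapis.com.attacker.example."""
    parts = urllib.parse.urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not (host == "googleapis.com" or host.endswith(".googleapis.com")):
        raise ValueError(f"{field} must be an https URL on a googleapis.com host: {url!r}")


def load_external_account(text):
    """Parse and validate a credential file; return kind, audience, project number
    and whether an impersonation step follows. Invalid input raises ValueError."""
    cfg = json.loads(text)
    if cfg.get("type") != "external_account":
        raise ValueError("not an external_account credential file")
    required = ("audience", "subject_token_type", "token_url", "credential_source")
    missing = [f for f in required if not cfg.get(f)]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    _require_google_https(cfg["token_url"], "token_url")
    impersonation_url = cfg.get("service_account_impersonation_url")
    if impersonation_url:
        _require_google_https(impersonation_url, "service_account_impersonation_url")
    source = cfg["credential_source"]
    if str(source.get("environment_id", "")).startswith("aws"):
        kind = "aws"                 # google.auth.aws.Credentials
    elif "file" in source or "url" in source:
        kind = "identity_pool"       # google.auth.identity_pool.Credentials
    else:
        raise ValueError("credential_source must be an AWS source or a file/url source")
    return {
        "kind": kind,
        "audience": cfg["audience"],
        "project_number": project_number_from_audience(cfg["audience"]),
        "impersonates": bool(impersonation_url),
    }
```

The project number is all the file yields; turning it into a project ID still needs the Resource Manager call the commit describes, with its permission and scope failure modes.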
Commits on Nov 17, 2020
Commit 281b612
Commits on Dec 11, 2020
Commit 2bd9e83
Commits on Jan 8, 2021
Commit 079c215
Commits on Feb 3, 2021
Commit 50dbd28
Commits on Feb 4, 2021
Commit 6001295
Commits on Feb 5, 2021
Commit 829c299
Commit 69940f4
Commits on Feb 11, 2021
fix: Fixes `google.auth.default()` passing scopes to authorized user creds
Reverted changes in `google.auth.default()` logic introduced in external account creds. `_get_explicit_environ_credentials` is called with no arguments as previously done. Instead, after the credential is returned via `with_scopes_if_required()`, we try to get project ID if the credential has a `get_project_id` method and if the project ID has not yet been determined. This is a safer change while still keeping the logic to determine project ID for external credentials.
Commit dfa3739
Commits on Feb 12, 2021
Commit 93bae9a
Commits on Feb 16, 2021
Commit e7e0ab5
Commit 90a7f80