Python equivalent for gcloud auth print-identity-token command
The gcloud auth print-identity-token command prints an identity token for the specified account.

$(gcloud auth print-identity-token \
        --audiences=https://example.com \
        --impersonate-service-account [email protected] \
        --include-email)

How do I do the same using Python?

Banking answered 12/11, 2022 at 8:35 Comment(1)
Can impersonation be done outside the code?Phore

Here is a code sample (not so easy and well documented)

import google.auth
import google.auth.transport.requests
from google.auth import impersonated_credentials
from google.auth.impersonated_credentials import IDTokenCredentials

SCOPES = ['https://www.googleapis.com/auth/cloud-platform']

request = google.auth.transport.requests.Request()

audience = 'my_audience'  # the value you would pass to --audiences

# Application Default Credentials: the identity that is allowed to impersonate the SA
creds, _ = google.auth.default(scopes=SCOPES)

# Equivalent of --impersonate-service-account
icreds = impersonated_credentials.Credentials(
        source_credentials=creds,
        target_principal="SA TO IMPERSONATE",
        target_scopes=SCOPES)

# include_email=True is the equivalent of --include-email
# (variable renamed from `id` so it does not shadow the Python builtin)
id_creds = IDTokenCredentials(icreds, target_audience=audience, include_email=True)
id_creds.refresh(request)
print(id_creds.token)
Phore answered 12/11, 2022 at 19:45 Comment(8)
What if I want to use the default credentials instead? I'm running this piece of code in a Cloud Function which already uses this SA at runtime, so I get the credentials as the default ones. If I refresh the default creds and feed them to the IDTokenCredentials class, I get a Provided Credential must be impersonated_credentials error. How could I get this JWT from the default credentials?Wifeless
Did you try to use creds instead of icreds in that line id = IDTokenCredentials(icreds,...Phore
Yes, that was when the Provided Credential must be impersonated_credentials error message showedWifeless
I found this documentation explaining how to use the metadata server for that particular use case. Maybe it's useful for more people, so I will leave it hereWifeless
Yes but.... I'm worried about that "explicit use of compute engine class". The standard libraries should automatically detect the runtime environment (especially if the metadata server is present, which means you are in a Google Cloud environment) and the IDCredential object creation should work out of the box.. Personally I consider that a bug in the library.Phore
I guess it doesn't work because we are using the IDTokenCredentials object of the impersonated_credentials module, while we are not using impersonated credentials but the application default ones. Are you aware if there exists a different IDTokenCredentials for non-impersonated credentials? I also tried to use the token I got after refreshing the default creds, but that's an access token instead of a JWTWifeless
My bad, if you want to fetch an ID token without impersonation, simply use fetch_id_token googleapis.dev/python/google-auth/1.14.0/reference/…Phore
Wow, that was easy! Thanks for sharing, I was not able to find that functionWifeless
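Putting the answer and the comment thread together, as an added example that is not part of the original answers: mint_id_token mirrors the gcloud flags for both the impersonated path (the answer's code) and the plain ADC path (the fetch_id_token the comments arrive at), and inspect_id_token is a pre-flight check on the minted JWT's aud, exp and iss claims, so a token minted for the wrong audience is caught before it is sent. The service-account address in SAMPLE_CLAIMS is a placeholder and make_sample_token builds an unsigned token purely so the inspection can be exercised offline; the google-auth package is only needed by mint_id_token.

```python
import base64
import json
import time

SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]

def mint_id_token(audience, impersonate=None, include_email=True):
    """Mirror `gcloud auth print-identity-token --audiences=AUD [--impersonate-service-account SA]`.
    Without `impersonate`, the ambient ADC mints the token via fetch_id_token; with it, ADC acts through the SA."""
    import google.auth  # imported lazily: google-auth is only needed for minting
    import google.auth.transport.requests
    from google.auth import impersonated_credentials
    from google.oauth2 import id_token
    request = google.auth.transport.requests.Request()
    if impersonate is None:
        return id_token.fetch_id_token(request, audience)
    source, _ = google.auth.default(scopes=SCOPES)
    target = impersonated_credentials.Credentials(
        source_credentials=source, target_principal=impersonate, target_scopes=SCOPES)
    creds = impersonated_credentials.IDTokenCredentials(
        target, target_audience=audience, include_email=include_email)
    creds.refresh(request)
    return creds.token

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def inspect_id_token(token, expected_audience, now=None):
    """Unverified read of the payload: catches a token minted for the wrong audience or already
    expired before it is sent. Signature verification remains the receiving service's job."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append("aud mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        problems.append("unexpected issuer")
    return claims, problems

# Constructed sample claims (placeholder SA address) for an unsigned demo token.
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com", "aud": "https://example.com",
                 "email": "[email protected]", "iat": 1700000000, "exp": 1700003600}

def make_sample_token(claims=SAMPLE_CLAIMS):  # constructed, unsigned: offline demo only
    return f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url(claims)}.unsigned"
```

In production, run inspect_id_token on the value returned by mint_id_token; the receiving service should still verify the signature with google.oauth2.id_token.verify_token.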

Much simpler.

import subprocess
# os.system() returns the exit status, not the printed token; capture stdout instead
token = subprocess.run(["gcloud", "auth", "print-identity-token"],
                       capture_output=True, text=True, check=True).stdout.strip()
Stacystadholder answered 8/5, 2024 at 9:37 Comment(1)
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.Lederhosen