
feat: defines google.auth.aws.Credentials used for AWS workloads #625

Merged
merged 16 commits into from
Oct 19, 2020

Conversation

bojeil-google (Contributor)

This will subclass the abstract class google.auth.external_account.Credentials and will compute subject tokens as follows:

  • Retrieve AWS region from either AWS_REGION envvar or AWS metadata server availability-zone.

  • Check AWS credentials in environment variables:

    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
    • AWS_SESSION_TOKEN

    If not found, get from AWS metadata server security-credentials endpoint.

  • Get AWS credentials from AWS metadata server security-credentials endpoint.
    In order to retrieve this, the AWS role needs to be determined by calling
    security-credentials endpoint without any argument. Then the
    credentials can be retrieved via: security-credentials/role_name

  • Generate the signed request to AWS STS GetCallerIdentity action.

  • Inject x-goog-cloud-target-resource into reformatted header and serialize the
    signed request. This will be the subject-token to pass to GCP STS.
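The procedure in the PR description, carried through end to end as an added example; this is not code from the PR or from google-auth. It resolves the region (AWS_REGION, else the IMDS availability zone with its trailing zone letter dropped), resolves credentials (environment, else role name then role credentials from the IMDS security-credentials endpoint), SigV4-signs a POST to the regional STS GetCallerIdentity action with x-goog-cloud-target-resource among the signed headers, and serializes the result. Assumptions: the metadata server is abstracted as a fetcher callable fed constructed sample data, the credentials and the workload identity pool provider name are placeholders, and the percent-encoded JSON shape of the serialized subject token is this example's own choice, not taken from the page.

```python
import datetime
import hashlib
import hmac
import json
import urllib.parse
from typing import Callable, Dict, Optional

# Real IMDS paths; the fetcher below stands in for GET http://169.254.169.254<path>.
IMDS_AZ_PATH = "/latest/meta-data/placement/availability-zone"
IMDS_CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
STS_QUERY = "Action=GetCallerIdentity&Version=2011-06-15"

# Constructed sample data: placeholder credentials, not real ones.
SAMPLE_ENV = {
    "AWS_REGION": "us-east-1",
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE00",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "AWS_SESSION_TOKEN": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
}
SAMPLE_IMDS = {
    IMDS_AZ_PATH: "us-west-2b",
    IMDS_CREDS_PATH: "demo-role",
    IMDS_CREDS_PATH + "demo-role": json.dumps({
        "Code": "Success", "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
        "SecretAccessKey": "imds-secret-EXAMPLE", "Token": "imds-session-token-EXAMPLE"}),
}
# Hypothetical workload identity pool provider used as the target resource (audience).
TARGET_RESOURCE = ("//iam.googleapis.com/projects/123456789/locations/global/"
                   "workloadIdentityPools/demo-pool/providers/aws-demo")
FIXED_NOW = datetime.datetime(2020, 10, 19, 12, 0, 0, tzinfo=datetime.timezone.utc)

Fetcher = Callable[[str], str]


def sample_fetch_metadata(path: str) -> str:
    """Stand-in for an HTTP GET against the metadata server; serves constructed data."""
    return SAMPLE_IMDS[path]


def resolve_region(env: Dict[str, str], fetch: Fetcher) -> str:
    """AWS_REGION wins; otherwise derive the region from the IMDS availability zone."""
    if env.get("AWS_REGION"):
        return env["AWS_REGION"]
    zone = fetch(IMDS_AZ_PATH).strip()
    return zone[:-1]  # "us-west-2b" -> "us-west-2": drop the trailing zone letter


def resolve_credentials(env: Dict[str, str], fetch: Fetcher) -> Dict[str, Optional[str]]:
    """Static env credentials if present, else the instance role's credentials from IMDS."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return {"access_key_id": env["AWS_ACCESS_KEY_ID"],
                "secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
                "session_token": env.get("AWS_SESSION_TOKEN")}
    role = fetch(IMDS_CREDS_PATH).strip()            # endpoint without argument -> role name
    doc = json.loads(fetch(IMDS_CREDS_PATH + role))  # security-credentials/<role> -> credentials
    return {"access_key_id": doc["AccessKeyId"], "secret_access_key": doc["SecretAccessKey"],
            "session_token": doc.get("Token")}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_get_caller_identity(creds, region, target_resource, now):
    """SigV4-sign POST sts:GetCallerIdentity (empty body, action in the query string) with
    x-goog-cloud-target-resource in the signed headers, binding the request to one audience."""
    host = f"sts.{region}.amazonaws.com"
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {"host": host, "x-amz-date": amz_date,
               "x-goog-cloud-target-resource": target_resource}
    if creds.get("session_token"):
        headers["x-amz-security-token"] = creds["session_token"]
    names = sorted(headers)                 # canonical header order is lowercase, sorted
    signed_headers = ";".join(names)
    canonical_request = "\n".join([
        "POST", "/", STS_QUERY,
        "".join(f"{n}:{headers[n].strip()}\n" for n in names),
        signed_headers, hashlib.sha256(b"").hexdigest()])
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + creds["secret_access_key"]).encode(),
                                        date_stamp), region), "sts"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['access_key_id']}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"url": f"https://{host}?{STS_QUERY}", "method": "POST",
            "headers": [{"key": k, "value": v} for k, v in headers.items()]}


def build_subject_token(env, fetch, target_resource, now=None) -> str:
    """Whole procedure. The percent-encoded JSON shape is an assumption of this example."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    signed = sign_get_caller_identity(resolve_credentials(env, fetch),
                                      resolve_region(env, fetch), target_resource, now)
    return urllib.parse.quote(json.dumps(signed, separators=(",", ":"), sort_keys=True), safe="")


def decode_subject_token(token: str) -> dict:
    """Inverse of build_subject_token, for inspection."""
    return json.loads(urllib.parse.unquote(token))


if __name__ == "__main__":
    print(json.dumps(decode_subject_token(
        build_subject_token(SAMPLE_ENV, sample_fetch_metadata, TARGET_RESOURCE, FIXED_NOW)), indent=2))
```

Two points worth checking against any implementation of this flow: the secret access key never appears in the subject token, only the access key id, the session token and the signature derived from the secret, so the token can be handed to the GCP STS endpoint, which validates it by presenting the signed request to AWS STS; and because x-goog-cloud-target-resource is part of the signed headers, a token minted for one provider resource does not verify for another. In production the metadata fetcher should use a short timeout and an IMDSv2 session token rather than the plain GET the sample fetcher stands in for.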

busunkim96 and others added 15 commits September 2, 2020 14:55
Co-authored-by: Tres Seaver <tseaver@palladion.com>
* chore: updated CHANGELOG.md [ci skip]

* chore: updated setup.cfg [ci skip]

* chore: updated setup.py

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com.

This API is deprecated and will be shut down in one year.

This is used by google.auth.iam.Signer.
Added a system_test to sanity check the implementation.
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
* This patch for #501 includes the following fixes:

- The access token is always set to `None`, so the fix involves using (the access) `token` from the saved JSON credentials file.
- For refresh needs, `expiry` also needs to be saved via `to_json()`.
    - DUMP: As `expiry` is a `datetime.datetime` object, serialize to `datetime.isoformat()` in the same [`oauth2client` format](https://github.com/googleapis/oauth2client/blob/master/oauth2client/client.py#L55) for consistency.
    - LOAD: Add code to restore `expiry` back to `datetime.datetime` object when imported.
    - LOAD: If `expiry` was unsaved, automatically set it as expired so refresh takes place.
- Minor `scopes` updates
    - DUMP: Add property for `scopes` so `to_json()` can grab it
    - LOAD: `scopes` may be saved as a string instead of a JSON array (Python list), so ensure it is Sequence[str] when imported.
* feat: asyncio http request logic and asynchronous credentials logic  (#572)

Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Fix #618. Removes aiohttp from required dependencies to lessen dependency tree for google-auth.

This will need to be looked at again as more folks use aiohttp and once the surface goes to public visibility.
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Refs #595 (comment) 

I see no point in checking whether someone is running a version of https://github.com/pyca/cryptography/ from 2014 that doesn't even compile against modern versions of OpenSSL anymore.
This will subclass the abstract class `google.auth.external_account.Credentials` and will compute subject tokens by serializing signed requests to the AWS STS GetCallerIdentity API that can be exchanged for Google access tokens via the GCP STS endpoint.
@bojeil-google bojeil-google requested a review from a team as a code owner October 14, 2020 07:49
@google-cla

google-cla bot commented Oct 14, 2020

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment `@googlebot I fixed it.`. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

@google-cla google-cla bot added the cla: no This human has *not* signed the Contributor License Agreement. label Oct 14, 2020

@busunkim96 busunkim96 added cla: yes This human has signed the Contributor License Agreement. and removed cla: no This human has *not* signed the Contributor License Agreement. labels Oct 17, 2020
@busunkim96 busunkim96 merged commit a57aba9 into googleapis:byoid Oct 19, 2020