
Prerequisites:
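- Install the Python Cryptography Toolkit (`pycrypto`), which provides the SHA-256 and RSA primitives used to sign the token in this notebook. Note that `pycrypto` is no longer maintained; it is used here only because the `jwt.contrib.algorithms.pycrypto` backend imported below depends on it.
- Install the Python JWT toolkit (`PyJWT`) to encode and decode JSON Web Tokens.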
- Download the Key JSON file of the service account that needs the access token. The access token is used as an OAuth 2.0 bearer token for any Google API that the service account has access to. If you don't have a Key JSON file, you can create a key for the service account; see https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys for details. The Key JSON file contains the service account's private key, so store it securely and do not commit it or paste its contents into a notebook that will be shared.

In [0]:
# Installs pycrypto, which the jwt.contrib.algorithms.pycrypto backend imported
# later in this notebook uses for RSA / SHA-256.
# NOTE(review): pycrypto is no longer maintained; it is kept here only because
# that backend requires it.
!pip3 install -q pycrypto


In [0]:
# Installs PyJWT, which builds and signs the JSON Web Token.
# NOTE(review): the install is unpinned, but the later cells rely on the legacy
# jwt.contrib.algorithms.pycrypto module and on jwt.encode() returning bytes;
# pin a PyJWT release that still provides both.
!pip3 install -q PyJWT

In [0]:
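import json
import time

# Optional path to the service account Key JSON file. When set, the issuer, key id
# and private key are read from that file, so the secret never has to be pasted
# into (and saved with) the notebook. Leave empty to use the inline placeholders.
key_json_path = ''

app_id = 'YOUR_PROJECT_ID' # Your Project ID in Google Cloud Platform

# Inline placeholders for the `client_email`, `private_key_id` and `private_key`
# fields of the Key JSON file. Do not replace the private key placeholder with a
# real key in a notebook that is committed or shared; set `key_json_path` instead.
service_account_email = 'your_project_id@appspot.gserviceaccount.com'
private_key_id = 'private_key_file_in_json_file'
private_key = '-----BEGIN PRIVATE KEY-----private_key_in_json_file-----END PRIVATE KEY-----\n'

if key_json_path:
  with open(key_json_path) as key_file:
    key_data = json.load(key_file)
  service_account_email = key_data['client_email']
  private_key_id = key_data['private_key_id']
  private_key = key_data['private_key']

# The assertion is valid for one hour (3600 seconds) from the time it is issued.
iat = time.time()
exp = iat + 3600
payload = {
  'iss': service_account_email,                              # `client_email` in the Key JSON file
  'sub': service_account_email,                              # This value should be same as `iss`
  # NOTE(review): cloud-platform is a broad scope; request a narrower scope
  # when the API you call offers one.
  'scope': 'https://www.googleapis.com/auth/cloud-platform',
  'aud': 'https://www.googleapis.com/oauth2/v4/token',       # Same URL the token request is sent to
  'iat': iat,
  'exp': exp
}
# `private_key_id` in the Key JSON file
additional_headers = {'kid': private_key_id}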



In [0]:
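import jwt
from jwt.contrib.algorithms.pycrypto import RSAAlgorithm

# Make RS256 (RSA signature over a SHA-256 digest) available to jwt.encode()
# through the pycrypto-backed implementation.
try:
  jwt.register_algorithm('RS256', RSAAlgorithm(RSAAlgorithm.SHA256))
except ValueError:
  # register_algorithm() refuses to replace an existing handler, so re-running
  # this cell in the same kernel would otherwise abort the notebook. The handler
  # that is already registered is kept.
  # NOTE(review): ValueError is the duplicate-registration error in the PyJWT
  # releases that ship jwt.contrib; confirm against the installed version.
  pass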

In [13]:
# Sign the claim set with the private key using RS256; the extra header carries
# the key id (`kid`).
signed_jwt = jwt.encode(
  payload,
  private_key,
  algorithm='RS256',
  headers=additional_headers,
)

# The signed assertion can be exchanged for an access token until its `exp` time,
# so treat this output as a credential and clear it before saving or sharing the
# notebook.
print(signed_jwt)

b'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjYzOGE1YjI1MGM5Y2I3OTE2NGE2MzE0MDEyYWU1OTlmMmEwM2ZiZDUifQ.eyJpc3MiOiJlcGFtLXBhbmthampvQGFwcHNwb3QuZ3NlcnZpY2VhY2NvdW50LmNvbSIsInN1YiI6ImVwYW0tcGFua2Fqam9AYXBwc3BvdC5nc2VydmljZWFjY291bnQuY29tIiwic2NvcGUiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2Nsb3VkLXBsYXRmb3JtIiwiYXVkIjoiaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vb2F1dGgyL3Y0L3Rva2VuIiwiaWF0IjoxNTUyMzU4MzUxLjYxMzIzNzYsImV4cCI6MTU1MjM2MTk1MS42MTMyMzc2fQ.XDV7YF8bzplCZPo_1E0p-ZN6e7x8rG-4hnVLGQnoODqCNTK4wWyvperdiVBRGfnue54sv3FLO8OQlZmzeit2KZ_2pWwONBIw-oGxcQiU8vzOYdpdynhv72aWHqMPedTAk82f_ROP6epX7bS0BpNXro_012zOn7B6ckJ28sQxiCt3IBQXp7c3ZQF_LT4FibAF9ZZfBRrLEIVRePk63s_k1v5pCFGXaQKy0lApb9SJ6uAFoieXeOrL7uAAdsmrEd_039hADiardhsvmezxIZEplkbkbVdgdPTBbHPsVRuT7pB-IiUzz1erFRkYFz9simTzcF34MgbjAfEhFH-oGxzTCA'


In [14]:
# jwt.encode() produced bytes; the form-encoded token request needs the assertion
# as text.
decoded_signed_jwt = str(signed_jwt, "utf-8")

# Same credential as the bytes form: clear this output before sharing the notebook.
print(decoded_signed_jwt)

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjYzOGE1YjI1MGM5Y2I3OTE2NGE2MzE0MDEyYWU1OTlmMmEwM2ZiZDUifQ.eyJpc3MiOiJlcGFtLXBhbmthampvQGFwcHNwb3QuZ3NlcnZpY2VhY2NvdW50LmNvbSIsInN1YiI6ImVwYW0tcGFua2Fqam9AYXBwc3BvdC5nc2VydmljZWFjY291bnQuY29tIiwic2NvcGUiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2Nsb3VkLXBsYXRmb3JtIiwiYXVkIjoiaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vb2F1dGgyL3Y0L3Rva2VuIiwiaWF0IjoxNTUyMzU4MzUxLjYxMzIzNzYsImV4cCI6MTU1MjM2MTk1MS42MTMyMzc2fQ.XDV7YF8bzplCZPo_1E0p-ZN6e7x8rG-4hnVLGQnoODqCNTK4wWyvperdiVBRGfnue54sv3FLO8OQlZmzeit2KZ_2pWwONBIw-oGxcQiU8vzOYdpdynhv72aWHqMPedTAk82f_ROP6epX7bS0BpNXro_012zOn7B6ckJ28sQxiCt3IBQXp7c3ZQF_LT4FibAF9ZZfBRrLEIVRePk63s_k1v5pCFGXaQKy0lApb9SJ6uAFoieXeOrL7uAAdsmrEd_039hADiardhsvmezxIZEplkbkbVdgdPTBbHPsVRuT7pB-IiUzz1erFRkYFz9simTzcF34MgbjAfEhFH-oGxzTCA


In [0]:
import urllib.parse
import urllib.request

# Token endpoint; this is the same URL that the JWT's `aud` claim names.
tokenurl = 'https://www.googleapis.com/oauth2/v4/token'

# JWT-bearer grant: the signed JWT is sent as the `assertion` form field.
tokenreqdata = {
  'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
  'assertion': decoded_signed_jwt
}
tokenpostdata = urllib.parse.urlencode(tokenreqdata).encode("utf-8")

# Supplying a request body makes urllib send this as a POST.
tokenreq = urllib.request.Request(
  tokenurl,
  data=tokenpostdata,
  headers={'Content-Type': 'application/x-www-form-urlencoded'},
)


In [0]:
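import logging
from urllib.error import URLError, HTTPError

# Send the token request. `logging` is imported here because the handlers below
# use it; without the import a failed request would surface as a NameError that
# hides the real HTTP or network error.
try:
  # A timeout keeps a stalled connection from hanging the kernel indefinitely.
  tokenresult = urllib.request.urlopen(tokenreq, timeout=30)
except HTTPError:
  # HTTPError is a subclass of URLError, so it has to be handled first.
  logging.exception('Failed to initiate token request due to HTTP Error.')
  # Re-raise: the next cell needs `tokenresult`, which is not defined on failure.
  raise
except URLError:
  logging.exception('Failed to initiate token request due to URL Error.')
  raise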


In [21]:
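import json

# The token endpoint answers with a JSON object. Decode the bytes and parse them
# as-is: rewriting "'" to '"' would corrupt any value that contains an apostrophe,
# and json.loads() already accepts newlines between tokens.
json_raw = tokenresult.read()
json_str = json_raw.decode("utf-8")
tokenr = json.loads(json_str)
access_token = tokenr['access_token']

# The access token is a bearer credential for every API the service account can
# reach. Clear this output before saving or sharing the notebook.
print(access_token)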

ya29.c.ElrKBn7En4YmWN_XXhWc4JCHPdeXe25wgaoKH6EvgV-14GAD1raiRD49QiQqnXkAk60WWQwxQfdeluCbDy1hS1M2WQcvBFV-2OhNmL6D9wjmOzjNxApm5khoq9g
