Python google.auth() Examples

The following are code examples for showing how to use google.auth(). They are from open source Python projects. You can vote up the examples you like or vote down the ones you don't like.

Example 1
Project: bigquerylayers   Author: smandaric   File: _default.py    GNU General Public License v3.0 6 votes vote down vote up
def _get_gcloud_sdk_credentials():
    """Gets the credentials and project ID from the Cloud SDK."""
    from google.auth import _cloud_sdk

    # Check if application default credentials exist.
    credentials_filename = (
        _cloud_sdk.get_application_default_credentials_path())

    if not os.path.isfile(credentials_filename):
        return None, None

    credentials, project_id = _load_credentials_from_file(
        credentials_filename)

    if not project_id:
        project_id = _cloud_sdk.get_project_id()

    return credentials, project_id 
Example 2
Project: ansible_collections_google   Author: ansible-collections   File: gcp_utils.py    GNU General Public License v3.0 6 votes vote down vote up
def _validate(self):
        if not HAS_REQUESTS:
            self.module.fail_json(msg="Please install the requests library")

        if not HAS_GOOGLE_LIBRARIES:
            self.module.fail_json(msg="Please install the google-auth library")

        if self.module.params.get('service_account_email') is not None and self.module.params['auth_kind'] != 'machineaccount':
            self.module.fail_json(
                msg="Service Account Email only works with Machine Account-based authentication"
            )

        if (self.module.params.get('service_account_file') is not None or
                self.module.params.get('service_account_contents') is not None) and self.module.params['auth_kind'] != 'serviceaccount':
            self.module.fail_json(
                msg="Service Account File only works with Service Account-based authentication"
            ) 
Example 3
Project: ansible_collections_google   Author: ansible-collections   File: gcp_utils.py    GNU General Public License v3.0 6 votes vote down vote up
def _credentials(self):
        cred_type = self.module.params['auth_kind']
        if cred_type == 'application':
            credentials, project_id = google.auth.default(scopes=self.module.params['scopes'])
            return credentials
        elif cred_type == 'serviceaccount' and self.module.params.get('service_account_file'):
            path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
            return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
        elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'):
            try:
                cred = json.loads(self.module.params.get('service_account_contents'))
            except json.decoder.JSONDecodeError as e:
                self.module.fail_json(
                    msg="Unable to decode service_account_contents as JSON"
                )
            return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes'])
        elif cred_type == 'machineaccount':
            return google.auth.compute_engine.Credentials(
                self.module.params['service_account_email'])
        else:
            self.module.fail_json(msg="Credential type '%s' not implemented" % cred_type) 
Example 4
Project: dsub   Author: DataBiosphere   File: google_base.py    Apache License 2.0 6 votes vote down vote up
def retry_auth_check(exception, verbose):
  """Specific check for auth error codes.

  Return True if we should retry.

  False otherwise.
  Args:
    exception: An exception to test for transience.
    verbose: If true, output retry messages

  Returns:
    True if we should retry. False otherwise.
  """
  if isinstance(exception, googleapiclient.errors.HttpError):
    if exception.resp.status in HTTP_AUTH_ERROR_CODES:
      _print_retry_error(exception, verbose)
      return True

  return False 
Example 5
Project: dsub   Author: DataBiosphere   File: google_base.py    Apache License 2.0 6 votes vote down vote up
def setup_service(api_name, api_version, credentials=None):
  """Configures genomics API client.

  Args:
    api_name: Name of the Google API (for example: "genomics")
    api_version: Version of the API (for example: "v2alpha1")
    credentials: Credentials to be used for the gcloud API calls.

  Returns:
    A configured Google Genomics API client with appropriate credentials.
  """
  # dsub is not a server application, so it is ok to filter this warning.
  warnings.filterwarnings(
      'ignore', 'Your application has authenticated using end user credentials')
  if not credentials:
    credentials, _ = google.auth.default()
  return googleapiclient.discovery.build(
      api_name, api_version, credentials=credentials) 
Example 6
Project: open-recipe   Author: dspray95   File: _default.py    The Unlicense 6 votes vote down vote up
def _get_gcloud_sdk_credentials():
    """Gets the credentials and project ID from the Cloud SDK."""
    from google.auth import _cloud_sdk

    # Check if application default credentials exist.
    credentials_filename = (
        _cloud_sdk.get_application_default_credentials_path())

    if not os.path.isfile(credentials_filename):
        return None, None

    credentials, project_id = _load_credentials_from_file(
        credentials_filename)

    if not project_id:
        project_id = _cloud_sdk.get_project_id()

    return credentials, project_id 
Example 7
Project: airflow   Author: apache   File: test_base.py    Apache License 2.0 6 votes vote down vote up
def test_default_creds_with_scopes(self):
        self.instance.extras = {
            'extra__google_cloud_platform__project': default_project,
            'extra__google_cloud_platform__scope': (
                ','.join(
                    (
                        'https://www.googleapis.com/auth/bigquery',
                        'https://www.googleapis.com/auth/devstorage.read_only',
                    )
                )
            ),
        }

        credentials = self.instance._get_credentials()

        if not hasattr(credentials, 'scopes') or credentials.scopes is None:
            # Some default credentials don't have any scopes associated with
            # them, and that's okay.
            return

        scopes = credentials.scopes
        self.assertIn('https://www.googleapis.com/auth/bigquery', scopes)
        self.assertIn(
            'https://www.googleapis.com/auth/devstorage.read_only', scopes) 
Example 8
Project: airflow   Author: apache   File: test_base.py    Apache License 2.0 6 votes vote down vote up
def test_provided_scopes(self):
        self.instance.extras = {
            'extra__google_cloud_platform__project': default_project,
            'extra__google_cloud_platform__scope': (
                ','.join(
                    (
                        'https://www.googleapis.com/auth/bigquery',
                        'https://www.googleapis.com/auth/devstorage.read_only',
                    )
                )
            ),
        }

        self.assertEqual(
            self.instance.scopes,
            [
                'https://www.googleapis.com/auth/bigquery',
                'https://www.googleapis.com/auth/devstorage.read_only',
            ],
        ) 
Example 9
Project: Emotion-Evaluator   Author: Attriumph   File: _default.py    MIT License 6 votes vote down vote up
def _get_gcloud_sdk_credentials():
    """Gets the credentials and project ID from the Cloud SDK."""
    from google.auth import _cloud_sdk

    # Check if application default credentials exist.
    credentials_filename = (
        _cloud_sdk.get_application_default_credentials_path())

    if not os.path.isfile(credentials_filename):
        return None, None

    credentials, project_id = _load_credentials_from_file(
        credentials_filename)

    if not project_id:
        project_id = _cloud_sdk.get_project_id()

    return credentials, project_id 
Example 10
Project: Emotion-Evaluator   Author: Attriumph   File: _default.py    MIT License 6 votes vote down vote up
def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.
    from google.auth import compute_engine
    from google.auth.compute_engine import _metadata

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 
Example 11
Project: google-auth-library-python   Author: googleapis   File: test_grpc.py    Apache License 2.0 6 votes vote down vote up
def test_grpc_request_with_regular_credentials(http_request):
    credentials, project_id = google.auth.default()
    credentials = google.auth.credentials.with_scopes_if_required(
        credentials, ["https://www.googleapis.com/auth/pubsub"]
    )

    transport = publisher_grpc_transport.PublisherGrpcTransport(
        address=publisher_client.PublisherClient.SERVICE_ADDRESS,
        credentials=credentials,
    )

    # Create a pub/sub client.
    client = pubsub_v1.PublisherClient(transport=transport)

    # list the topics and drain the iterator to test that an authorized API
    # call works.
    list_topics_iter = client.list_topics(project="projects/{}".format(project_id))
    list(list_topics_iter) 
Example 12
Project: google-auth-library-python   Author: googleapis   File: test_grpc.py    Apache License 2.0 6 votes vote down vote up
def test_grpc_request_with_jwt_credentials():
    credentials, project_id = google.auth.default()
    audience = "https://pubsub.googleapis.com/google.pubsub.v1.Publisher"
    credentials = google.auth.jwt.Credentials.from_signing_credentials(
        credentials, audience=audience
    )

    transport = publisher_grpc_transport.PublisherGrpcTransport(
        address=publisher_client.PublisherClient.SERVICE_ADDRESS,
        credentials=credentials,
    )

    # Create a pub/sub client.
    client = pubsub_v1.PublisherClient(transport=transport)

    # list the topics and drain the iterator to test that an authorized API
    # call works.
    list_topics_iter = client.list_topics(project="projects/{}".format(project_id))
    list(list_topics_iter) 
Example 13
Project: google-auth-library-python   Author: googleapis   File: test_grpc.py    Apache License 2.0 6 votes vote down vote up
def test_grpc_request_with_on_demand_jwt_credentials():
    credentials, project_id = google.auth.default()
    credentials = google.auth.jwt.OnDemandCredentials.from_signing_credentials(
        credentials
    )

    transport = publisher_grpc_transport.PublisherGrpcTransport(
        address=publisher_client.PublisherClient.SERVICE_ADDRESS,
        credentials=credentials,
    )

    # Create a pub/sub client.
    client = pubsub_v1.PublisherClient(transport=transport)

    # list the topics and drain the iterator to test that an authorized API
    # call works.
    list_topics_iter = client.list_topics(project="projects/{}".format(project_id))
    list(list_topics_iter) 
Example 14
Project: Niallbot   Author: kafejo   File: _auth.py    MIT License 6 votes vote down vote up
def with_scopes(credentials, scopes):
    """Scopes the credentials if necessary.

    Args:
        credentials (Union[
            google.auth.credentials.Credentials,
            oauth2client.client.Credentials]): The credentials to scope.
        scopes (Sequence[str]): The list of scopes.

    Returns:
        Union[google.auth.credentials.Credentials,
            oauth2client.client.Credentials]: The scoped credentials.
    """
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        return google.auth.credentials.with_scopes_if_required(
            credentials, scopes)
    else:
        try:
            if credentials.create_scoped_required():
                return credentials.create_scoped(scopes)
            else:
                return credentials
        except AttributeError:
            return credentials 
Example 15
Project: GSIP   Author: NRCan   File: _default.py    MIT License 6 votes vote down vote up
def _get_gcloud_sdk_credentials():
    """Gets the credentials and project ID from the Cloud SDK."""
    from google.auth import _cloud_sdk

    # Check if application default credentials exist.
    credentials_filename = (
        _cloud_sdk.get_application_default_credentials_path())

    if not os.path.isfile(credentials_filename):
        return None, None

    credentials, project_id = _load_credentials_from_file(
        credentials_filename)

    if not project_id:
        project_id = _cloud_sdk.get_project_id()

    return credentials, project_id 
Example 16
Project: python-docs-samples   Author: GoogleCloudPlatform   File: samples_test.py    Apache License 2.0 6 votes vote down vote up
def test_client_library_query_bqstorage():
    # [START bigquery_migration_client_library_query_bqstorage]
    import google.auth
    from google.cloud import bigquery
    from google.cloud import bigquery_storage_v1beta1

    # Create a BigQuery client and a BigQuery Storage API client with the same
    # credentials to avoid authenticating twice.
    credentials, project_id = google.auth.default(
        scopes=["https://www.googleapis.com/auth/cloud-platform"]
    )
    client = bigquery.Client(credentials=credentials, project=project_id)
    bqstorage_client = bigquery_storage_v1beta1.BigQueryStorageClient(
        credentials=credentials
    )
    sql = "SELECT * FROM `bigquery-public-data.irs_990.irs_990_2012`"

    # Use a BigQuery Storage API client to download results more quickly.
    df = client.query(sql).to_dataframe(bqstorage_client=bqstorage_client)
    # [END bigquery_migration_client_library_query_bqstorage]
    assert len(df) > 0 
Example 17
Project: python-docs-samples   Author: GoogleCloudPlatform   File: main_test.py    Apache License 2.0 6 votes vote down vote up
def clients():
    # [START bigquerystorage_pandas_tutorial_all]
    # [START bigquerystorage_pandas_tutorial_create_client]
    import google.auth
    from google.cloud import bigquery
    from google.cloud import bigquery_storage_v1beta1

    # Explicitly create a credentials object. This allows you to use the same
    # credentials for both the BigQuery and BigQuery Storage clients, avoiding
    # unnecessary API calls to fetch duplicate authentication tokens.
    credentials, your_project_id = google.auth.default(
        scopes=["https://www.googleapis.com/auth/cloud-platform"]
    )

    # Make clients.
    bqclient = bigquery.Client(
        credentials=credentials,
        project=your_project_id,
    )
    bqstorageclient = bigquery_storage_v1beta1.BigQueryStorageClient(
        credentials=credentials
    )
    # [END bigquerystorage_pandas_tutorial_create_client]
    # [END bigquerystorage_pandas_tutorial_all]
    return bqclient, bqstorageclient 
Example 18
Project: python-docs-samples   Author: GoogleCloudPlatform   File: snippets.py    Apache License 2.0 6 votes vote down vote up
def implicit():
    import google.auth
    from google.auth.transport import requests

    # Get the credentials and project ID from the environment.
    credentials, project = google.auth.default(
        scopes=['https://www.googleapis.com/auth/cloud-platform'])

    # Create a requests Session object with the credentials.
    session = requests.AuthorizedSession(credentials)

    # Make an authenticated API request
    response = session.get(
        'https://www.googleapis.com/storage/v1/b'.format(project),
        params={'project': project})
    response.raise_for_status()
    buckets = response.json()
    print(buckets)
# [END auth_http_implicit]


# [START auth_http_explicit] 
Example 19
Project: python-docs-samples   Author: GoogleCloudPlatform   File: snippets.py    Apache License 2.0 6 votes vote down vote up
def explicit(project):
    from google.auth.transport import requests
    from google.oauth2 import service_account

    # Construct service account credentials using the service account key
    # file.
    credentials = service_account.Credentials.from_service_account_file(
        'service_account.json')
    credentials = credentials.with_scopes(
        ['https://www.googleapis.com/auth/cloud-platform'])

    # Create a requests Session object with the credentials.
    session = requests.AuthorizedSession(credentials)

    # Make an authenticated API request
    response = session.get(
        'https://www.googleapis.com/storage/v1/b'.format(project),
        params={'project': project})
    response.raise_for_status()
    buckets = response.json()
    print(buckets)
# [END auth_http_explicit] 
Example 20
Project: gcp-slack-init   Author: symphco   File: _default.py    MIT License 6 votes vote down vote up
def _get_gcloud_sdk_credentials():
    """Gets the credentials and project ID from the Cloud SDK."""
    from google.auth import _cloud_sdk

    # Check if application default credentials exist.
    credentials_filename = (
        _cloud_sdk.get_application_default_credentials_path())

    if not os.path.isfile(credentials_filename):
        return None, None

    credentials, project_id = _load_credentials_from_file(
        credentials_filename)

    if not project_id:
        project_id = _cloud_sdk.get_project_id()

    return credentials, project_id 
Example 21
Project: gcp-slack-init   Author: symphco   File: _default.py    MIT License 6 votes vote down vote up
def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.
    from google.auth import compute_engine
    from google.auth.compute_engine import _metadata

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 
Example 22
Project: bigquerylayers   Author: smandaric   File: _default.py    GNU General Public License v3.0 5 votes vote down vote up
def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk
    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 
Example 23
Project: bigquerylayers   Author: smandaric   File: _default.py    GNU General Public License v3.0 5 votes vote down vote up
def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    # While this library is normally bundled with app_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        import google.auth.app_engine as app_engine
    except ImportError:
        return None, None

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 
Example 24
Project: bigquerylayers   Author: smandaric   File: _default.py    GNU General Public License v3.0 5 votes vote down vote up
def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.

    # While this library is normally bundled with compute_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        from google.auth import compute_engine
        from google.auth.compute_engine import _metadata
    except ImportError:
        return None, None

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 
Example 25
Project: bigquerylayers   Author: smandaric   File: magics.py    GNU General Public License v3.0 5 votes vote down vote up
def credentials(self):
        """google.auth.credentials.Credentials: Credentials to use for queries
        performed through IPython magics

        Note:
            These credentials do not need to be explicitly defined if you are
            using Application Default Credentials. If you are not using
            Application Default Credentials, manually construct a
            :class:`google.auth.credentials.Credentials` object and set it as
            the context credentials as demonstrated in the example below. See
            `auth docs`_ for more information on obtaining credentials.

        Example:
            Manually setting the context credentials:

            >>> from google.cloud.bigquery import magics
            >>> from google.oauth2 import service_account
            >>> credentials = (service_account
            ...     .Credentials.from_service_account_file(
            ...         '/path/to/key.json'))
            >>> magics.context.credentials = credentials


        .. _auth docs: http://google-auth.readthedocs.io
            /en/latest/user-guide.html#obtaining-credentials
        """
        if self._credentials is None:
            self._credentials, _ = google.auth.default()
        return self._credentials 
Example 26
Project: cloud-profiler-python   Author: GoogleCloudPlatform   File: client.py    Apache License 2.0 5 votes vote down vote up
def setup_auth(self, project_id=None, service_account_json_file=None):
    """Sets up authentication with Google APIs.

    This will use the credentials from service_account_json_file if provided,
    falling back to application default credentials. See
    https://cloud.google.com/docs/authentication/production.

    Args:
      project_id: A string specifying the GCP project ID (e.g. my-project). If
        not provided, will attempt to retrieve it from the credentials.
      service_account_json_file: A string specifying the path to a service
        account json file. If not provided, will default to application default
        credentials.

    Returns:
      A string representing the project ID.
    """
    if service_account_json_file:
      self._credentials = (
          service_account.Credentials.from_service_account_file(
              service_account_json_file, scopes=_SCOPE))
      if not project_id:
        with open(service_account_json_file) as f:
          project_id = json.load(f).get('project_id')
    else:
      self._credentials, credentials_project_id = google.auth.default(
          scopes=_SCOPE)
      project_id = project_id or credentials_project_id
    return project_id 
Example 27
Project: multicloud-incident-response-navigator   Author: IBM   File: k8s_config.py    Apache License 2.0 5 votes vote down vote up
def load_kube_config() -> Tuple[bool, Exception]:
	"""
	Loads the user's kube-config

	:return: ((bool) whether or not exception ocurred while loading config,
			  (Exception) exception if google auth error thrown, or (str) "" if no google exception)
	"""

	try:
		config.load_kube_config()
	except google.auth.exceptions.RefreshError as e:
		return (False, e)
	else:
		return (True, "") 
Example 28
Project: open-recipe   Author: dspray95   File: _default.py    The Unlicense 5 votes vote down vote up
def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk
    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 
Example 29
Project: open-recipe   Author: dspray95   File: _default.py    The Unlicense 5 votes vote down vote up
def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    # While this library is normally bundled with app_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        import google.auth.app_engine as app_engine
    except ImportError:
        return None, None

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 
Example 30
Project: open-recipe   Author: dspray95   File: _default.py    The Unlicense 5 votes vote down vote up
def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.

    # While this library is normally bundled with compute_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        from google.auth import compute_engine
        from google.auth.compute_engine import _metadata
    except ImportError:
        return None, None

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 
Example 31
Project: AIY-voice-kit-python   Author: hellmanj   File: _speech.py    Apache License 2.0 5 votes vote down vote up
def make_channel(self):
        """Creates a secure channel."""

        request = google.auth.transport.requests.Request()
        target = self._api_host + ':443'

        if not self._checked:
            # Refresh now, to catch any errors early. Otherwise, they'll be
            # raised and swallowed somewhere inside gRPC.
            self._credentials.refresh(request)
            self._checked = True

        return google.auth.transport.grpc.secure_authorized_channel(
            self._credentials, request, target) 
Example 32
Project: AIY-voice-kit-python   Author: hellmanj   File: _speech.py    Apache License 2.0 5 votes vote down vote up
def do_request(self):
        """Establishes a connection and starts sending audio to the cloud
        endpoint. Responses are handled by the subclass until one returns a
        result.

        Returns:
            namedtuple with the following fields:
                transcript: string with transcript of user query
                response_audio: optionally, an audio response from the server

        Raises speech.Error on error.
        """
        try:
            service = self._make_service(self._channel_factory.make_channel())

            response_stream = self._create_response_stream(
                service, self._request_stream(), self.DEADLINE_SECS)

            if self._audio_logging_enabled:
                self._start_logging_request()

            return self._handle_response_stream(response_stream)
        except (
                google.auth.exceptions.GoogleAuthError,
                grpc.RpcError,
        ) as exc:
            raise Error('Exception in speech request') from exc 
Example 33
Project: AIY-voice-kit-python   Author: hellmanj   File: _speech.py    Apache License 2.0 5 votes vote down vote up
def __init__(self, credentials_file):
        os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = credentials_file
        credentials, _ = google.auth.default(scopes=[self.SCOPE])

        super().__init__('speech.googleapis.com', credentials)

        self.language_code = aiy.i18n.get_language_code()

        if not hasattr(cloud_speech, 'StreamingRecognizeRequest'):
            raise ValueError("cloud_speech_pb2.py doesn't have StreamingRecognizeRequest.")

        self._transcript = None 
Example 34
Project: AIY-voice-kit-python   Author: hellmanj   File: speech.py    Apache License 2.0 5 votes vote down vote up
def make_channel(self):
        """Creates a secure channel."""

        request = google.auth.transport.requests.Request()
        target = self._api_host + ':443'

        if not self._checked:
            # Refresh now, to catch any errors early. Otherwise, they'll be
            # raised and swallowed somewhere inside gRPC.
            self._credentials.refresh(request)
            self._checked = True

        return google.auth.transport.grpc.secure_authorized_channel(
            self._credentials, request, target) 
Example 35
Project: AIY-voice-kit-python   Author: hellmanj   File: speech.py    Apache License 2.0 5 votes vote down vote up
def do_request(self):
        """Establishes a connection and starts sending audio to the cloud
        endpoint. Responses are handled by the subclass until one returns a
        result.

        Returns:
            namedtuple with the following fields:
                transcript: string with transcript of user query
                response_audio: optionally, an audio response from the server

        Raises speech.Error on error.
        """
        try:
            service = self._make_service(self._channel_factory.make_channel())

            response_stream = self._create_response_stream(
                service, self._request_stream(), self.DEADLINE_SECS)

            if self._audio_logging_enabled:
                self._start_logging_request()

            return self._handle_response_stream(response_stream)
        except (
                google.auth.exceptions.GoogleAuthError,
                grpc.RpcError,
        ) as exc:
            raise Error('Exception in speech request') from exc 
Example 36
Project: a2ml   Author: augerai   File: a2ml.py    Apache License 2.0 5 votes vote down vote up
def evaluate(self):
        credentials, project = google.auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform'])
        authed_session = AuthorizedSession(credentials)
        basename="https://automl.googleapis.com/v1beta1/"
        cmd = basename + self.operation_name
        response=authed_session.get(cmd)
        result=json.loads(response.content)
        self.ctx.log("Operation name: {}".format(result["name"]))
     
        if (("done" in result.keys()) and result["done"]): 
            self.ctx.log("Model training complete.")
            self.model_name = result["response"]["name"]
            self.ctx.log("Model full name: {}".format(self.model_name))   
            self.ctx.config['google'].yaml['model_name'] = self.model_name
            self.ctx.config['google'].write()  
            response = self.client.list_model_evaluations(self.model_name)
            self.ctx.log("List of model evaluations:")
            for evaluation in response:
                self.ctx.log("Model evaluation name: {}".format(evaluation.name))
                self.ctx.log("Model evaluation id: {}".format(evaluation.name.split("/")[-1]))
                self.ctx.log("Model evaluation example count: {}".format(
                    evaluation.evaluated_example_count))
                self.ctx.log("Model evaluation time: {} seconds".format(evaluation.create_time.seconds))
                self.ctx.log("Full model evaluation: {}".format(inspect.getmembers(evaluation) ))
                self.ctx.log("\n")
        else:
            self.ctx.log("Model still training...") 
Example 37
Project: clusterfuzz   Author: google   File: modules.py    Apache License 2.0 5 votes vote down vote up
def _patch_appengine_modules_for_bots():
  """Patch out App Engine reliant behaviour from bots."""
  if os.getenv('SERVER_SOFTWARE'):
    # Not applicable on App Engine.
    return

  # google.auth uses App Engine credentials based on importability of
  # google.appengine.api.app_identity.
  try:
    from google.auth import app_engine as auth_app_engine
    if auth_app_engine.app_identity:
      auth_app_engine.app_identity = None
  except ImportError:
    pass 
Example 38
Project: pcml   Author: projectclarify   File: query.py    Apache License 2.0 5 votes vote down vote up
def get_google_open_id_connect_token(service_account_credentials):
  """
  Get an OpenID Connect token issued by Google for the service account.
  This function:
    1. Generates a JWT signed with the service account's private key containing
       a special "target_audience" claim.
    2. Sends it to the OAUTH_TOKEN_URI endpoint. Because the JWT in #1 has a
       target_audience claim, that endpoint will respond with an OpenID Connect
       token for the service account -- in other words, a JWT signed by
       *Google*. The aud claim in this JWT will be set to the value from the
       target_audience claim in #1.
  For more information, see
  https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
  The HTTP/REST example on that page describes the JWT structure and
  demonstrates how to call the token endpoint. (The example on that page shows
  how to get an OAuth2 access token; this code is using a modified version of it
  to get an OpenID Connect token.)
  """

  service_account_jwt = (
      service_account_credentials._make_authorization_grant_assertion())
  request = google.auth.transport.requests.Request()
  body = {
      'assertion': service_account_jwt,
      'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
  }
  token_response = google.oauth2._client._token_endpoint_request(
      request, OAUTH_TOKEN_URI, body)
  return token_response['id_token'] 
Example 39
Project: hangouts-chat-samples   Author: gsuitedevs   File: bot.py    Apache License 2.0 5 votes vote down vote up
def receive_messages():
    """Receives messages from a pull subscription."""

    scopes = ['https://www.googleapis.com/auth/chat.bot']
    credentials, project_id = google.auth.default()
    credentials = credentials.with_scopes(scopes=scopes)
    chat = build('chat', 'v1', credentials=credentials)

    subscription_id = os.environ.get('SUBSCRIPTION_ID')
    subscriber = pubsub_v1.SubscriberClient()
    subscription_path = subscriber.subscription_path(
        project_id, subscription_id)

    def callback(message):
        logging.info('Received message: %s', message.data)

        event = json.loads(message.data)
        space_name = event['space']['name']

        # If the bot was removed, we don't need to return a response.
        if event['type'] == 'REMOVED_FROM_SPACE':
            logging.info('Bot removed rom space %s', space_name)
            return

        response = format_response(event)

        # Send the asynchronous response back to Hangouts Chat
        chat.spaces().messages().create(
            parent=space_name,
            body=response).execute()
        message.ack()

    subscriber.subscribe(subscription_path, callback=callback)
    logging.info('Listening for messages on %s', subscription_path)

    # Keep main thread from exiting while waiting for messages
    while True:
        time.sleep(60) 
Example 40
Project: cosh   Author: i11   File: repositories.py    GNU General Public License v3.0 5 votes vote down vote up
def credentials(self):
    if not self.__credentials:
      warnings.filterwarnings("ignore",
                              "Your application has authenticated using end user credentials")
      if self.gcr_key_file:
        logging.debug('Using key file: %s' % self.gcr_key_file)
        self.__credentials = service_account.Credentials.from_service_account_file(
            self.gcr_key_file,
            scopes=['https://www.googleapis.com/auth/devstorage.read_write'])
      else:
        logging.debug('Using default credentials')
        self.__credentials, project = google.auth.default(
            scopes=['https://www.googleapis.com/auth/devstorage.read_write'])
    return self.__credentials 
Example 41
Project: cosh   Author: i11   File: repositories.py    GNU General Public License v3.0 5 votes vote down vote up
def token(self):
    self.credentials().refresh(google.auth.transport.requests.Request())
    return self.credentials().token 
Example 42
Project: airflow   Author: apache   File: test_base.py    Apache License 2.0 5 votes vote down vote up
def test_default_scopes(self):
        self.instance.extras = {'extra__google_cloud_platform__project': default_project}

        self.assertEqual(self.instance.scopes, ('https://www.googleapis.com/auth/cloud-platform',)) 
Example 43
Project: airflow   Author: apache   File: base.py    Apache License 2.0 5 votes vote down vote up
def _get_credentials(self) -> google.auth.credentials.Credentials:
        """
        Returns the Credentials object for Google API
        """
        credentials, _ = self._get_credentials_and_project_id()
        return credentials 
Example 44
Project: Emotion-Evaluator   Author: Attriumph   File: _default.py    MIT License 5 votes vote down vote up
def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk
    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 
Example 45
Project: Emotion-Evaluator   Author: Attriumph   File: _default.py    MIT License 5 votes vote down vote up
def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    from google.auth import app_engine

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 
Example 46
Project: Emotion-Evaluator   Author: Attriumph   File: _auth.py    MIT License 5 votes vote down vote up
def default_credentials():
    """Returns Application Default Credentials."""
    if HAS_GOOGLE_AUTH:
        credentials, _ = google.auth.default()
        return credentials
    elif HAS_OAUTH2CLIENT:
        return oauth2client.client.GoogleCredentials.get_application_default()
    else:
        raise EnvironmentError(
            'No authentication library is available. Please install either '
            'google-auth or oauth2client.') 
Example 47
Project: Emotion-Evaluator   Author: Attriumph   File: _auth.py    MIT License 5 votes vote down vote up
def authorized_http(credentials):
    """Returns an http client that is authorized with the given credentials.

    Args:
        credentials (Union[
            google.auth.credentials.Credentials,
            oauth2client.client.Credentials]): The credentials to use.

    Returns:
        Union[httplib2.Http, google_auth_httplib2.AuthorizedHttp]: An
            authorized http client.
    """
    from googleapiclient.http import build_http

    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        if google_auth_httplib2 is None:
            raise ValueError(
                'Credentials from google.auth specified, but '
                'google-api-python-client is unable to use these credentials '
                'unless google-auth-httplib2 is installed. Please install '
                'google-auth-httplib2.')
        return google_auth_httplib2.AuthorizedHttp(credentials,
                                                   http=build_http())
    else:
        return credentials.authorize(build_http()) 
Example 48
Project: Emotion-Evaluator   Author: Attriumph   File: _auth.py    MIT License 5 votes vote down vote up
def refresh_credentials(credentials):
    # Refresh must use a new http instance, as the one associated with the
    # credentials could be a AuthorizedHttp or an oauth2client-decorated
    # Http instance which would cause a weird recursive loop of refreshing
    # and likely tear a hole in spacetime.
    refresh_http = httplib2.Http()
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        request = google_auth_httplib2.Request(refresh_http)
        return credentials.refresh(request)
    else:
        return credentials.refresh(refresh_http) 
Example 49
Project: Emotion-Evaluator   Author: Attriumph   File: _auth.py    MIT License 5 votes vote down vote up
def apply_credentials(credentials, headers):
    # oauth2client and google-auth have the same interface for this.
    if not is_valid(credentials):
        refresh_credentials(credentials)
    return credentials.apply(headers) 
Example 50
Project: Emotion-Evaluator   Author: Attriumph   File: _auth.py    MIT License 5 votes vote down vote up
def is_valid(credentials):
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        return credentials.valid
    else:
        return (
            credentials.access_token is not None and
            not credentials.access_token_expired) 
Example 51
Project: google-auth-library-python   Author: googleapis   File: main.py    Apache License 2.0 5 votes vote down vote up
def test_default():
    credentials, project_id = google.auth.default()

    assert isinstance(credentials, app_engine.Credentials)
    assert project_id == app_identity.get_application_id() 
Example 52
Project: google-auth-library-python   Author: googleapis   File: _default.py    Apache License 2.0 5 votes vote down vote up
def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk

    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 
Example 53
Project: google-auth-library-python   Author: googleapis   File: _default.py    Apache License 2.0 5 votes vote down vote up
def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    # While this library is normally bundled with app_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        import google.auth.app_engine as app_engine
    except ImportError:
        return None, None

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 
Example 54
Project: google-auth-library-python   Author: googleapis   File: _default.py    Apache License 2.0 5 votes vote down vote up
def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.

    # While this library is normally bundled with compute_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        from google.auth import compute_engine
        from google.auth.compute_engine import _metadata
    except ImportError:
        return None, None

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 
Example 55
Project: Niallbot   Author: kafejo   File: _auth.py    MIT License 5 votes vote down vote up
def default_credentials():
    """Returns Application Default Credentials."""
    if HAS_GOOGLE_AUTH:
        credentials, _ = google.auth.default()
        return credentials
    elif HAS_OAUTH2CLIENT:
        return oauth2client.client.GoogleCredentials.get_application_default()
    else:
        raise EnvironmentError(
            'No authentication library is available. Please install either '
            'google-auth or oauth2client.') 
Example 56
Project: Niallbot   Author: kafejo   File: _auth.py    MIT License 5 votes vote down vote up
def authorized_http(credentials):
    """Returns an http client that is authorized with the given credentials.

    Args:
        credentials (Union[
            google.auth.credentials.Credentials,
            oauth2client.client.Credentials]): The credentials to use.

    Returns:
        Union[httplib2.Http, google_auth_httplib2.AuthorizedHttp]: An
            authorized http client.
    """
    from googleapiclient.http import build_http

    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        if google_auth_httplib2 is None:
            raise ValueError(
                'Credentials from google.auth specified, but '
                'google-api-python-client is unable to use these credentials '
                'unless google-auth-httplib2 is installed. Please install '
                'google-auth-httplib2.')
        return google_auth_httplib2.AuthorizedHttp(credentials,
                                                   http=build_http())
    else:
        return credentials.authorize(build_http()) 
Example 57
Project: Niallbot   Author: kafejo   File: _auth.py    MIT License 5 votes vote down vote up
def refresh_credentials(credentials):
    # Refresh must use a new http instance, as the one associated with the
    # credentials could be a AuthorizedHttp or an oauth2client-decorated
    # Http instance which would cause a weird recursive loop of refreshing
    # and likely tear a hole in spacetime.
    refresh_http = httplib2.Http()
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        request = google_auth_httplib2.Request(refresh_http)
        return credentials.refresh(request)
    else:
        return credentials.refresh(refresh_http) 
Example 58
Project: Niallbot   Author: kafejo   File: _auth.py    MIT License 5 votes vote down vote up
def apply_credentials(credentials, headers):
    # oauth2client and google-auth have the same interface for this.
    return credentials.apply(headers) 
Example 59
Project: polystores   Author: polyaxon   File: gc_client.py    MIT License 5 votes vote down vote up
def get_gc_credentials(key_path=None, keyfile_dict=None, scopes=None):
    """
    Returns the Credentials object for Google API
    """
    key_path = key_path or get_key_path()
    keyfile_dict = keyfile_dict or get_keyfile_dict()
    scopes = scopes or get_scopes()

    if scopes is not None:
        scopes = [s.strip() for s in scopes.split(',')]
    else:
        scopes = DEFAULT_SCOPES

    if not key_path and not keyfile_dict:
        logger.info('Getting connection using `google.auth.default()` '
                    'since no key file is defined for hook.')
        credentials, _ = google.auth.default(scopes=scopes)
    elif key_path:
        # Get credentials from a JSON file.
        if key_path.endswith('.json'):
            logger.info('Getting connection using a JSON key file.')
            credentials = Credentials.from_service_account_file(
                os.path.abspath(key_path), scopes=scopes)
        else:
            raise PolyaxonStoresException('Unrecognised extension for key file.')
    else:
        # Get credentials from JSON data.
        try:
            if not isinstance(keyfile_dict, Mapping):
                keyfile_dict = json.loads(keyfile_dict)

            # Convert escaped newlines to actual newlines if any.
            keyfile_dict['private_key'] = keyfile_dict['private_key'].replace('\\n', '\n')

            credentials = Credentials.from_service_account_info(keyfile_dict, scopes=scopes)
        except ValueError:  # json.decoder.JSONDecodeError does not exist on py2
            raise PolyaxonStoresException('Invalid key JSON.')

    return credentials 
Example 60
Project: pulse-data   Author: Recidiviz   File: cloud_function_utils.py    GNU General Public License v3.0 5 votes vote down vote up
def get_google_open_id_connect_token(
        service_account_credentials: google.oauth2.credentials.Credentials):
    """Get an OpenID Connect token issued by Google for the service account.
    """

    service_account_jwt = (
        service_account_credentials._make_authorization_grant_assertion())
    request = google.auth.transport.requests.Request()
    body = {
        'assertion': service_account_jwt,
        'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
    }
    token_response = google.oauth2._client._token_endpoint_request(
        request, _OAUTH_TOKEN_URI, body)
    return token_response['id_token'] 
Example 61
Project: GSIP   Author: NRCan   File: _default.py    MIT License 5 votes vote down vote up
def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk
    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 
Example 62
Project: GSIP   Author: NRCan   File: _default.py    MIT License 5 votes vote down vote up
def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    # While this library is normally bundled with app_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        import google.auth.app_engine as app_engine
    except ImportError:
        return None, None

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 
Example 63
Project: GSIP   Author: NRCan   File: _default.py    MIT License 5 votes vote down vote up
def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.

    # While this library is normally bundled with compute_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        from google.auth import compute_engine
        from google.auth.compute_engine import _metadata
    except ImportError:
        return None, None

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 
Example 64
Project: GSIP   Author: NRCan   File: _auth.py    MIT License 5 votes vote down vote up
def default_credentials():
    """Returns Application Default Credentials."""
    if HAS_GOOGLE_AUTH:
        credentials, _ = google.auth.default()
        return credentials
    elif HAS_OAUTH2CLIENT:
        return oauth2client.client.GoogleCredentials.get_application_default()
    else:
        raise EnvironmentError(
            'No authentication library is available. Please install either '
            'google-auth or oauth2client.') 
Example 65
Project: GSIP   Author: NRCan   File: _auth.py    MIT License 5 votes vote down vote up
def authorized_http(credentials):
    """Returns an http client that is authorized with the given credentials.

    Args:
        credentials (Union[
            google.auth.credentials.Credentials,
            oauth2client.client.Credentials]): The credentials to use.

    Returns:
        Union[httplib2.Http, google_auth_httplib2.AuthorizedHttp]: An
            authorized http client.
    """
    from googleapiclient.http import build_http

    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        if google_auth_httplib2 is None:
            raise ValueError(
                'Credentials from google.auth specified, but '
                'google-api-python-client is unable to use these credentials '
                'unless google-auth-httplib2 is installed. Please install '
                'google-auth-httplib2.')
        return google_auth_httplib2.AuthorizedHttp(credentials,
                                                   http=build_http())
    else:
        return credentials.authorize(build_http()) 
Example 66
Project: GSIP   Author: NRCan   File: _auth.py    MIT License 5 votes vote down vote up
def refresh_credentials(credentials):
    # Refresh must use a new http instance, as the one associated with the
    # credentials could be a AuthorizedHttp or an oauth2client-decorated
    # Http instance which would cause a weird recursive loop of refreshing
    # and likely tear a hole in spacetime.
    refresh_http = httplib2.Http()
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        request = google_auth_httplib2.Request(refresh_http)
        return credentials.refresh(request)
    else:
        return credentials.refresh(refresh_http) 
Example 67
Project: GSIP   Author: NRCan   File: _auth.py    MIT License 5 votes vote down vote up
def apply_credentials(credentials, headers):
    # oauth2client and google-auth have the same interface for this.
    if not is_valid(credentials):
        refresh_credentials(credentials)
    return credentials.apply(headers) 
Example 68
Project: GSIP   Author: NRCan   File: _auth.py    MIT License 5 votes vote down vote up
def is_valid(credentials):
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        return credentials.valid
    else:
        return (
            credentials.access_token is not None and
            not credentials.access_token_expired) 
Example 69
Project: budou   Author: google   File: nlapisegmenter.py    Apache License 2.0 5 votes vote down vote up
def _authenticate(self, cache_discovery):

    import google_auth_httplib2
    import googleapiclient.discovery

    scope = ['https://www.googleapis.com/auth/cloud-platform']
    if self.credentials_path:
      try:
        from google.oauth2 import service_account
        credentials = service_account.Credentials.from_service_account_file(
            self.credentials_path)
        scoped_credentials = credentials.with_scopes(scope)
      except ImportError:
        logging.error('Failed to load google.oauth2.service_account module. '
                      'If you are running this script in Google App Engine '
                      'environment, you can initialize the segmenter with '
                      'default credentials.')

    else:
      import google.auth
      scoped_credentials, _ = google.auth.default(scope)
    authed_http = google_auth_httplib2.AuthorizedHttp(scoped_credentials)
    service = googleapiclient.discovery.build(
        'language', 'v1beta2', http=authed_http,
        cache_discovery=cache_discovery)
    return service 
Example 70
Project: python-docs-samples   Author: GoogleCloudPlatform   File: authenticate_service_account_test.py    Apache License 2.0 5 votes vote down vote up
def mock_credentials(*args, **kwargs):
    credentials, _ = google.auth.default(
        ["https://www.googleapis.com/auth/cloud-platform"]
    )
    return credentials 
Example 71
Project: python-docs-samples   Author: GoogleCloudPlatform   File: get_client_id.py    Apache License 2.0 5 votes vote down vote up
def get_client_id(project_id, location, composer_environment):
    # [START composer_get_environment_client_id]
    import google.auth
    import google.auth.transport.requests
    import requests
    import six.moves.urllib.parse

    # Authenticate with Google Cloud.
    # See: https://cloud.google.com/docs/authentication/getting-started
    credentials, _ = google.auth.default(
        scopes=['https://www.googleapis.com/auth/cloud-platform'])
    authed_session = google.auth.transport.requests.AuthorizedSession(
        credentials)

    # project_id = 'YOUR_PROJECT_ID'
    # location = 'us-central1'
    # composer_environment = 'YOUR_COMPOSER_ENVIRONMENT_NAME'

    environment_url = (
        'https://composer.googleapis.com/v1beta1/projects/{}/locations/{}'
        '/environments/{}').format(project_id, location, composer_environment)
    composer_response = authed_session.request('GET', environment_url)
    environment_data = composer_response.json()
    airflow_uri = environment_data['config']['airflowUri']

    # The Composer environment response does not include the IAP client ID.
    # Make a second, unauthenticated HTTP request to the web server to get the
    # redirect URI.
    redirect_response = requests.get(airflow_uri, allow_redirects=False)
    redirect_location = redirect_response.headers['location']

    # Extract the client_id query parameter from the redirect.
    parsed = six.moves.urllib.parse.urlparse(redirect_location)
    query_string = six.moves.urllib.parse.parse_qs(parsed.query)
    print(query_string['client_id'][0])
    # [END composer_get_environment_client_id] 
Example 72
Project: python-docs-samples   Author: GoogleCloudPlatform   File: make_iap_request.py    Apache License 2.0 5 votes vote down vote up
def get_google_open_id_connect_token(service_account_credentials):
    """Get an OpenID Connect token issued by Google for the service account.

    This function:

      1. Generates a JWT signed with the service account's private key
         containing a special "target_audience" claim.

      2. Sends it to the OAUTH_TOKEN_URI endpoint. Because the JWT in #1
         has a target_audience claim, that endpoint will respond with
         an OpenID Connect token for the service account -- in other words,
         a JWT signed by *Google*. The aud claim in this JWT will be
         set to the value from the target_audience claim in #1.

    For more information, see
    https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
    The HTTP/REST example on that page describes the JWT structure and
    demonstrates how to call the token endpoint. (The example on that page
    shows how to get an OAuth2 access token; this code is using a
    modified version of it to get an OpenID Connect token.)
    """

    service_account_jwt = (
        service_account_credentials._make_authorization_grant_assertion())
    request = google.auth.transport.requests.Request()
    body = {
        'assertion': service_account_jwt,
        'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
    }
    token_response = google.oauth2._client._token_endpoint_request(
        request, OAUTH_TOKEN_URI, body)
    return token_response['id_token']

# [END iap_make_request] 
Example 73
Project: python-docs-samples   Author: GoogleCloudPlatform   File: composer_storage_trigger.py    Apache License 2.0 5 votes vote down vote up
def get_google_open_id_connect_token(service_account_credentials):
    """Get an OpenID Connect token issued by Google for the service account.

    This function:

      1. Generates a JWT signed with the service account's private key
         containing a special "target_audience" claim.

      2. Sends it to the OAUTH_TOKEN_URI endpoint. Because the JWT in #1
         has a target_audience claim, that endpoint will respond with
         an OpenID Connect token for the service account -- in other words,
         a JWT signed by *Google*. The aud claim in this JWT will be
         set to the value from the target_audience claim in #1.

    For more information, see
    https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
    The HTTP/REST example on that page describes the JWT structure and
    demonstrates how to call the token endpoint. (The example on that page
    shows how to get an OAuth2 access token; this code is using a
    modified version of it to get an OpenID Connect token.)
    """

    service_account_jwt = (
        service_account_credentials._make_authorization_grant_assertion())
    request = google.auth.transport.requests.Request()
    body = {
        'assertion': service_account_jwt,
        'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
    }
    token_response = google.oauth2._client._token_endpoint_request(
        request, OAUTH_TOKEN_URI, body)
    return token_response['id_token']
# END COPIED IAP CODE

# [END composer_trigger] 
Example 74
Project: gcp-slack-init   Author: symphco   File: _default.py    MIT License 5 votes vote down vote up
def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk
    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 
Example 75
Project: gcp-slack-init   Author: symphco   File: _default.py    MIT License 5 votes vote down vote up
def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    from google.auth import app_engine

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 
Example 76
Project: gcp-slack-init   Author: symphco   File: _auth.py    MIT License 5 votes vote down vote up
def default_credentials():
    """Returns Application Default Credentials."""
    if HAS_GOOGLE_AUTH:
        credentials, _ = google.auth.default()
        return credentials
    elif HAS_OAUTH2CLIENT:
        return oauth2client.client.GoogleCredentials.get_application_default()
    else:
        raise EnvironmentError(
            'No authentication library is available. Please install either '
            'google-auth or oauth2client.') 
Example 77
Project: gcp-slack-init   Author: symphco   File: _auth.py    MIT License 5 votes vote down vote up
def authorized_http(credentials):
    """Returns an http client that is authorized with the given credentials.

    Args:
        credentials (Union[
            google.auth.credentials.Credentials,
            oauth2client.client.Credentials]): The credentials to use.

    Returns:
        Union[httplib2.Http, google_auth_httplib2.AuthorizedHttp]: An
            authorized http client.
    """
    from googleapiclient.http import build_http

    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        if google_auth_httplib2 is None:
            raise ValueError(
                'Credentials from google.auth specified, but '
                'google-api-python-client is unable to use these credentials '
                'unless google-auth-httplib2 is installed. Please install '
                'google-auth-httplib2.')
        return google_auth_httplib2.AuthorizedHttp(credentials,
                                                   http=build_http())
    else:
        return credentials.authorize(build_http()) 
Example 78
Project: dsub   Author: DataBiosphere   File: google_base.py    Apache License 2.0 4 votes vote down vote up
def retry_api_check(exception, verbose):
  """Return True if we should retry. False otherwise.

  Args:
    exception: An exception to test for transience.
    verbose: If true, output retry messages

  Returns:
    True if we should retry. False otherwise.
  """
  if isinstance(exception, googleapiclient.errors.HttpError):
    if exception.resp.status in TRANSIENT_HTTP_ERROR_CODES:
      _print_retry_error(exception, verbose)
      return True

  if isinstance(exception, socket.error):
    if exception.errno in TRANSIENT_SOCKET_ERROR_CODES:
      _print_retry_error(exception, verbose)
      return True

  if isinstance(exception, google.auth.exceptions.RefreshError):
    _print_retry_error(exception, verbose)
    return True

  # For a given installation, this could be a permanent error, but has only
  # been observed as transient.
  if isinstance(exception, SSLError):
    _print_retry_error(exception, verbose)
    return True

  # This has been observed as a transient error:
  #   ServerNotFoundError: Unable to find the server at genomics.googleapis.com
  if isinstance(exception, ServerNotFoundError):
    _print_retry_error(exception, verbose)
    return True

  # Observed to be thrown transiently from auth libraries which use httplib2
  # Use the one from six because httlib no longer exists in Python3
  # https://docs.python.org/2/library/httplib.html
  if isinstance(exception, six.moves.http_client.ResponseNotReady):
    _print_retry_error(exception, verbose)
    return True

  return False 
Example 79
Project: pcml   Author: projectclarify   File: query.py    Apache License 2.0 4 votes vote down vote up
def get_service_account_token(client_id):
  """
  Get open id connect token for default service account.
  Returns:
    The open id connect token for default service account.
  """
  # Figure out what environment we're running in and get some preliminary
  # information about the service account.
  bootstrap_credentials, _ = google.auth.default(scopes=[IAM_SCOPE])
  if isinstance(bootstrap_credentials, google.oauth2.credentials.Credentials):
    raise Exception('make_iap_request is only supported for service '
                    'accounts.')
  elif isinstance(bootstrap_credentials, google.auth.app_engine.Credentials):
    requests_toolbelt.adapters.appengine.monkeypatch()

  # For service account's using the Compute Engine metadata service,
  # service_account_email isn't available until refresh is called.
  bootstrap_credentials.refresh(Request())

  signer_email = bootstrap_credentials.service_account_email
  if isinstance(bootstrap_credentials,
                google.auth.compute_engine.credentials.Credentials):
    # Since the Compute Engine metadata service doesn't expose the service
    # account key, we use the IAM signBlob API to sign instead.
    # In order for this to work:
    #
    # 1. Your VM needs the https://www.googleapis.com/auth/iam scope.
    #    You can specify this specific scope when creating a VM  through the API
    #    or gcloud. When using Cloud Console, you'll need to specify the
    #    "full access to all Cloud APIs" scope. A VM's scopes can only be
    #    specified at creation time.
    #
    # 2. The VM's default service account needs the "Service Account Actor"
    #    role. This can be found under the "Project" category in Cloud Console,
    #    or roles/iam.serviceAccountActor in gcloud.
    signer = google.auth.iam.Signer(Request(), bootstrap_credentials,
                                    signer_email)
  else:
    # A Signer object can sign a JWT using the service account's key.
    signer = bootstrap_credentials.signer

  # Construct OAuth 2.0 service account credentials using the signer and email
  # acquired from the bootstrap credentials.
  service_account_credentials = google.oauth2.service_account.Credentials(
      signer,
      signer_email,
      token_uri=OAUTH_TOKEN_URI,
      additional_claims={'target_audience': client_id})

  # service_account_credentials gives us a JWT signed by the service account.
  # Next, we use that to obtain an OpenID Connect token, which is a JWT signed
  # by Google.
  return get_google_open_id_connect_token(
      service_account_credentials), signer_email 
Example 80
Project: airflow   Author: apache   File: base.py    Apache License 2.0 4 votes vote down vote up
def _get_credentials_and_project_id(self) -> google.auth.credentials.Credentials:
        """
        Returns the Credentials object for Google API and the associated project_id
        """
        key_path = self._get_field('key_path', None)  # type: Optional[str]
        keyfile_dict = self._get_field('keyfile_dict', None)  # type: Optional[str]
        if not key_path and not keyfile_dict:
            self.log.info('Getting connection using `google.auth.default()` '
                          'since no key file is defined for hook.')
            credentials, project_id = google.auth.default(scopes=self.scopes)
        elif key_path:
            # Get credentials from a JSON file.
            if key_path.endswith('.json'):
                self.log.debug('Getting connection using JSON key file %s' % key_path)
                credentials = (
                    google.oauth2.service_account.Credentials.from_service_account_file(
                        key_path, scopes=self.scopes)
                )
                project_id = credentials.project_id
            elif key_path.endswith('.p12'):
                raise AirflowException('Legacy P12 key file are not supported, '
                                       'use a JSON key file.')
            else:
                raise AirflowException('Unrecognised extension for key file.')
        else:
            # Get credentials from JSON data provided in the UI.
            try:
                if not keyfile_dict:
                    raise ValueError("The keyfile_dict should be set")
                keyfile_dict_json: Dict[str, str] = json.loads(keyfile_dict)

                # Depending on how the JSON was formatted, it may contain
                # escaped newlines. Convert those to actual newlines.
                keyfile_dict_json['private_key'] = keyfile_dict_json['private_key'].replace(
                    '\\n', '\n')

                credentials = (
                    google.oauth2.service_account.Credentials.from_service_account_info(
                        keyfile_dict_json, scopes=self.scopes)
                )
                project_id = credentials.project_id
            except json.decoder.JSONDecodeError:
                raise AirflowException('Invalid key JSON.')

        if self.delegate_to:
            credentials = credentials.with_subject(self.delegate_to)

        overridden_project_id = self._get_field('project')
        if overridden_project_id:
            project_id = overridden_project_id

        return credentials, project_id