
Utility library for GCP Application Default Credentials

Project description

Inspect Google Application Default Credentials Tokens

Simple script which prints the principal (user, service account or federated identity) that Application Default Credentials currently resolve to, along with the project ID.

If you want a standalone script without importing the library, see the example/manual.py script in this repo.

  • stsinspect.py
from gcp_adc_util.inspect import ADCInspect

p = ADCInspect()

print(p.getProjectID())
print(p.getPrincipal())

Requires Python 3.11+.


User

gcloud auth application-default login

$ python3 stsinspect.py 
   admin@domain.com

With ServiceAccount JSON

$ export GOOGLE_APPLICATION_CREDENTIALS=/path/to/svc-account.json

$ python3 stsinspect.py
svc-account@PROJECT.iam.gserviceaccount.com

With GCE Metadata Server

python3 stsinspect.py 
  708288290784-compute@developer.gserviceaccount.com

With GCE Metadata Server Emulator

https://github.com/salrashid123/gce_metadata_server

export GCE_METADATA_HOST=localhost:8080
python3 stsinspect.py 
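
The metadata-server lookup behind the GCE case, as an added example that is not code from gcp_adc_util or from the gce_metadata_server emulator. It honours the same GCE_METADATA_HOST override the emulator section uses, sends the mandatory Metadata-Flavor: Google request header, and refuses data from anything that does not echo that header back. The fake server at the bottom is a constructed stand-in so the lookup runs offline; FAKE_EMAIL and FAKE_PROJECT are made-up values.

```python
"""Resolve the GCE default service account the way a VM workload does.

Added example (not gcp_adc_util or gce_metadata_server code). The fake metadata
server below is a constructed stand-in so the code runs offline.
"""
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_METADATA_HOST = "metadata.google.internal"  # 169.254.169.254 on a real VM
SA_PATH = "/computeMetadata/v1/instance/service-accounts/default/"

# Metadata traffic must never leave the host via an HTTP proxy, so ignore proxy env vars.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def metadata_host() -> str:
    """GCE_METADATA_HOST (e.g. localhost:8080 for the emulator) wins over the real host."""
    return os.environ.get("GCE_METADATA_HOST", DEFAULT_METADATA_HOST)


def fetch_metadata(path: str, host: str = "", timeout: float = 3.0) -> str:
    """GET a metadata path with the mandatory Metadata-Flavor: Google request header."""
    url = f"http://{host or metadata_host()}{path}"
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with _opener.open(req, timeout=timeout) as resp:
        # The real server and the emulator echo the header back. If whatever answered
        # on that host does not, it is not the metadata server: refuse to use the data.
        if resp.headers.get("Metadata-Flavor") != "Google":
            raise RuntimeError("endpoint did not identify itself as the metadata server")
        return resp.read().decode()


def gce_principal(host: str = "") -> str:
    """Email of the VM's default service account (NNN-compute@developer.gserviceaccount.com)."""
    return fetch_metadata(SA_PATH + "email", host).strip()


def probe_without_flavor(host: str, path: str = SA_PATH + "email") -> int:
    """HTTP status a request *without* the header receives. The metadata server answers
    403, which is what stops a browser or SSRF-style request from reading credentials."""
    try:
        with _opener.open(f"http://{host}{path}", timeout=3) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# --- constructed fake metadata server, offline stand-in for the emulator --------
FAKE_EMAIL = "123456789012-compute@developer.gserviceaccount.com"  # made-up value
FAKE_PROJECT = "example-project"                                   # made-up value


class _FakeMetadata(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_error(403, "Missing Metadata-Flavor:Google header")
            return
        if self.path == SA_PATH + "email":
            body = FAKE_EMAIL.encode()
        elif self.path == "/computeMetadata/v1/project/project-id":
            body = FAKE_PROJECT.encode()
        else:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Metadata-Flavor", "Google")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_metadata_server():
    """Bind the fake server on an ephemeral loopback port; returns (server, 'host:port')."""
    server = HTTPServer(("127.0.0.1", 0), _FakeMetadata)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    server, host = start_fake_metadata_server()
    os.environ["GCE_METADATA_HOST"] = host  # same override the emulator section uses
    print(gce_principal())                  # FAKE_EMAIL
    print(probe_without_flavor(host))       # 403
    server.shutdown()
```

Point GCE_METADATA_HOST at the real emulator (localhost:8080) instead of the fake server and `gce_principal()` returns whatever service account the emulator is configured to serve.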

Workload Federation OIDC using curl

export BASIC_AUTH_HEADER="MzI1NTU5NDA1NTkuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb206Wm1zc0xOakp5Mjk5OGhENENUZzJlanIy"

STS_TOKEN_INSPECT=$(curl -s https://sts.googleapis.com/v1/token -H "Authorization: Basic $BASIC_AUTH_HEADER" \
    --data-urlencode "audience=//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
    --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
    --data-urlencode "scope=https://www.googleapis.com/auth/cloud-platform" \
    --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:jwt" \
    --data-urlencode "subject_token=$SUBJECT_TOKEN" | jq -r .access_token)
echo $STS_TOKEN_INSPECT

curl -s -H "Authorization: Basic $BASIC_AUTH_HEADER" -H "Content-Type: application/json" --data "{\"token\":\"$STS_TOKEN_INSPECT\"}" https://sts.googleapis.com/v1/introspect
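
The same two calls in Python, as an added example that is not part of gcp_adc_util; it uses only the standard library. BASIC_AUTH_HEADER in the curl version is base64(client_id:client_secret) of an OAuth client, which the introspect endpoint needs for client authentication; `basic_auth_header` builds it from the two halves so the secret is never pasted into a script. `exchange_form` produces exactly the fields the `--data-urlencode` flags send (an RFC 8693 token exchange), and `principal_from_introspection` refuses a token the STS reports as inactive. Only `exchange_and_introspect` touches the network; PROJECT_NUMBER, POOL_ID, PROVIDER_ID and SUBJECT_TOKEN are assumed to be set as in the curl example.

```python
"""Google STS token exchange and introspection with the standard library.

Added example (not gcp_adc_util code). Request building and response parsing are
separated from the network call so they can be checked offline.
"""
import base64
import json
import urllib.parse
import urllib.request

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
STS_INTROSPECT_URL = "https://sts.googleapis.com/v1/introspect"

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def workload_audience(project_number: str, pool_id: str, provider_id: str) -> str:
    """Audience for a workload identity pool provider, as the curl example assembles it."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """base64(client_id:client_secret); the value behind BASIC_AUTH_HEADER."""
    return base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def exchange_form(audience: str, subject_token: str,
                  subject_token_type: str = JWT_TOKEN_TYPE,
                  scope: str = CLOUD_PLATFORM_SCOPE) -> dict:
    """RFC 8693 token-exchange body, field for field what the curl flags send."""
    return {
        "audience": audience,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "scope": scope,
        "subject_token_type": subject_token_type,
        "subject_token": subject_token,
    }


def principal_from_introspection(body: dict) -> str:
    """Federated principal from an introspection response; inactive tokens are rejected."""
    if not body.get("active"):
        raise ValueError("token is not active (expired, revoked or unknown to the STS)")
    username = body.get("username")
    if not username:
        raise ValueError("introspection response carries no username")
    return username


def _post(url: str, data: bytes, headers: dict) -> dict:
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_and_introspect(audience: str, subject_token: str, basic_auth: str,
                            subject_token_type: str = JWT_TOKEN_TYPE) -> str:
    """Live version of the two curl calls: needs network access and a real subject token."""
    form = urllib.parse.urlencode(exchange_form(audience, subject_token, subject_token_type))
    token = _post(STS_TOKEN_URL, form.encode(),
                  {"Authorization": f"Basic {basic_auth}",
                   "Content-Type": "application/x-www-form-urlencoded"})["access_token"]
    intro = _post(STS_INTROSPECT_URL, json.dumps({"token": token}).encode(),
                  {"Authorization": f"Basic {basic_auth}",
                   "Content-Type": "application/json"})
    return principal_from_introspection(intro)
```

The access token returned by the exchange is a bearer credential for the federated principal; introspecting it is how you confirm which `principal://` subject it maps to before handing it to anything else.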

Workload federation OIDC

see Simple GCP OIDC workload Federation using a fake oidc server

$ cat sts-creds.json 
{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/fake-oidc-pool-1/providers/fake-oidc-provider-1",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/tmp/oidccred.txt",
    "format": {
      "type": "text"
    }
  },
  "token_info_url": "https://sts.googleapis.com/v1/introspect"
}


$ export GOOGLE_APPLICATION_CREDENTIALS=`pwd`/sts-creds.json
$ python3 stsinspect.py 
   principal://iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/fake-oidc-pool-1/subject/alice@domain.com

Workload Federation mTLS

$ cat sts-creds-mtls.json 
{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/cert-pool-1/providers/cert-provider-1",
  "subject_token_type": "urn:ietf:params:oauth:token-type:mtls",
  "token_url": "https://sts.mtls.googleapis.com/v1/token",
  "credential_source": {
    "certificate": {
      "certificate_config_location": "/path/to/cert_config.json"
    }
  },
  "token_info_url": "https://sts.mtls.googleapis.com/v1/introspect"
}

$ export GOOGLE_APPLICATION_CREDENTIALS=`pwd`/sts-creds-mtls.json
$ python3 stsinspect.py 
  principal://iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/cert-pool-1/subject/workload3

Workload Federation with service_account_impersonation_url

$ cat sts-creds-mtls-impersonation.json 
{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/cert-pool-1/providers/cert-provider-1",
  "subject_token_type": "urn:ietf:params:oauth:token-type:mtls",
  "token_url": "https://sts.mtls.googleapis.com/v1/token",
  "credential_source": {
    "certificate": {
      "certificate_config_location": "/path/to/cert_config.json"
    }
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/wif-svc@core-eso.iam.gserviceaccount.com:generateAccessToken",
  "token_info_url": "https://sts.mtls.googleapis.com/v1/introspect"
}

$ export GOOGLE_APPLICATION_CREDENTIALS=`pwd`/sts-creds-mtls-impersonation.json

$ python3 stsinspect.py 
  wif-svc@core-eso.iam.gserviceaccount.com

Workforce Federation SAML

$ cat saml-creds.json 
{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/locations/global/workforcePools/wfpool-saml/providers/wfprovider-saml",
  "subject_token_type": "urn:ietf:params:oauth:token-type:saml2",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/tmp/samlassertion.txt",
    "format": {
      "type": "text"
    }
  },
  "workforce_pool_user_project": "core-eso",
  "token_info_url": "https://sts.googleapis.com/v1/introspect"
}

$ export GOOGLE_APPLICATION_CREDENTIALS=`pwd`/saml-creds.json
$ python3 stsinspect.py 
  principal://iam.googleapis.com/locations/global/workforcePools/wfpool-saml/subject/alice@domain.com

Workload Federation with AWS

see GCP Workload Identity Federation using AWS Credentials

$ cat sts-creds-aws.json
{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/aws-pool-1/providers/aws-provider-1",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  },
  "token_info_url": "https://sts.googleapis.com/v1/introspect"
}

export AWS_ACCESS_KEY_ID=AKIAUH-redacted
export AWS_SECRET_ACCESS_KEY=lIs-redacted
export AWS_DEFAULT_REGION=us-east-2

$  aws sts get-caller-identity
{
    "UserId": "AIDAUH-redacted",
    "Account": "291738886548",
    "Arn": "arn:aws:iam::291738886548:user/svcacct1"
}


$ export GOOGLE_APPLICATION_CREDENTIALS=`pwd`/sts-creds-aws.json
$ python3 stsinspect.py 
  principal://iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/aws-pool-1/subject/arn:aws:iam::291738886548:user/svcacct1
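
An offline inspector for the external_account files shown in the OIDC, mTLS, impersonation, SAML and AWS sections above, as an added example that is not code from gcp_adc_util. Without any network call it derives the identity the exchange would produce (the `principal://iam.googleapis.com/<pool>/subject/<subject>` form printed above, or the impersonated service account when service_account_impersonation_url is set) and flags a token_url, impersonation URL or AWS credential_source that does not point at the expected Google or EC2 endpoints, which is the check to run on any ADC file you did not write yourself, since the subject token or AWS signature is sent wherever token_url says. SAMPLE_OIDC and SAMPLE_IMPERSONATION are copied from the configs above; the warning rules are this example's own, not the library's.

```python
"""Offline inspection of an external_account ADC file (workload or workforce federation).

Added example (not gcp_adc_util code). No network I/O; the warning rules are the
example's own hygiene checks, not behaviour of the Google auth libraries.
"""
import re
from urllib.parse import urlparse

WORKLOAD_RE = re.compile(
    r"^//iam\.googleapis\.com/(projects/\d+/locations/[^/]+/workloadIdentityPools/[^/]+)/providers/[^/]+$")
WORKFORCE_RE = re.compile(
    r"^//iam\.googleapis\.com/(locations/[^/]+/workforcePools/[^/]+)/providers/[^/]+$")
IMPERSONATION_RE = re.compile(
    r"^https://iamcredentials(\.mtls)?\.googleapis\.com/v1/projects/[^/]+/serviceAccounts/([^/:]+):generateAccessToken$")
STS_HOSTS = {"sts.googleapis.com", "sts.mtls.googleapis.com"}
AWS_IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}


def principal_prefix(audience: str):
    """('workload'|'workforce', 'principal://iam.googleapis.com/<pool>/subject/')."""
    for kind, rx in (("workload", WORKLOAD_RE), ("workforce", WORKFORCE_RE)):
        m = rx.match(audience)
        if m:
            return kind, f"principal://iam.googleapis.com/{m.group(1)}/subject/"
    raise ValueError(f"audience is not a workload or workforce pool provider: {audience}")


def source_kind(src: dict) -> str:
    if "environment_id" in src:
        return "aws"
    for key in ("file", "url", "executable", "certificate"):
        if key in src:
            return key
    raise ValueError("unrecognised credential_source")


def inspect_external_account(cfg: dict) -> dict:
    if cfg.get("type") != "external_account":
        raise ValueError("not an external_account credential file")
    kind, prefix = principal_prefix(cfg["audience"])
    src = cfg.get("credential_source", {})
    report = {"pool_kind": kind, "subject_token_type": cfg.get("subject_token_type"),
              "source": source_kind(src), "impersonates": None,
              "principal_prefix": prefix, "warnings": []}
    warn = report["warnings"].append

    token_host = urlparse(cfg.get("token_url", "")).hostname
    if token_host not in STS_HOSTS:
        warn(f"token_url host {token_host!r} is not the Google STS: the subject token would go elsewhere")
    if str(cfg.get("subject_token_type", "")).endswith(":mtls") and token_host != "sts.mtls.googleapis.com":
        warn("mtls subject tokens must be exchanged at sts.mtls.googleapis.com")
    imp = cfg.get("service_account_impersonation_url")
    if imp:
        m = IMPERSONATION_RE.match(imp)
        if m:
            report["impersonates"] = m.group(2)   # the email printed when impersonation is configured
        else:
            warn("service_account_impersonation_url is not an iamcredentials.googleapis.com generateAccessToken URL")
    if kind == "workforce" and not cfg.get("workforce_pool_user_project"):
        warn("workforce_pool_user_project is missing; API calls need a quota project")
    if report["source"] == "aws":
        for key in ("region_url", "url"):
            if urlparse(src.get(key, "")).hostname not in AWS_IMDS_HOSTS:
                warn(f"credential_source.{key} does not point at the EC2 instance metadata service")
        if not str(src.get("regional_cred_verification_url", "")).startswith("https://sts.{region}.amazonaws.com"):
            warn("regional_cred_verification_url is not the regional AWS STS GetCallerIdentity endpoint")
    if report["source"] == "executable":
        warn("executable source runs a program named in the config (needs "
             "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1); review the command first")
    return report


def expected_principal(cfg: dict, subject: str) -> str:
    """What stsinspect.py prints: the impersonated SA email, else principal://.../subject/<subject>."""
    r = inspect_external_account(cfg)
    return r["impersonates"] or r["principal_prefix"] + subject


# Copied from the sts-creds.json and sts-creds-mtls-impersonation.json files shown above.
SAMPLE_OIDC = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/fake-oidc-pool-1/providers/fake-oidc-provider-1",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/tmp/oidccred.txt", "format": {"type": "text"}},
}
SAMPLE_IMPERSONATION = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/cert-pool-1/providers/cert-provider-1",
    "subject_token_type": "urn:ietf:params:oauth:token-type:mtls",
    "token_url": "https://sts.mtls.googleapis.com/v1/token",
    "credential_source": {"certificate": {"certificate_config_location": "/path/to/cert_config.json"}},
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/wif-svc@core-eso.iam.gserviceaccount.com:generateAccessToken",
}

if __name__ == "__main__":
    import json, sys
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_OIDC
    print(json.dumps(inspect_external_account(cfg), indent=2))
```

Run it with the path of any of the files above as its argument; an empty `warnings` list plus the expected `principal_prefix` or `impersonates` value is what you want to see before exporting that file as GOOGLE_APPLICATION_CREDENTIALS.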

Workload Federation with Azure

see Exchange Google and Firebase OIDC tokens for Azure STS

TODO: incorporate into gcloud alias for Application Default Credentials

Download files


Source Distribution

gcp_adc_util-0.0.1.tar.gz (8.9 kB)

Uploaded Source

Built Distribution


gcp_adc_util-0.0.1-py3-none-any.whl (9.3 kB)

Uploaded Python 3

File details

Details for the file gcp_adc_util-0.0.1.tar.gz.

File metadata

  • Download URL: gcp_adc_util-0.0.1.tar.gz
  • Size: 8.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for gcp_adc_util-0.0.1.tar.gz
Algorithm Hash digest
SHA256 61efcd9e59081a0314f0ce81858f08f551d60dd3a45829d22076d758cc93b6f8
MD5 34787d1d1ba44b0551b7b95abafe28fb
BLAKE2b-256 4677dd5daec257d8fe6e0b4407ddeb6d9b8371b4722a0227632b3a475af586dd


Provenance

The following attestation bundles were made for gcp_adc_util-0.0.1.tar.gz:

Publisher: release.yml on salrashid123/gcp_adc_util


File details

Details for the file gcp_adc_util-0.0.1-py3-none-any.whl.

File metadata

  • Download URL: gcp_adc_util-0.0.1-py3-none-any.whl
  • Size: 9.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for gcp_adc_util-0.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 ba67128922fd962eac7a210c430cd2d6ed82fecbf6f81b82ec0a41af42c7d1df
MD5 32da4507bf83573977e616e73b587d91
BLAKE2b-256 b4aba9112787d24c6e9850d14f79b5c829ae30eea6aa08b15239727fd62e70e1


Provenance

The following attestation bundles were made for gcp_adc_util-0.0.1-py3-none-any.whl:

Publisher: release.yml on salrashid123/gcp_adc_util

