
A set of custom plugins for Google Authentication Library

Project description

Google Auth Plugins Python Library


This library, built on top of Google's official SDK, aims to provide features that the official library does not implement, for whatever reason.

A common reason is that the feature is not a priority on the SDK's roadmap.

⚠️ This project doesn't want or plan to replace the official SDK but rather to be a space for experimentation providing beta features (because security does have to wait).

I hope that the features available in this repo will be integrated in the official library for the common good.


Main difference with google-auth

For security reasons, this project will always drop support for a Python version as soon as that version's security support ends.

As an example, version 2.16.1 of google-auth, released on 2023-02-17, still supports Python 3.6 [1].

Installation

google-auth-plugins requires Python 3.7 or newer, and can be installed directly via pip:

python3 -m venv venv && source venv/bin/activate
python -m pip install google-auth-plugins

Usage

Domain-wide delegation credentials

A bit of context

As stated in this issue, it is currently not possible to produce delegated credentials via an impersonated identity.

To put it another way, today the only way to obtain those credentials is with a service account key 🤯.

Given the importance of this kind of service account, it seems relevant to limit long-term credentials as much as possible in order to protect against leaks.

Domain-wide delegation credentials allow that.

Please find below an example:

import google.auth
from google_auth_plugins import dwd_credentials

target_scopes = ["https://www.googleapis.com/auth/calendar.readonly"]
subject = "john.doe@pamplemousse.com"

# The impersonated service account must grant `Service Account Token Creator`
# to the identity represented by source_credentials
source_credentials, _ = google.auth.default()

delegated_credentials = dwd_credentials.Credentials(
    subject=subject,
    source_credentials=source_credentials,
    target_principal="dwd-impersonated-account@_project_.iam.gserviceaccount.com",
    target_scopes=target_scopes,
)

Alternatively, if source_credentials is the service account with domain-wide delegation, you can omit target_principal.

# Reuses the imports, subject and target_scopes from the previous example
source_credentials, _ = google.auth.default()

delegated_credentials = dwd_credentials.Credentials(
    subject=subject,
    source_credentials=source_credentials,
    target_scopes=target_scopes,
)

Finally, you can switch the delegated subject as shown below:

alice_delegated_creds = dwd_credentials.Credentials(
    subject="alice@example.com",
    source_credentials=source_credentials,
    target_scopes=target_scopes,
)

# with_subject() returns credentials for another user, reusing the same source and scopes
bob_delegated_creds = alice_delegated_creds.with_subject("bob@example.com")

Note: this module is heavily inspired by Johannes Passing's blog post 🚀.
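The keyless flow behind this section, as an added example (not code from this library; that the plugin follows exactly this sequence is an assumption): the delegation assertion is signed through the IAM Credentials signJwt API instead of a downloaded private key, then exchanged at Google's OAuth token endpoint. The helper names are hypothetical, and the two requests are only built, not sent.

```python
import json
import time
from urllib.parse import quote, urlencode

TOKEN_URI = "https://oauth2.googleapis.com/token"
SIGN_JWT_URI = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                "serviceAccounts/{}:signJwt")
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_dwd_claims(service_account, subject, scopes, now=None, lifetime=300):
    """Claim set of the assertion: iss is the delegated service account, sub the user."""
    if not scopes:
        raise ValueError("at least one scope is required")
    if not 0 < lifetime <= 3600:  # Google rejects assertions valid for more than 1 hour
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    iat = int(time.time() if now is None else now)
    return {
        "iss": service_account,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + lifetime,
    }


def build_sign_jwt_request(service_account, claims):
    """Step 1: Google signs the claims with the account's Google-managed key.

    The caller authenticates with its own short-lived token and needs
    `Service Account Token Creator` on service_account; no key file exists.
    """
    body = {"payload": json.dumps(claims, separators=(",", ":"))}
    return SIGN_JWT_URI.format(quote(service_account, safe="@")), body


def build_token_request(signed_jwt):
    """Step 2: exchange the signed assertion for an access token acting as `sub`."""
    return TOKEN_URI, urlencode({"grant_type": JWT_BEARER, "assertion": signed_jwt})


if __name__ == "__main__":
    # Constructed sample values, reusing the identities shown on this page.
    sa = "dwd-impersonated-account@_project_.iam.gserviceaccount.com"
    scopes = ["https://www.googleapis.com/auth/calendar.readonly"]
    claims = build_dwd_claims(sa, "john.doe@pamplemousse.com", scopes)
    print(build_sign_jwt_request(sa, claims))
```
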

Tests

make test


Source Distribution

google-auth-plugins-1.0.1rc0.tar.gz (11.0 kB view details)

Uploaded Source

Built Distribution


google_auth_plugins-1.0.1rc0-py3-none-any.whl (11.4 kB view details)

Uploaded Python 3

File details

Details for the file google-auth-plugins-1.0.1rc0.tar.gz.

File metadata

  • Download URL: google-auth-plugins-1.0.1rc0.tar.gz
  • Upload date:
  • Size: 11.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.11.2

File hashes

Hashes for google-auth-plugins-1.0.1rc0.tar.gz
Algorithm Hash digest
SHA256 b92f42abbf3126191da6a9b4af800b95709a5239ae1ac5b3d737aa06ae29f3f9
MD5 44e8c69fbd006981d16d8e9e5adcc8af
BLAKE2b-256 e6948ca048e3bbbe25905f702c0226414b3b025b40b4abe8764542a306334b3c


File details

Details for the file google_auth_plugins-1.0.1rc0-py3-none-any.whl.

File metadata

File hashes

Hashes for google_auth_plugins-1.0.1rc0-py3-none-any.whl
Algorithm Hash digest
SHA256 d937e6501322ea95e24a0864066d92191532afe6fe40d3d95553a800e9cd932b
MD5 18f03b07d0f35c7c229de3ec48c83116
BLAKE2b-256 df52464b46a1c67ca135077b2770c8f9f4751ac447ab6a8a9fb45851daf6ab53
