Google Cloud client library for kiarina namespace
Project description
kiarina-lib-google-auth
A Python library for Google Cloud authentication with configuration management using pydantic-settings-manager.
Features
- Multiple Authentication Methods: Default credentials (ADC), service accounts, and user accounts
- Service Account Impersonation: Delegated access with configurable scopes
- Configuration Management: Flexible configuration with pydantic-settings-manager
- Credentials Caching: Automatic caching and refresh for user accounts
- Self-Signed JWT: Generate JWTs for service account authentication
- Type Safety: Full type hints and Pydantic validation
Installation
pip install kiarina-lib-google-auth
Quick Start
Default Credentials (ADC)
from kiarina.lib.google.auth import get_credentials
# Uses Application Default Credentials
credentials = get_credentials()
Service Account
from kiarina.lib.google.auth import get_credentials, GoogleAuthSettings
# From key file
credentials = get_credentials(
settings=GoogleAuthSettings(
type="service_account",
service_account_file="~/path/to/key.json"
)
)
# From JSON data
credentials = get_credentials(
settings=GoogleAuthSettings(
type="service_account",
service_account_data='{"type":"service_account",...}'
)
)
User Account (OAuth2)
# From authorized user file
credentials = get_credentials(
settings=GoogleAuthSettings(
type="user_account",
authorized_user_file="~/.config/gcloud/application_default_credentials.json",
scopes=["https://www.googleapis.com/auth/drive"]
)
)
Service Account Impersonation
# Impersonate a service account
credentials = get_credentials(
settings=GoogleAuthSettings(
type="service_account",
service_account_file="~/source-key.json",
impersonate_service_account="target@project.iam.gserviceaccount.com",
scopes=["https://www.googleapis.com/auth/cloud-platform"]
)
)
Note: Source principal requires roles/iam.serviceAccountTokenCreator role.
Credentials Caching
from kiarina.lib.google.auth import CredentialsCache
class InMemoryCache(CredentialsCache):
def __init__(self):
self._cache: str | None = None
def get(self) -> str | None:
return self._cache
def set(self, value: str) -> None:
self._cache = value
# Use cache for user account credentials
credentials = get_credentials(
settings=GoogleAuthSettings(
type="user_account",
authorized_user_file="~/authorized-user.json",
scopes=["https://www.googleapis.com/auth/drive"]
),
cache=InMemoryCache()
)
Self-Signed JWT
from kiarina.lib.google.auth import get_self_signed_jwt
jwt_token = get_self_signed_jwt(
settings=GoogleAuthSettings(
type="service_account",
service_account_file="~/key.json"
),
audience="https://your-service.example.com/"
)
Configuration
YAML Configuration (Recommended)
kiarina.lib.google.auth:
development:
type: user_account
authorized_user_file: ~/.config/gcloud/application_default_credentials.json
scopes:
- https://www.googleapis.com/auth/cloud-platform
production:
type: service_account
service_account_file: /secrets/prod-sa-key.json
project_id: your-project-id
scopes:
- https://www.googleapis.com/auth/cloud-platform
impersonation:
type: service_account
service_account_file: ~/source-key.json
impersonate_service_account: target@project.iam.gserviceaccount.com
scopes:
- https://www.googleapis.com/auth/cloud-platform
Load configuration:
from pydantic_settings_manager import load_user_configs
import yaml
with open("config.yaml") as f:
config = yaml.safe_load(f)
load_user_configs(config)
# Use configured credentials
from kiarina.lib.google.auth import get_credentials
credentials = get_credentials("production")
Environment Variables
export KIARINA_LIB_GOOGLE_AUTH_TYPE="service_account"
export KIARINA_LIB_GOOGLE_AUTH_SERVICE_ACCOUNT_FILE="~/key.json"
export KIARINA_LIB_GOOGLE_AUTH_PROJECT_ID="your-project-id"
export KIARINA_LIB_GOOGLE_AUTH_SCOPES="https://www.googleapis.com/auth/cloud-platform"
Programmatic Configuration
from kiarina.lib.google.auth import settings_manager
settings_manager.user_config = {
"dev": {
"type": "user_account",
"authorized_user_file": "~/.config/gcloud/application_default_credentials.json"
},
"prod": {
"type": "service_account",
"service_account_file": "/secrets/key.json"
}
}
settings_manager.active_key = "prod"
credentials = get_credentials()
API Reference
Main Functions
get_credentials(settings_key=None, *, settings=None, scopes=None, cache=None)
Get Google Cloud credentials based on configuration.
Parameters:
settings_key(str | None): Configuration key for multi-config setupsettings(GoogleAuthSettings | None): Settings object (overrides settings_key)scopes(list[str] | None): OAuth2 scopes (overrides settings.scopes)cache(CredentialsCache | None): Credentials cache for user accounts
Returns: Credentials - Google Cloud credentials
get_self_signed_jwt(settings_key=None, *, settings=None, audience)
Generate a self-signed JWT for service account authentication.
Parameters:
settings_key(str | None): Configuration keysettings(GoogleAuthSettings | None): Settings objectaudience(str): JWT audience (target service URL)
Returns: str - Self-signed JWT token
Utility Functions
get_default_credentials()
Get default credentials using Application Default Credentials (ADC).
Returns: Credentials
get_service_account_credentials(*, service_account_file=None, service_account_data=None)
Get service account credentials from file or data.
Returns: google.oauth2.service_account.Credentials
get_user_account_credentials(*, authorized_user_file=None, authorized_user_data=None, scopes, cache=None)
Get user account credentials from file or data with optional caching.
Returns: google.oauth2.credentials.Credentials
Configuration
GoogleAuthSettings
Pydantic settings model for authentication configuration.
Key Fields:
type: Authentication type ("default","service_account","user_account")service_account_file: Path to service account key fileservice_account_data: Service account key data (JSON string, SecretStr)authorized_user_file: Path to authorized user fileauthorized_user_data: Authorized user data (JSON string, SecretStr)impersonate_service_account: Target service account email for impersonationscopes: OAuth2 scopes (default: cloud-platform, drive, spreadsheets)project_id: GCP project ID
Helper Methods:
get_service_account_data(): Parse service_account_data JSONget_client_secret_data(): Parse client_secret_data JSONget_authorized_user_data(): Parse authorized_user_data JSON
CredentialsCache (Protocol)
Protocol for implementing credentials cache.
Methods:
get() -> str | None: Retrieve cached credentials (JSON string)set(value: str) -> None: Store credentials (JSON string)
Authentication Priority
Default Credentials
Uses Application Default Credentials (ADC) in this order:
GOOGLE_APPLICATION_CREDENTIALSenvironment variable (service account)gcloud auth application-default logincredentials (user account)- Compute Engine metadata server (compute engine)
Default Scopes
https://www.googleapis.com/auth/cloud-platform- All GCP resourceshttps://www.googleapis.com/auth/drive- Google Drivehttps://www.googleapis.com/auth/spreadsheets- Google Sheets
Override by specifying custom scopes in configuration or function call.
Testing
Setup Test Configuration
# Copy sample configuration
cp packages/kiarina-lib-google-auth/test_settings.sample.yaml \
packages/kiarina-lib-google-auth/test_settings.yaml
# Edit with your credentials
# Set environment variable
export KIARINA_LIB_GOOGLE_AUTH_TEST_SETTINGS_FILE="packages/kiarina-lib-google-auth/test_settings.yaml"
Run Tests
# Run all checks
mise run package kiarina-lib-google-auth
# Run tests with coverage
mise run package:test kiarina-lib-google-auth --coverage
Dependencies
- google-api-python-client - Google API client
- pydantic-settings - Settings management
- pydantic-settings-manager - Advanced settings management
License
MIT License - see the LICENSE file for details.
Related Projects
- kiarina-python - Main monorepo
- pydantic-settings-manager - Configuration management library
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file kiarina_lib_google_auth-1.36.0.tar.gz.
File metadata
- Download URL: kiarina_lib_google_auth-1.36.0.tar.gz
- Upload date:
- Size: 10.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
84c55fe2ccbeaa11b45e05f34e511c4ee9d23d2eb37df111fb4dda95a037aef4
|
|
| MD5 |
d652d3256dd85dfd94ecccf41afefbaf
|
|
| BLAKE2b-256 |
661e4afc54b190b6312b5dc653e51a641cabe2beee39780e6f829b708892c338
|
File details
Details for the file kiarina_lib_google_auth-1.36.0-py3-none-any.whl.
File metadata
- Download URL: kiarina_lib_google_auth-1.36.0-py3-none-any.whl
- Upload date:
- Size: 10.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
831e185f4e9e76d4596beb53553bc5b05e154bc0c167b37c80673ca2c6226693
|
|
| MD5 |
c63c69a1a6d065ecbb2ee4bd7e25a8c7
|
|
| BLAKE2b-256 |
6d4dd8730bf4b267913e8ff2c050f5ba5fe890d86bba152929fc75df6c8e200a
|
