Lines Matching +full:x +full:- +full:access +full:- +full:token

7 #      http://www.apache.org/licenses/LICENSE-2.0
17 This module provides credentials to access Google Cloud resources from Amazon
20 of long-live service account private keys.
27 file to retrieve credentials and exchange them for Google access tokens.
33 `AWS STS GetCallerIdentity`_ API that can be exchanged for Google access tokens
36 .. _AWS Signature Version 4: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
63 _AWS_ALGORITHM = "AWS4-HMAC-SHA256"
65 # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
67 # The AWS authorization header name for the security session token if available.
68 _AWS_SECURITY_TOKEN_HEADER = "x-amz-security-token"
69 # The AWS authorization header name for the auto-generated date.
70 _AWS_DATE_HEADER = "x-amz-date"
76 https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
149 # Add x-amz-date if available.
152 # Append additional optional headers, eg. X-Amz-Target, Content-Type, etc.
156 # Add session token if available.
169 https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
181 quote_key = urllib.parse.quote(key, safe="-_.~")
187 urllib.parse.quote(item, safe="-_.~")
203 """Creates the HMAC-SHA256 hash of the provided message using the provided
207 key (str): The HMAC-SHA256 key to use.
213 return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
219 https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
222 key (str): The AWS secret access key.
230 k_date = _sign(("AWS4" + key).encode("utf-8"), date_stamp)
258 access_key (str): The AWS access key ID.
259 secret_key (str): The AWS secret access key.
260 security_token (Optional[str]): The AWS security session token. This is
269 This contains the x-amz-date and authorization header information.
272 # sts.us-east-2.amazonaws.com host => sts service.
283 # Add AWS session token if available.
289 # Do not use generated x-amz-date if the date header is provided.
290 # Previously the date was not fixed with x-amz- and could be provided
292 …b/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-header-value-trim.req
306 payload_hash = hashlib.sha256((request_payload or "").encode("utf-8")).hexdigest()
308 # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
322 # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
327 hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
330 # https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
333 signing_key, string_to_sign.encode("utf-8"), hashlib.sha256
336 # https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html
342 # Do not use generated x-amz-date if the date header is provided.
351 AWS STS GetCallerIdentity service for Google access tokens.
371 subject_token_type (str): The subject token type.
375 to be exchanged for Google access tokens.
384 Google client library. Use 'scopes' for user-defined scopes.
388 access token retrieval logic.
435 """Retrieves the subject token using the credential_source object.
436 The subject token is a serialized `AWS GetCallerIdentity signed request`_.
441 environment variable or from the AWS metadata server availability-zone
445 from the AWS metadata server security-credentials endpoint.
448 security-credentials endpoint, the AWS role needs to be determined by
449 calling the security-credentials endpoint without any argument. Then the
450 credentials can be retrieved via: security-credentials/role_name
454 Inject x-goog-cloud-target-resource into header and serialize the
455 signed request. This will be the subject-token to pass to GCP STS.
458 https://cloud.google.com/iam/docs/access-resources-aws#exchange-token
464 str: The retrieved subject token.
484 # {key: 'x-amz-date', value: '...'},
492 # headers: [{key: 'x-amz-date', value: '...'}, ...]
499 request_headers["x-goog-cloud-target-resource"] = self._target_resource
552 response.data.decode("utf-8")
562 # This endpoint will return the region in format: us-east-2b.
563 # Only the us-east-2 part should be used.
564 return response_body[:-1]
584 # https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html
607 "security_token": credentials.get("Token"),
629 headers = {"Content-Type": "application/json"}
638 response.data.decode("utf-8")
677 response.data.decode("utf-8")
729 with io.open(filename, "r", encoding="utf-8") as json_file: