
Credentials and account types
-----------------------------

:class:`~credentials.Credentials` are the means of identifying an application or
user to a service or API. Credentials can be obtained with three different types

Credentials from service accounts identify a particular application. These types
of credentials are used in server-to-server use cases, such as accessing a
database. This library primarily focuses on service account credentials.

Credentials from user accounts are obtained by asking the user to authorize
access to their data. These types of credentials are used in cases where your
application needs access to a user's data in another service, such as accessing
obtaining user credentials, but does provide limited support for using user
credentials.

Credentials from external accounts (workload identity federation) are used to
identify a particular application from an on-prem or non-Google Cloud platform
Obtaining credentials
---------------------

.. _application-default:

Application default credentials

`Google Application Default Credentials`_ abstracts authentication across the
installed, :func:`default` can automatically determine the credentials from the

    credentials, project = google.auth.default()

If your application requires specific scopes::

    credentials, project = google.auth.default(
        scopes=['https://www.googleapis.com/auth/cloud-platform'])

Application Default Credentials also support workload identity federation to
access Google Cloud resources from non-Google Cloud platforms including Amazon
non-Google Cloud environments as it avoids the need to download, manage and

.. _Google Application Default Credentials:
    application-default-credentials
A service account private key file can be used to obtain credentials for a
service account. You can create a private key using the `Credentials page of the
credentials one of three ways:

.. code-block:: bash

   Then, use :ref:`application default credentials <application-default>`.
   :func:`default` checks for the ``GOOGLE_APPLICATION_CREDENTIALS``
   credentials you explicitly specify.

2. Use :meth:`service_account.Credentials.from_service_account_file
   <google.oauth2.service_account.Credentials.from_service_account_file>`::

       credentials = service_account.Credentials.from_service_account_file(

       scoped_credentials = credentials.with_scopes(
           ['https://www.googleapis.com/auth/cloud-platform'])

3. Use :meth:`service_account.Credentials.from_service_account_info
   <google.oauth2.service_account.Credentials.from_service_account_info>`::

       credentials = service_account.Credentials.from_service_account_info(

       scoped_credentials = credentials.with_scopes(
           ['https://www.googleapis.com/auth/cloud-platform'])

    https://console.cloud.google.com/apis/credentials
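The search order above (explicit ``GOOGLE_APPLICATION_CREDENTIALS`` first, then the gcloud well-known file, then the metadata server) and the dispatch on the JSON ``type`` field are what decide which credential class :func:`default` hands back. The following is an added example, not code from google-auth: a small re-implementation of the file-based part of that search, with a structural check on each file kind. It assumes the well-known path ``~/.config/gcloud/application_default_credentials.json`` and writes constructed sample files (no real key material) into a temporary directory so it runs offline.

```python
import json
import os
import tempfile
from pathlib import Path

# gcloud's well-known ADC location, relative to the user's home directory.
WELL_KNOWN_FILE = Path(".config") / "gcloud" / "application_default_credentials.json"
ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"

# Fields a service-account key file carries; "private_key" is the secret part.
SERVICE_ACCOUNT_KEYS = {"type", "client_email", "private_key", "token_uri"}


def classify_credential_file(path):
    """Return (kind, identity) for a credential JSON file, dispatching on the
    "type" field the way google.auth.default() does, with sanity checks."""
    with open(path, "r", encoding="utf-8") as fh:
        info = json.load(fh)
    kind = info.get("type")
    if kind == "service_account":
        missing = SERVICE_ACCOUNT_KEYS - set(info)
        if missing:
            raise ValueError(f"service account file missing {sorted(missing)}")
        if not info["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
            raise ValueError("private_key is not a PEM private key")
        return "service_account", info["client_email"]
    if kind == "authorized_user":
        return "authorized_user", info.get("client_id")
    if kind == "external_account":
        # Workload identity federation configs are metadata only: no secrets.
        if "private_key" in info:
            raise ValueError("external_account config must not carry key material")
        return "external_account", info.get("audience")
    raise ValueError(f"unsupported credential type: {kind!r}")


def discover(env, home):
    """Walk the file-based ADC search order. Returns (source, kind, identity),
    or None when neither location holds a file (the real default() would then
    query the metadata server)."""
    explicit = env.get(ENV_VAR)
    if explicit:
        # An explicit path that does not exist is an error, not a fall-through.
        if not os.path.exists(explicit):
            raise FileNotFoundError(f"{ENV_VAR} points at {explicit}, which does not exist")
        return ("env", *classify_credential_file(explicit))
    well_known = Path(home) / WELL_KNOWN_FILE
    if well_known.exists():
        return ("well_known", *classify_credential_file(well_known))
    return None


def make_demo_home():
    """Create a throwaway home dir holding constructed sample files (fake values)."""
    home = Path(tempfile.mkdtemp())
    (home / WELL_KNOWN_FILE).parent.mkdir(parents=True)
    (home / WELL_KNOWN_FILE).write_text(json.dumps({
        "type": "authorized_user",
        "client_id": "example-client-id.apps.googleusercontent.com",
        "client_secret": "not-a-real-secret",
        "refresh_token": "not-a-real-refresh-token",
    }))
    sa_file = home / "sa-key.json"
    sa_file.write_text(json.dumps({
        "type": "service_account",
        "client_email": "demo@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
        "token_uri": "https://oauth2.googleapis.com/token",
    }))
    return home, sa_file


if __name__ == "__main__":
    home, sa_file = make_demo_home()
    print(discover({ENV_VAR: str(sa_file)}, home))  # env var wins
    print(discover({}, home))                        # falls back to the well-known file
```

The point to notice is the precedence: an environment variable set in a deployment pipeline silently overrides whatever ``gcloud auth application-default login`` left on the machine, which is why a developer's laptop and a CI runner can end up acting as different principals with identical code.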
Engine flexible environment`_ can obtain credentials provided by `Compute
credentials for the service account one of two ways:

1. Use :ref:`application default credentials <application-default>`.
   :func:`default` will automatically detect if these credentials are available.

2. Use :class:`compute_engine.Credentials`::

       credentials = compute_engine.Credentials()

.. _Container Engine: https://cloud.google.com/container-engine
    https://cloud.google.com/compute/docs/access/service-accounts
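:class:`compute_engine.Credentials` gets its tokens from the instance metadata server, and the one protocol detail worth knowing is that the server refuses any request without the ``Metadata-Flavor: Google`` header, so a plain browser-initiated or SSRF-style fetch cannot read the token. The following added example (not part of google-auth) stands up a constructed stand-in for ``metadata.google.internal`` on localhost that enforces that header, and a client that fetches the default service account's token from the real endpoint path. The token value returned is made up.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN_PATH = "/computeMetadata/v1/instance/service-accounts/default/token"
# Constructed response body; a real metadata server returns a live token.
FAKE_TOKEN = {"access_token": "ya29.constructed-example", "expires_in": 3599, "token_type": "Bearer"}


class MetadataHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for metadata.google.internal: serves the token
    endpoint and, like the real server, rejects requests that do not carry
    the Metadata-Flavor: Google header."""

    def do_GET(self):
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_error(403, "Missing Metadata-Flavor:Google header")
            return
        if self.path.split("?")[0] != TOKEN_PATH:
            self.send_error(404)
            return
        body = json.dumps(FAKE_TOKEN).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_fake_metadata_server():
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), MetadataHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_token(base_url, send_flavor_header=True):
    """Client side of the exchange: ask the metadata server for the VM service
    account's access token. Returns the parsed JSON, or the HTTP status on failure."""
    req = Request(base_url + TOKEN_PATH)
    if send_flavor_header:
        req.add_header("Metadata-Flavor", "Google")
    try:
        with urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    server, base = start_fake_metadata_server()
    print(fetch_token(base))                            # token JSON
    print(fetch_token(base, send_flavor_header=False))  # 403
    server.shutdown()
```

Anything on the VM that can send that header can obtain the token, so the attached service account's roles are the effective blast radius of code execution on the instance; keep them minimal.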
credentials provided by the `App Engine App Identity API`_. You can obtain
credentials one of two ways:

1. Use :ref:`application default credentials <application-default>`.
   :func:`default` will automatically detect if these credentials are available.

2. Use :class:`app_engine.Credentials`::

       credentials = app_engine.Credentials()

credentials and transports provided by this library, you need to follow a few
in the `requests-toolbelt`_ library into your app, and enable the App Engine

    - name: ssl

.. _requests-toolbelt:
https://cloud.google.com/appengine/docs/standard/python/issue-requests
User credentials

User credentials are typically obtained via `OAuth 2.0`_. This library does not
provide any direct support for *obtaining* user credentials; however, you can
use user credentials with this library. You can use libraries such as
can create a :class:`google.oauth2.credentials.Credentials` instance::

    import google.oauth2.credentials

    credentials = google.oauth2.credentials.Credentials(

URI to allow the credentials to be automatically refreshed::

    credentials = google.oauth2.credentials.Credentials(

There is a separate library, `google-auth-oauthlib`_, that has some helpers
for integrating with `requests-oauthlib`_ to provide support for obtaining
user credentials. You can use
:class:`google.oauth2.credentials.Credentials` from a
2.0 Authorization Grant Flow to obtain credentials using `requests-oauthlib`_.

.. _google-auth-oauthlib:
    https://pypi.python.org/pypi/google-auth-oauthlib
.. _requests-oauthlib:
    https://requests-oauthlib.readthedocs.io/en/latest/
External credentials (Workload identity federation)

Using workload identity federation, your application can access Google Cloud

- A workload identity pool needs to be created.
- AWS needs to be added as an identity provider in the workload identity pool
- Permission to impersonate a service account needs to be granted to the
- A credential configuration file needs to be generated. Unlike service account
  contain non-sensitive metadata to instruct the library on how to retrieve

    https://cloud.google.com/iam/docs/access-resources-aws

- A workload identity pool needs to be created.
- Azure needs to be added as an identity provider in the workload identity pool
- The Azure tenant needs to be configured for identity federation.
- Permission to impersonate a service account needs to be granted to the
- A credential configuration file needs to be generated. Unlike service account
  contain non-sensitive metadata to instruct the library on how to retrieve

    https://cloud.google.com/iam/docs/access-resources-azure

- A workload identity pool needs to be created.
- An OIDC identity provider needs to be added in the workload identity pool
- Permission to impersonate a service account needs to be granted to the
- A credential configuration file needs to be generated. Unlike service account
  contain non-sensitive metadata to instruct the library on how to retrieve
  local file location (file-sourced credentials) or from a local server
  (URL-sourced credentials).

- For file-sourced credentials, a background process needs to be continuously
- For URL-sourced credentials, a local server needs to host a GET endpoint to

    https://cloud.google.com/iam/docs/access-resources-oidc

Application Default Credentials.
In order to use external identities with Application Default Credentials, you
need to generate the JSON credentials configuration file for your external

.. code-block:: bash

credentials from the context provided in the configuration file::

    credentials, project = google.auth.default()

When using external identities with Application Default Credentials,
This is needed since :func:`default` will try to auto-discover the project ID

For Azure and OIDC providers, use :meth:`identity_pool.Credentials.from_info
<google.auth.identity_pool.Credentials.from_info>` or
:meth:`identity_pool.Credentials.from_file
<google.auth.identity_pool.Credentials.from_file>`::

    credentials = identity_pool.Credentials.from_info(json_config_info)
    scoped_credentials = credentials.with_scopes(
        ['https://www.googleapis.com/auth/cloud-platform'])

For AWS providers, use :meth:`aws.Credentials.from_info
<google.auth.aws.Credentials.from_info>` or
:meth:`aws.Credentials.from_file
<google.auth.aws.Credentials.from_file>`::

    credentials = aws.Credentials.from_info(json_config_info)
    scoped_credentials = credentials.with_scopes(
        ['https://www.googleapis.com/auth/cloud-platform'])
Impersonated credentials

Impersonated Credentials allow one set of credentials issued to a user or service account
to impersonate another. The source credentials must be granted

    source_credentials = service_account.Credentials.from_service_account_file(

    target_credentials = impersonated_credentials.Credentials(
        target_principal='impersonated-account@_project_.iam.gserviceaccount.com',

    client = storage.Client(credentials=target_credentials)
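Both the workload identity federation section above and the impersonation section share one second step: a call to ``generateAccessToken`` on the target service account. The following added example (written for this page, not taken from google-auth) walks a file-sourced OIDC configuration through the two exchanges the library performs for :class:`identity_pool.Credentials`: the STS token exchange that trades the external token for a federated Google token, and the IAM Credentials impersonation call authorised with that federated token. It builds the request messages without sending them, so it runs offline. The pool, provider, project number, service account and token file in ``make_demo_config`` are constructed values; the endpoint URLs and the ``urn:ietf:params:oauth:...`` identifiers are the real RFC 8693 ones the STS endpoint expects.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlencode

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"


def load_external_account_config(path):
    """Parse a credential configuration file and refuse one that is not
    metadata-only: the whole point of federation is that no long-lived secret
    sits on disk."""
    info = json.loads(Path(path).read_text())
    if info.get("type") != "external_account":
        raise ValueError("not an external_account configuration")
    for forbidden in ("private_key", "client_secret", "refresh_token"):
        if forbidden in info:
            raise ValueError(f"configuration must not contain {forbidden}")
    for required in ("audience", "subject_token_type", "token_url", "credential_source"):
        if required not in info:
            raise ValueError(f"configuration missing {required}")
    return info


def read_subject_token(credential_source):
    """File-sourced credentials: the externally issued token is read from disk
    (a sidecar keeps that file fresh)."""
    if "file" not in credential_source:
        raise ValueError("only file-sourced credentials are handled here")
    return Path(credential_source["file"]).read_text().strip()


def build_sts_exchange(info, subject_token, scopes=(CLOUD_PLATFORM,)):
    """Step 1: form body POSTed to the STS endpoint. The audience names the
    pool/provider, so a token from any other provider is rejected server-side."""
    body = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "audience": info["audience"],
        "scope": " ".join(scopes),
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": subject_token,
        "subject_token_type": info["subject_token_type"],
    }
    return info["token_url"], urlencode(body)


def build_impersonation_call(info, federated_token, scopes=(CLOUD_PLATFORM,), lifetime_s=3600):
    """Step 2: generateAccessToken on the target service account, authorised
    with the federated token. Impersonated credentials send the same request,
    just with the source credential's token in the Authorization header."""
    url = info["service_account_impersonation_url"]
    headers = {"Authorization": f"Bearer {federated_token}",
               "Content-Type": "application/json"}
    body = {"scope": list(scopes), "lifetime": f"{lifetime_s}s"}
    return url, headers, body


def make_demo_config():
    """Write a constructed OIDC file-sourced configuration and a fake subject token."""
    d = Path(tempfile.mkdtemp())
    (d / "token").write_text("constructed.oidc.token\n")
    cfg = {
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/123456789/locations/global/"
                    "workloadIdentityPools/demo-pool/providers/demo-oidc",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": STS_TOKEN_URL,
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            "demo-sa@example-project.iam.gserviceaccount.com:generateAccessToken"),
        "credential_source": {"file": str(d / "token")},
    }
    (d / "config.json").write_text(json.dumps(cfg))
    return d / "config.json"


if __name__ == "__main__":
    cfg = load_external_account_config(make_demo_config())
    print(build_sts_exchange(cfg, read_subject_token(cfg["credential_source"])))
    print(build_impersonation_call(cfg, "federated-token-from-step-1"))
```

Two practical checks fall out of this: the configuration file can be committed or shipped in an image because it carries only the audience and endpoints, and the lifetime requested in step 2 is the lever for limiting how long a leaked impersonated token stays useful.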
Downscoped credentials

Identity and Access Management (IAM) permissions that a short-lived credential
generate these downscoped credentials from higher access source credentials and
pass the downscoped short-lived access tokens to a token consumer via some

.. _Credential Access Boundaries: https://cloud.google.com/iam/docs/downscoping-short-lived-credentials

    available_resource = '//storage.googleapis.com/projects/_/buckets/bucket-123'
    "resource.name.startsWith('projects/_/buckets/bucket-123/objects/customer-a')"

    # Retrieve the source credentials via ADC.
    source_credentials, _ = google.auth.default()

    # Create the downscoped credentials.
    downscoped_credentials = downscoped.Credentials(

The broker will instantiate downscoped credentials instances that can be used to
:class:`google.oauth2.credentials.Credentials` and used to initialize a storage client instance to

        scopes=['https://www.googleapis.com/auth/cloud-platform'])

    # Create the OAuth credentials from the downscoped token and pass a
    credentials = google.oauth2.credentials.Credentials(
        scopes=['https://www.googleapis.com/auth/cloud-platform'],

    # Initialize a storage client with the oauth2 credentials.
        project='my_project_id', credentials=credentials)

    # The token broker has readonly access to objects starting with "customer-a"
    # in bucket "bucket-123".
    bucket = storage_client.bucket('bucket-123')
    blob = bucket.blob('customer-a-data.txt')
    print(blob.download_as_bytes().decode("utf-8"))

Another reason to use downscoped credentials is to ensure tokens in flight

    # Create the downscoped credentials.
    downscoped_credentials = downscoped.Credentials(
        project='my_project_id', credentials=downscoped_credentials)
    # If the source credentials have elevated levels of access, the
    # starting with "customer-a" in bucket "bucket-123".
    bucket = storage_client.bucket('bucket-123')
    blob = bucket.blob('customer-a-data.txt')
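What a Credential Access Boundary actually restricts is easiest to see with the rule written out and evaluated. The following added example (not google-auth's own code) builds the boundary for the ``bucket-123`` / ``customer-a`` case above in the JSON shape the STS exchange carries (``accessBoundary`` / ``accessBoundaryRules`` with ``availableResource``, ``availablePermissions`` and an ``availabilityCondition`` CEL expression), then evaluates requests against it locally. The evaluator is a simulation of the server-side check, limited to ``startsWith`` conditions and to comparing role strings directly; it exists to make the two properties visible: an object outside the prefix, another bucket, or a permission not in the rule is denied, and the result is always the intersection with what the source credential could do, never more.

```python
import re

STORAGE_PREFIX = "//storage.googleapis.com/projects/_/buckets/"
OBJECT_VIEWER = "inRole:roles/storage.objectViewer"


def access_boundary(bucket, object_prefix=None, permissions=(OBJECT_VIEWER,)):
    """Build the boundary with one rule: the given roles on one bucket,
    optionally narrowed to object names under a prefix."""
    rule = {
        "availableResource": STORAGE_PREFIX + bucket,
        "availablePermissions": list(permissions),
    }
    if object_prefix is not None:
        rule["availabilityCondition"] = {
            "expression": (f"resource.name.startsWith("
                           f"'projects/_/buckets/{bucket}/objects/{object_prefix}')")
        }
    return {"accessBoundary": {"accessBoundaryRules": [rule]}}


_STARTS_WITH = re.compile(r"^resource\.name\.startsWith\('([^']*)'\)$")


def _rule_allows(rule, bucket, object_name, permission):
    if rule["availableResource"] != STORAGE_PREFIX + bucket:
        return False
    if permission not in rule["availablePermissions"]:
        return False
    cond = rule.get("availabilityCondition")
    if cond is None:
        return True
    m = _STARTS_WITH.match(cond["expression"])
    if not m:
        raise ValueError("only startsWith conditions are modelled here")
    return f"projects/_/buckets/{bucket}/objects/{object_name}".startswith(m.group(1))


def is_allowed(boundary, source_permissions, bucket, object_name, permission=OBJECT_VIEWER):
    """Simulated decision for a downscoped token: allowed only if the source
    credential holds the permission AND some boundary rule grants it on that
    bucket with the object name satisfying the rule's condition."""
    if permission not in source_permissions:
        return False  # downscoping can only remove access, never add it
    rules = boundary["accessBoundary"]["accessBoundaryRules"]
    return any(_rule_allows(r, bucket, object_name, permission) for r in rules)


if __name__ == "__main__":
    boundary = access_boundary("bucket-123", "customer-a")
    broker = {OBJECT_VIEWER, "inRole:roles/storage.objectAdmin"}
    print(is_allowed(boundary, broker, "bucket-123", "customer-a-data.txt"))  # True
    print(is_allowed(boundary, broker, "bucket-123", "customer-b-data.txt"))  # False
```

The second property is the one the paragraph on tokens in flight relies on: even though the broker holds ``objectAdmin``, a consumer that is handed the downscoped token cannot write, and a token stolen from the consumer buys the thief nothing beyond ``customer-a`` reads on one bucket.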
If your application runs on `App Engine`_, `Cloud Run`_, `Compute Engine`_, or
has application default credentials set via `GOOGLE_APPLICATION_CREDENTIALS`

A sample end-to-end flow using an ID Token against a Cloud Run endpoint may be::

    target_audience = 'https://your-cloud-run-app.a.run.app'
    url = 'https://your-cloud-run-app.a.run.app'
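The reason ``target_audience`` must equal the Cloud Run service URL is that the receiving side checks the ``aud`` claim before trusting the token, so a token minted for one service cannot be replayed against another. The following added example (not google-auth's code) shows the claim checks a receiver performs after signature verification: issuer, audience bound to its own URL, and lifetime. It constructs an *unsigned* token purely to have something to parse; real Google ID tokens are RS256-signed, and the signature check that this example deliberately leaves out is what :func:`google.oauth2.id_token.verify_token` does against Google's published keys. The audience and timestamps below are made-up values.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_unsigned_id_token(claims):
    """Constructed token for the example: header.payload with an empty
    signature segment. Never accept such a token in real code."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_id_token_claims(token, expected_audience, now=None, leeway_s=10):
    """Claim checks performed after the signature has been verified. Returns the
    claims, or raises ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch: token was minted for another service")
    if claims.get("exp", 0) + leeway_s < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) - leeway_s > now:
        raise ValueError("token used before it was issued")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def claims_check_error(token, expected_audience, now=None):
    """Convenience wrapper: the failure reason as a string, or None if accepted."""
    try:
        check_id_token_claims(token, expected_audience, now=now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    aud = "https://your-cloud-run-app.a.run.app"
    now = 1_700_000_000
    good = make_unsigned_id_token({"iss": "https://accounts.google.com", "aud": aud,
                                   "sub": "1234", "iat": now - 60, "exp": now + 3540})
    replayed = make_unsigned_id_token({"iss": "https://accounts.google.com",
                                       "aud": "https://other-service.a.run.app",
                                       "sub": "1234", "iat": now - 60, "exp": now + 3540})
    print(claims_check_error(good, aud, now))      # None
    print(claims_check_error(replayed, aud, now))  # audience mismatch
```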
-----------------------------

Once you have credentials you can attach them to a *transport*. You can then
use this transport to make authenticated requests to APIs. google-auth supports
several different transports. Typically, it's up to your application or an

    authed_session = AuthorizedSession(credentials)

.. _Requests: http://docs.python-requests.org/en/master/
.. _Session: http://docs.python-requests.org/en/master/user/advanced/#session-objects

used with google-auth. urllib3's interface isn't as high-level as Requests but

    authed_http = AuthorizedHttp(credentials)

    authed_http = AuthorizedHttp(credentials, http)
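Whichever transport you pick, it does the same three things around every request: refresh the credentials when no valid token is held, attach ``Authorization: Bearer <token>``, and, if the server answers 401, refresh and retry a bounded number of times. The following added example is a simulation written for this page, not the code of ``AuthorizedSession`` or ``AuthorizedHttp``: ``DemoCredentials`` is a constructed stand-in exposing the ``token`` / ``valid`` / ``refresh()`` members a credentials object provides, ``send`` stands in for the raw HTTP layer, and ``make_fake_server`` is a constructed backend that accepts a configurable set of tokens so both expiry-driven and 401-driven refresh can be exercised offline. The retry bound is this example's own, not a claim about the library's defaults.

```python
import time


class DemoCredentials:
    """Constructed stand-in for a google.auth credentials object."""

    def __init__(self, lifetime_s=3600, now=time.time):
        self._now = now
        self._lifetime = lifetime_s
        self.token = None
        self.expiry = 0.0
        self.refresh_count = 0

    @property
    def valid(self):
        return self.token is not None and self._now() < self.expiry

    def refresh(self):
        # A real credential would call its token endpoint here.
        self.refresh_count += 1
        self.token = f"token-{self.refresh_count}"
        self.expiry = self._now() + self._lifetime


def authorized_request(credentials, send, method, url, max_refresh_attempts=2):
    """Authenticated request loop: refresh if needed, attach the bearer header,
    and on 401 refresh and retry until max_refresh_attempts refreshes are used.
    `send(method, url, headers) -> (status, body)` is the raw transport."""
    retries = 0
    while True:
        if not credentials.valid:
            credentials.refresh()
        headers = {"Authorization": f"Bearer {credentials.token}"}
        status, body = send(method, url, headers)
        if status != 401 or retries >= max_refresh_attempts - 1:
            return status, body
        retries += 1
        credentials.token = None  # server rejected it: force a refresh before retrying


def make_fake_server(accepted_tokens):
    """Constructed backend: 200 for an accepted bearer token, 401 otherwise."""
    def send(method, url, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in accepted_tokens:
            return 401, "unauthorized"
        return 200, f"ok {method} {url}"
    return send


if __name__ == "__main__":
    clock = [1000.0]
    creds = DemoCredentials(now=lambda: clock[0])
    print(authorized_request(creds, make_fake_server({"token-1", "token-2"}), "GET", "/v1/x"))
    clock[0] += 4000  # token-1 has expired: the next call refreshes before sending
    print(authorized_request(creds, make_fake_server({"token-2"}), "GET", "/v1/y"), creds.refresh_count)
```

The bound on retries matters operationally: without it a revoked service account turns every request into an unbounded refresh loop against the token endpoint.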
google-auth can provide `Call Credentials`_ for gRPC. The easiest way to do
this is to use google-auth to create the gRPC channel::

        credentials, http_request, 'pubsub.googleapis.com:443')

be used. Additionally, if you know that your credentials do not need to
:class:`jwt.Credentials`) then you can specify ``None``.

    metadata_plugin = AuthMetadataPlugin(credentials, http_request)

    # Create SSL channel credentials.

    # Combine the ssl credentials and the authorization credentials.

        pubsub_pb2.ListTopicsRequest(project='your-project'))

    https://developers.google.com/protocol-buffers/docs/overview
.. _Call Credentials: