feat: Support External Account Authorized User as a Source Credential…

… for impersonated credentials in ADC
googleapis · Oct 15, 2024 · ba81920 · ba81920
1 parent 484c8db
commit ba81920
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 1 deletion.
diff --git a/google/auth/_default.py b/google/auth/_default.py
@@ -472,6 +472,10 @@ def _get_impersonated_service_account_credentials(filename, info, scopes):
             source_credentials, _ = _get_service_account_credentials(
                 filename, source_credentials_info
             )
+        elif source_credentials_type == _EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE:
+            source_credentials, _ = _get_external_account_authorized_user_credentials(
+                filename, source_credentials_info
+            )
         else:
             raise exceptions.InvalidType(
                 "source credential of type {} is not supported.".format(
@@ -493,7 +497,7 @@ def _get_impersonated_service_account_credentials(filename, info, scopes):
             target_principal,
             scopes,
             delegates,
-            quota_project_id=quota_project_id,
+            quota_project_id=quota_project_id
         )
     except ValueError as caught_exc:
         msg = "Failed to load impersonated service account credentials from {}".format(

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/tests/data/impersonated_service_account_external_account_authorized_user_source.json b/tests/data/impersonated_service_account_external_account_authorized_user_source.json
@@ -0,0 +1,16 @@
+{
+    "delegates": [
+        "service-account-delegate@example.com"
+    ],
+    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/service-account-target@example.com:generateAccessToken",
+    "source_credentials": {
+        "type": "external_account_authorized_user",
+        "audience": "//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID",
+        "refresh_token": "refreshToken",
+        "token_url": "https://sts.googleapis.com/v1/oauth/token",
+        "token_info_url": "https://sts.googleapis.com/v1/instrospect",
+        "client_id": "clientId",
+        "client_secret": "clientSecret"
+    },
+    "type": "impersonated_service_account"
+}
diff --git a/tests/test__default.py b/tests/test__default.py
@@ -153,6 +153,10 @@
     DATA_DIR, "impersonated_service_account_service_account_source.json"
 )
 
+IMPERSONATED_SERVICE_ACCOUNT_EXTERNAL_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE = os.path.join(
+    DATA_DIR, "impersonated_service_account_external_account_authorized_user_source.json"
+)
+
 EXTERNAL_ACCOUNT_AUTHORIZED_USER_FILE = os.path.join(
     DATA_DIR, "external_account_authorized_user.json"
 )
@@ -365,6 +369,15 @@ def test_load_credentials_from_file_impersonated_with_service_account_source():
     assert not credentials._quota_project_id
 
 
+def test_load_credentials_from_file_impersonated_with_external_account_authorized_user_source():
+    credentials, _ = _default.load_credentials_from_file(
+        IMPERSONATED_SERVICE_ACCOUNT_EXTERNAL_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE
+    )
+    assert isinstance(credentials, impersonated_credentials.Credentials)
+    assert isinstance(credentials._source_credentials, external_account_authorized_user.Credentials)
+    assert not credentials._quota_project_id
+
+
 def test_load_credentials_from_file_impersonated_passing_quota_project():
     credentials, _ = _default.load_credentials_from_file(
         IMPERSONATED_SERVICE_ACCOUNT_SERVICE_ACCOUNT_SOURCE_FILE,