feat: use self-signed jwt for service account #665
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
google-cla
bot
added
the
cla: yes
busunkim96
commented
Jan 12, 2021
| @@ -277,7 +286,7 @@ class Scoped(ReadOnlyScoped): | |||
| """ | |||
|
|
|||
| @abc.abstractmethod | |||
| def with_scopes(self, scopes): | |||
| def with_scopes(self, scopes, default_scopes=None): | |||
There was a problem hiding this comment.
Is adding an additional optional parameter to an abstract method a breaking change?
There was a problem hiding this comment.
busunkim96
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
bshaffer
reviewed
Jan 19, 2021
…ibrary-python into self-signed-jwt
bshaffer
approved these changes
Jan 20, 2021
busunkim96
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
|
Looks like I accidentally removed the system tests from the presubmit last year 🤦♀️ . I was hoping it would be a small fix but it looks like some issues have piled up. I'll pull those changes into a separate PR and revisit this one later. |
busunkim96
added
the
automerge
gcf-merge-on-green
bot
removed
the
automerge
This was referenced Feb 3, 2021
gcf-merge-on-green bot
pushed a commit
to googleapis/python-spanner
that referenced
this pull request
Feb 5, 2021
The assertions for credential scope in the `client` unit tests were broken by [a PR in the auth library](googleapis/google-auth-library-python#665). This does raise the question of whether we should be asserting the scopes like this in this library. This PR fixes the assertions. Removal of these assertions can be done in a separate PR if it is decided they don't belong in this library.
busunkim96
added a commit
to googleapis/gapic-generator-python
that referenced
this pull request
Apr 21, 2021
See [RFC (internal only)](https://docs.google.com/document/d/1SNCVTmW6Rtr__u-_V7nsT9PhSzjj1z0P9fAD3YUgRoc/edit#) and https://aip.dev/auth/4111. Support the self-signed JWT flow for service accounts by passing `default_scopes` and `default_host` in calls to the auth library and `create_channel`. This depends on features exposed in the following PRs: googleapis/python-api-core#134, googleapis/google-auth-library-python#665. It may be easier to look at https://github.com/googleapis/python-translate/pull/107/files for a diff on a real library. This change is written so that the library is (temporarily) compatible with older `google-api-core` and `google-auth` versions. Because of this it not possible to reach 100% coverage on a single unit test run. `pytest` runs twice in two of the `nox` sessions. Miscellaneous changes: - sprinkled in `__init__.py` files in subdirs of the `test/` directory, as otherwise pytest-cov seems to fail to collect coverage properly in some instances. - new dependency on `packaging` for Version comparison https://pypi.org/project/packaging/ Co-authored-by: Brent Shaffer <betterbrent@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://google.aip.dev/auth/4111
Googlers see this doc for detailed design.
Create a self-signed JWT from the service account credentials when the following conditions are met:
default_scopesthat is separate fromscopes).api_endpointhas not been set by the user (taken care of in the GAPIC client library).Other Changes:
default_scopesto allScopedCredentials. For non-service account credentials, thedefault_scopesare used whenscopesis not set. Otherwise thedefault_scopesare ignored.This change is only being made to synchronous credentials and the gRPC transport. The async credentials and other transports will be handled in follow up PRs.