author | David Buxton <david@gasmark6.com> | 2020-10-29 21:26:11 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-29 17:26:11 -0400 |
commit | 0323cf390b16e8483660ac88775e8ea4e7f7702d (patch) | |
tree | 06a7b283f94af73a9e1081072a0d0dff313187dd /google/auth/compute_engine/_metadata.py | |
parent | d0a47c10ca0ef1712b415b9d9c34118ab8b6cfee (diff) | |
download | google-auth-library-python-0323cf390b16e8483660ac88775e8ea4e7f7702d.tar.gz |
feat: Add custom scopes for access tokens from the metadata service (#633)
This works for App Engine, Cloud Run and Flex. On Compute Engine you
can request custom scopes, but they are ignored.
Co-authored-by: Tres Seaver <tseaver@palladion.com>
Co-authored-by: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com>
Diffstat (limited to 'google/auth/compute_engine/_metadata.py')
-rw-r--r-- | google/auth/compute_engine/_metadata.py | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/google/auth/compute_engine/_metadata.py b/google/auth/compute_engine/_metadata.py
index 94e4ffb..5687a42 100644
--- a/google/auth/compute_engine/_metadata.py
+++ b/google/auth/compute_engine/_metadata.py
@@ -234,7 +234,7 @@ def get_service_account_info(request, service_account="default"):
 return get(request, path, params={"recursive": "true"})
-def get_service_account_token(request, service_account="default"):
+def get_service_account_token(request, service_account="default", scopes=None):
 """Get the OAuth 2.0 access token for a service account.
 Args:
@@ -243,7 +243,8 @@ def get_service_account_token(request, service_account="default"):
 service_account (str): The string 'default' or a service account email address. The determines which service account for which to acquire an access token.
-
+ scopes (Optional[Union[str, List[str]]]): Optional string or list of
+ strings with auth scopes.
 Returns:
 Union[str, datetime]: The access token and its expiration.
@@ -251,9 +252,15 @@ def get_service_account_token(request, service_account="default"):
 google.auth.exceptions.TransportError: if an error occurred while retrieving metadata.
 """
- token_json = get(
- request, "instance/service-accounts/{0}/token".format(service_account)
- )
+ if scopes:
+ if not isinstance(scopes, str):
+ scopes = ",".join(scopes)
+ params = {"scopes": scopes}
+ else:
+ params = None
+
+ path = "instance/service-accounts/{0}/token".format(service_account)
+ token_json = get(request, path, params=params)
 token_expiry = _helpers.utcnow() + datetime.timedelta(
 seconds=token_json["expires_in"]
 ) |
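Review bot: The new `scopes` entry in the docstring (second hunk) does not say that the metadata server may ignore the value, although the commit description states that custom scopes work on App Engine, Cloud Run and Flex and are ignored on Compute Engine. A caller that passes a narrow scope list to limit what the token can do gets no error in that case and, going by the description, presumably receives a token with the instance's own scopes, so the entry should carry the caveat, e.g. `Honoured on App Engine, Cloud Run and Flex; ignored on Compute Engine, so do not rely on it to narrow the token there.` The added lines also take the place of the blank line that separated the `Args:` entries from `Returns:`; a blank line after `strings with auth scopes.` keeps the two sections apart.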
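Review bot: The join in the new `if scopes:` branch (third hunk) passes each list element through unchecked, so an element that itself contains a comma reaches the metadata server as two scopes. Where the list is assembled from configuration or other external input, a check before the join such as `if any("," in s for s in scopes): raise ValueError("scope contains ','")` keeps the request to exactly the scopes the caller listed. The `isinstance(scopes, str)` test also sends every other text type down the join branch, where a single scope string would be joined character by character; that matters only if this module still has to accept Python 2 `unicode`, which the hunk does not show. The body of `get_service_account_token` starts above this hunk and continues below it.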