Last active
August 15, 2025 21:34
-
-
Save dhermes/22b16856a47d3f0719d5b006f07d5470 to your computer and use it in GitHub Desktop.
[2025-08-15] Proof-of-concept: impersonate service account (for signing) with Python `google-auth`
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import datetime | |
| import os | |
| import google.auth | |
| import google.auth.compute_engine | |
| import google.auth.credentials | |
| import google.auth.impersonated_credentials | |
| import google.auth.transport.requests | |
| import google.cloud.storage | |
| import google.oauth2.credentials | |
| import google.oauth2.service_account | |
| _ENV_IMPERSONATE = "CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT" | |
| _EXAMPLE_BUCKET = "..." | |
| _EXAMPLE_BLOB = "..." | |
| def _get_machine_identity_email( | |
| credentials: google.auth.compute_engine.Credentials, project: str | |
| ) -> str: | |
| service_account_email = credentials.service_account_email | |
| if service_account_email != "default": | |
| return service_account_email | |
| return f"{project}@appspot.gserviceaccount.com" | |
| def _get_service_account_credentials() -> google.auth.credentials.Signing: | |
| credentials, project = google.auth.default() | |
| impersonate_target = os.environ.get(_ENV_IMPERSONATE) | |
| if isinstance(credentials, google.auth.compute_engine.Credentials): | |
| if impersonate_target is not None: | |
| raise RuntimeError( | |
| "Application default as machine identity not yet supported with impersonate" | |
| ) | |
| service_account_email = _get_machine_identity_email(credentials, project) | |
| id_token_credentials = google.auth.compute_engine.IDTokenCredentials( | |
| request=google.auth.transport.requests.Request(), | |
| target_audience="", | |
| service_account_email=service_account_email, | |
| ) | |
| return id_token_credentials | |
| if isinstance(credentials, google.oauth2.service_account.Credentials): | |
| if impersonate_target is not None: | |
| raise RuntimeError( | |
| "Application default as service account not yet supported with impersonate" | |
| ) | |
| return credentials | |
| if isinstance(credentials, google.oauth2.credentials.Credentials): | |
| if impersonate_target is None: | |
| raise RuntimeError(f"Must provide {_ENV_IMPERSONATE} environment variable") | |
| return google.auth.impersonated_credentials.Credentials( | |
| source_credentials=credentials, | |
| target_principal=impersonate_target, | |
| target_scopes=["https://www.googleapis.com/auth/cloud-platform"], | |
| ) | |
| raise NotImplementedError(type(credentials)) | |
| def main(): | |
| credentials = _get_service_account_credentials() | |
| print(credentials.service_account_email) | |
| signed = credentials.sign_bytes(b"s3kr!t") | |
| print(signed) | |
| client = google.cloud.storage.Client() | |
| bucket = client.bucket(_EXAMPLE_BUCKET) | |
| blob = bucket.blob(_EXAMPLE_BLOB) | |
| signed_url = blob.generate_signed_url( | |
| method="GET", | |
| expiration=datetime.timedelta(minutes=5), | |
| credentials=credentials, | |
| version="v2", | |
| ) | |
| print(signed_url) | |
| if __name__ == "__main__": | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment