Identity and Access Management
See the official GCP IAM API documentation here: link.
- class bibt.gcp.iam.classes.Client(credentials=None)
A credentials client may be used to generate access tokens and credentials objects compatible with Google APIs.
- Parameters:
credentials (google.oauth2.credentials.Credentials) – A credentials object to override the default behavior of attempting to create credentials using the inferred gcloud environment. You probably do NOT need to supply this in most cases. Defaults to None.
- get_access_token(target_acct, scopes=['https://www.googleapis.com/auth/cloud-platform'])
Generates an access token for a target service account which may be used to impersonate that service account in API calls. Requires the calling account have the “Service Account Token Creator” role on the target account.
    from bibt.gcp import iam
    from google.cloud import storage
    from google.oauth2 import credentials


    def main(event, context):
        client = iam.Client()
        # Generate an access token for the target service account.
        token = client.get_access_token(
            target_acct="myserviceaccount@myproject.iam.gserviceaccount.com"
        )
        # Wrap the raw token in a credentials object and pass it to a Google API client.
        api_creds = credentials.Credentials(token=token)
        storage_client = storage.Client(credentials=api_creds)
        storage_client.get_bucket("mybucket")
- Parameters:
- Return type:
- Returns:
an access token which can be used to generate credentials for Google APIs.
- get_credentials(target_acct, scopes=['https://www.googleapis.com/auth/cloud-platform'], source_credentials=None, lifetime=3600)
Generates a credentials object for a target service account which may be used to impersonate that service account in API calls. Requires the calling account have the “Service Account Token Creator” role on the target account. This version takes care of credentials object creation for you.
    from bibt.gcp import iam
    from google.cloud import storage


    def main(event, context):
        client = iam.Client()
        # The client builds the impersonated credentials object directly.
        api_creds = client.get_credentials(
            target_acct="myserviceaccount@myproject.iam.gserviceaccount.com"
        )
        storage_client = storage.Client(credentials=api_creds)
        storage_client.get_bucket("mybucket")
- Parameters:
  - target_acct (str) – the email address of the account to impersonate.
  - scopes (list) – the scopes to request for the token. By default, will be set to ["https://www.googleapis.com/auth/cloud-platform"], which should be sufficient for most use cases.
  - source_credentials (google.oauth2.credentials.Credentials) – The credentials of the source account attempting to impersonate the target account. If not supplied, default() is used.
  - lifetime (int) – For how long the credentials should be valid, in seconds.
- Return type:
google.oauth2.credentials.Credentials
- Returns:
a credentials object which can be used for authentication with Google APIs.
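
Both methods above only work when the caller holds the “Service Account Token Creator” role on the target account, so the members holding that role are the ones who can impersonate it. The following added example (not part of bibt-gcp; the sample policy, allow-list and function names are constructed for illustration) reviews an IAM policy document for members with that role.

```python
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Member forms that cover more than one named identity.
BROAD_PREFIXES = ("allUsers", "allAuthenticatedUsers", "domain:", "group:")

# Constructed sample in the IAM policy JSON shape (bindings of role -> members).
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:caller@myproject.iam.gserviceaccount.com",
                 "group:devs@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:alice@example.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:bob@example.com"]}
  ]
}
""")


def token_creators(policy):
    """Return one finding per member that holds the Token Creator role."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        condition = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "broad": member.startswith(BROAD_PREFIXES),
                "condition": condition,
            })
    return findings


def unexpected_creators(policy, allowed):
    """Members that can mint tokens but are broad or not on the allow-list."""
    return sorted(f["member"] for f in token_creators(policy)
                  if f["broad"] or f["member"] not in allowed)


if __name__ == "__main__":
    allowed = {"serviceAccount:caller@myproject.iam.gserviceaccount.com"}
    for member in unexpected_creators(SAMPLE_POLICY, allowed):
        print("review:", member)
```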