diff --git a/.github/.OwlBot.lock.yaml b/.github/.OwlBot.lock.yaml
index 4ef4414..e2b39f9 100644
--- a/.github/.OwlBot.lock.yaml
+++ b/.github/.OwlBot.lock.yaml
@@ -1,3 +1,3 @@
docker:
image: gcr.io/repo-automation-bots/owlbot-python:latest
- digest: sha256:c66ba3c8d7bc8566f47df841f98cd0097b28fff0b1864c86f5817f4c8c3e8600
\ No newline at end of file
+ digest: sha256:99d90d097e4a4710cc8658ee0b5b963f4426d0e424819787c3ac1405c9a26719
diff --git a/.kokoro/samples/python3.9/common.cfg b/.kokoro/samples/python3.9/common.cfg
new file mode 100644
index 0000000..f3fd3f7
--- /dev/null
+++ b/.kokoro/samples/python3.9/common.cfg
@@ -0,0 +1,40 @@
+# Format: //devtools/kokoro/config/proto/build.proto
+
+# Build logs will be here
+action {
+ define_artifacts {
+ regex: "**/*sponge_log.xml"
+ }
+}
+
+# Specify which tests to run
+env_vars: {
+ key: "RUN_TESTS_SESSION"
+ value: "py-3.9"
+}
+
+# Declare build specific Cloud project.
+env_vars: {
+ key: "BUILD_SPECIFIC_GCLOUD_PROJECT"
+ value: "python-docs-samples-tests-py39"
+}
+
+env_vars: {
+ key: "TRAMPOLINE_BUILD_FILE"
+ value: "github/python-iam/.kokoro/test-samples.sh"
+}
+
+# Configure the docker image for kokoro-trampoline.
+env_vars: {
+ key: "TRAMPOLINE_IMAGE"
+ value: "gcr.io/cloud-devrel-kokoro-resources/python-samples-testing-docker"
+}
+
+# Download secrets for samples
+gfile_resources: "/bigstore/cloud-devrel-kokoro-resources/python-docs-samples"
+
+# Download trampoline resources.
+gfile_resources: "/bigstore/cloud-devrel-kokoro-resources/trampoline"
+
+# Use the trampoline script to run in docker.
+build_file: "python-iam/.kokoro/trampoline.sh"
\ No newline at end of file
diff --git a/.kokoro/samples/python3.9/continuous.cfg b/.kokoro/samples/python3.9/continuous.cfg
new file mode 100644
index 0000000..a1c8d97
--- /dev/null
+++ b/.kokoro/samples/python3.9/continuous.cfg
@@ -0,0 +1,6 @@
+# Format: //devtools/kokoro/config/proto/build.proto
+
+env_vars: {
+ key: "INSTALL_LIBRARY_FROM_SOURCE"
+ value: "True"
+}
\ No newline at end of file
diff --git a/.kokoro/samples/python3.9/periodic-head.cfg b/.kokoro/samples/python3.9/periodic-head.cfg
new file mode 100644
index 0000000..f9cfcd3
--- /dev/null
+++ b/.kokoro/samples/python3.9/periodic-head.cfg
@@ -0,0 +1,11 @@
+# Format: //devtools/kokoro/config/proto/build.proto
+
+env_vars: {
+ key: "INSTALL_LIBRARY_FROM_SOURCE"
+ value: "True"
+}
+
+env_vars: {
+ key: "TRAMPOLINE_BUILD_FILE"
+ value: "github/python-pubsub/.kokoro/test-samples-against-head.sh"
+}
diff --git a/.kokoro/samples/python3.9/periodic.cfg b/.kokoro/samples/python3.9/periodic.cfg
new file mode 100644
index 0000000..50fec96
--- /dev/null
+++ b/.kokoro/samples/python3.9/periodic.cfg
@@ -0,0 +1,6 @@
+# Format: //devtools/kokoro/config/proto/build.proto
+
+env_vars: {
+ key: "INSTALL_LIBRARY_FROM_SOURCE"
+ value: "False"
+}
\ No newline at end of file
diff --git a/.kokoro/samples/python3.9/presubmit.cfg b/.kokoro/samples/python3.9/presubmit.cfg
new file mode 100644
index 0000000..a1c8d97
--- /dev/null
+++ b/.kokoro/samples/python3.9/presubmit.cfg
@@ -0,0 +1,6 @@
+# Format: //devtools/kokoro/config/proto/build.proto
+
+env_vars: {
+ key: "INSTALL_LIBRARY_FROM_SOURCE"
+ value: "True"
+}
\ No newline at end of file
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4f00c7c..62eb5a7 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -16,7 +16,7 @@
# See https://pre-commit.com/hooks.html for more hooks
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v3.4.0
+ rev: v4.0.1
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4a38abc..c608a60 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,23 @@
[1]: https://pypi.org/project/google-cloud-iam/#history
+## [2.3.0](https://www.github.com/googleapis/python-iam/compare/v2.2.0...v2.3.0) (2021-07-01)
+
+
+### Features
+
+* add always_use_jwt_access ([#89](https://www.github.com/googleapis/python-iam/issues/89)) ([cc322f9](https://www.github.com/googleapis/python-iam/commit/cc322f9642b8afe847e42ece1cd778ab27c94b72))
+
+
+### Bug Fixes
+
+* disable always_use_jwt_access ([#93](https://www.github.com/googleapis/python-iam/issues/93)) ([0880d9a](https://www.github.com/googleapis/python-iam/commit/0880d9adc2a7737edae905e3f11b4bd9b6ad5331))
+
+
+### Documentation
+
+* omit mention of Python 2.7 in 'CONTRIBUTING.rst' ([#1127](https://www.github.com/googleapis/python-iam/issues/1127)) ([#84](https://www.github.com/googleapis/python-iam/issues/84)) ([b30f69e](https://www.github.com/googleapis/python-iam/commit/b30f69eec8ade3087652d34013e7a55c05bbe6dd))
+
## [2.2.0](https://www.github.com/googleapis/python-iam/compare/v2.1.0...v2.2.0) (2021-05-28)
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index ef181ca..91355a5 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -68,15 +68,12 @@ Using ``nox``
We use `nox `__ to instrument our tests.
- To test your changes, run unit tests with ``nox``::
+ $ nox -s unit
- $ nox -s unit-2.7
- $ nox -s unit-3.8
- $ ...
+- To run a single unit test::
-- Args to pytest can be passed through the nox command separated by a `--`. For
- example, to run a single test::
+ $ nox -s unit-3.9 -- -k
- $ nox -s unit-3.8 -- -k
.. note::
@@ -143,8 +140,7 @@ Running System Tests
- To run system tests, you can execute::
# Run all system tests
- $ nox -s system-3.8
- $ nox -s system-2.7
+ $ nox -s system
# Run a single system test
$ nox -s system-3.8 -- -k
@@ -152,9 +148,8 @@ Running System Tests
.. note::
- System tests are only configured to run under Python 2.7 and
- Python 3.8. For expediency, we do not run them in older versions
- of Python 3.
+ System tests are only configured to run under Python 3.8.
+ For expediency, we do not run them in older versions of Python 3.
This alone will not run the tests. You'll need to change some local
auth settings and change some configuration in your project to
@@ -218,8 +213,8 @@ Supported versions can be found in our ``noxfile.py`` `config`_.
.. _config: https://github.com/googleapis/python-iam/blob/master/noxfile.py
-We also explicitly decided to support Python 3 beginning with version
-3.6. Reasons for this include:
+We also explicitly decided to support Python 3 beginning with version 3.6.
+Reasons for this include:
- Encouraging use of newest versions of Python 3
- Taking the lead of `prominent`_ open-source `projects`_
diff --git a/docs/conf.py b/docs/conf.py
index 2350bb9..784edef 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -80,9 +80,9 @@
master_doc = "index"
# General information about the project.
-project = u"google-cloud-iam"
-copyright = u"2019, Google"
-author = u"Google APIs"
+project = "google-cloud-iam"
+copyright = "2019, Google"
+author = "Google APIs"
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
@@ -281,7 +281,7 @@
(
master_doc,
"google-cloud-iam.tex",
- u"google-cloud-iam Documentation",
+ "google-cloud-iam Documentation",
author,
"manual",
)
@@ -313,7 +313,7 @@
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
- (master_doc, "google-cloud-iam", u"google-cloud-iam Documentation", [author], 1,)
+ (master_doc, "google-cloud-iam", "google-cloud-iam Documentation", [author], 1,)
]
# If true, show URL addresses after external links.
@@ -329,7 +329,7 @@
(
master_doc,
"google-cloud-iam",
- u"google-cloud-iam Documentation",
+ "google-cloud-iam Documentation",
author,
"google-cloud-iam",
"google-cloud-iam Library",
diff --git a/google/cloud/iam_credentials_v1/proto/common.proto b/google/cloud/iam_credentials_v1/proto/common.proto
deleted file mode 100644
index 045a0df..0000000
--- a/google/cloud/iam_credentials_v1/proto/common.proto
+++ /dev/null
@@ -1,189 +0,0 @@
-// Copyright 2020 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.iam.credentials.v1;
-
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-import "google/protobuf/duration.proto";
-import "google/protobuf/timestamp.proto";
-
-option cc_enable_arenas = true;
-option csharp_namespace = "Google.Cloud.Iam.Credentials.V1";
-option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;credentials";
-option java_multiple_files = true;
-option java_outer_classname = "IAMCredentialsCommonProto";
-option java_package = "com.google.cloud.iam.credentials.v1";
-option (google.api.resource_definition) = {
- type: "iam.googleapis.com/ServiceAccount"
- pattern: "projects/{project}/serviceAccounts/{service_account}"
-};
-
-message GenerateAccessTokenRequest {
- // Required. The resource name of the service account for which the credentials
- // are requested, in the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
- // character is required; replacing it with a project ID is invalid.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "iam.googleapis.com/ServiceAccount"
- }
- ];
-
- // The sequence of service accounts in a delegation chain. Each service
- // account must be granted the `roles/iam.serviceAccountTokenCreator` role
- // on its next service account in the chain. The last service account in the
- // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
- // on the service account that is specified in the `name` field of the
- // request.
- //
- // The delegates must have the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
- // character is required; replacing it with a project ID is invalid.
- repeated string delegates = 2;
-
- // Required. Code to identify the scopes to be included in the OAuth 2.0 access token.
- // See https://developers.google.com/identity/protocols/googlescopes for more
- // information.
- // At least one value required.
- repeated string scope = 4 [(google.api.field_behavior) = REQUIRED];
-
- // The desired lifetime duration of the access token in seconds.
- // Must be set to a value less than or equal to 3600 (1 hour). If a value is
- // not specified, the token's lifetime will be set to a default value of one
- // hour.
- google.protobuf.Duration lifetime = 7;
-}
-
-message GenerateAccessTokenResponse {
- // The OAuth 2.0 access token.
- string access_token = 1;
-
- // Token expiration time.
- // The expiration time is always set.
- google.protobuf.Timestamp expire_time = 3;
-}
-
-message SignBlobRequest {
- // Required. The resource name of the service account for which the credentials
- // are requested, in the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
- // character is required; replacing it with a project ID is invalid.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "iam.googleapis.com/ServiceAccount"
- }
- ];
-
- // The sequence of service accounts in a delegation chain. Each service
- // account must be granted the `roles/iam.serviceAccountTokenCreator` role
- // on its next service account in the chain. The last service account in the
- // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
- // on the service account that is specified in the `name` field of the
- // request.
- //
- // The delegates must have the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
- // character is required; replacing it with a project ID is invalid.
- repeated string delegates = 3;
-
- // Required. The bytes to sign.
- bytes payload = 5 [(google.api.field_behavior) = REQUIRED];
-}
-
-message SignBlobResponse {
- // The ID of the key used to sign the blob.
- string key_id = 1;
-
- // The signed blob.
- bytes signed_blob = 4;
-}
-
-message SignJwtRequest {
- // Required. The resource name of the service account for which the credentials
- // are requested, in the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
- // character is required; replacing it with a project ID is invalid.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "iam.googleapis.com/ServiceAccount"
- }
- ];
-
- // The sequence of service accounts in a delegation chain. Each service
- // account must be granted the `roles/iam.serviceAccountTokenCreator` role
- // on its next service account in the chain. The last service account in the
- // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
- // on the service account that is specified in the `name` field of the
- // request.
- //
- // The delegates must have the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
- // character is required; replacing it with a project ID is invalid.
- repeated string delegates = 3;
-
- // Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
- string payload = 5 [(google.api.field_behavior) = REQUIRED];
-}
-
-message SignJwtResponse {
- // The ID of the key used to sign the JWT.
- string key_id = 1;
-
- // The signed JWT.
- string signed_jwt = 2;
-}
-
-message GenerateIdTokenRequest {
- // Required. The resource name of the service account for which the credentials
- // are requested, in the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
- // character is required; replacing it with a project ID is invalid.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "iam.googleapis.com/ServiceAccount"
- }
- ];
-
- // The sequence of service accounts in a delegation chain. Each service
- // account must be granted the `roles/iam.serviceAccountTokenCreator` role
- // on its next service account in the chain. The last service account in the
- // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
- // on the service account that is specified in the `name` field of the
- // request.
- //
- // The delegates must have the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
- // character is required; replacing it with a project ID is invalid.
- repeated string delegates = 2;
-
- // Required. The audience for the token, such as the API or account that this token
- // grants access to.
- string audience = 3 [(google.api.field_behavior) = REQUIRED];
-
- // Include the service account email in the token. If set to `true`, the
- // token will contain `email` and `email_verified` claims.
- bool include_email = 4;
-}
-
-message GenerateIdTokenResponse {
- // The OpenId Connect ID token.
- string token = 1;
-}
diff --git a/google/cloud/iam_credentials_v1/proto/iamcredentials.proto b/google/cloud/iam_credentials_v1/proto/iamcredentials.proto
deleted file mode 100644
index b5dcae8..0000000
--- a/google/cloud/iam_credentials_v1/proto/iamcredentials.proto
+++ /dev/null
@@ -1,78 +0,0 @@
-// Copyright 2020 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.iam.credentials.v1;
-
-import "google/api/annotations.proto";
-import "google/api/client.proto";
-import "google/iam/credentials/v1/common.proto";
-
-option cc_enable_arenas = true;
-option csharp_namespace = "Google.Cloud.Iam.Credentials.V1";
-option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;credentials";
-option java_multiple_files = true;
-option java_outer_classname = "IAMCredentialsProto";
-option java_package = "com.google.cloud.iam.credentials.v1";
-
-// A service account is a special type of Google account that belongs to your
-// application or a virtual machine (VM), instead of to an individual end user.
-// Your application assumes the identity of the service account to call Google
-// APIs, so that the users aren't directly involved.
-//
-// Service account credentials are used to temporarily assume the identity
-// of the service account. Supported credential types include OAuth 2.0 access
-// tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and
-// more.
-service IAMCredentials {
- option (google.api.default_host) = "iamcredentials.googleapis.com";
- option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
-
- // Generates an OAuth 2.0 access token for a service account.
- rpc GenerateAccessToken(GenerateAccessTokenRequest) returns (GenerateAccessTokenResponse) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/serviceAccounts/*}:generateAccessToken"
- body: "*"
- };
- option (google.api.method_signature) = "name,delegates,scope,lifetime";
- }
-
- // Generates an OpenID Connect ID token for a service account.
- rpc GenerateIdToken(GenerateIdTokenRequest) returns (GenerateIdTokenResponse) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/serviceAccounts/*}:generateIdToken"
- body: "*"
- };
- option (google.api.method_signature) = "name,delegates,audience,include_email";
- }
-
- // Signs a blob using a service account's system-managed private key.
- rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
- body: "*"
- };
- option (google.api.method_signature) = "name,delegates,payload";
- }
-
- // Signs a JWT using a service account's system-managed private key.
- rpc SignJwt(SignJwtRequest) returns (SignJwtResponse) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
- body: "*"
- };
- option (google.api.method_signature) = "name,delegates,payload";
- }
-}
diff --git a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/base.py b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/base.py
index 7eeca28..4ca25c0 100644
--- a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/base.py
+++ b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/base.py
@@ -24,6 +24,7 @@
from google.api_core import gapic_v1 # type: ignore
from google.api_core import retry as retries # type: ignore
from google.auth import credentials as ga_credentials # type: ignore
+from google.oauth2 import service_account # type: ignore
from google.cloud.iam_credentials_v1.types import common
@@ -43,8 +44,6 @@
except pkg_resources.DistributionNotFound: # pragma: NO COVER
_GOOGLE_AUTH_VERSION = None
-_API_CORE_VERSION = google.api_core.__version__
-
class IAMCredentialsTransport(abc.ABC):
"""Abstract transport class for IAMCredentials."""
@@ -62,6 +61,7 @@ def __init__(
scopes: Optional[Sequence[str]] = None,
quota_project_id: Optional[str] = None,
client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO,
+ always_use_jwt_access: Optional[bool] = False,
**kwargs,
) -> None:
"""Instantiate the transport.
@@ -85,6 +85,8 @@ def __init__(
API requests. If ``None``, then default info will be used.
Generally, you only need to set this if you're developing
your own client library.
+ always_use_jwt_access (Optional[bool]): Whether self signed JWT should
+ be used for service account credentials.
"""
# Save the hostname. Default to port 443 (HTTPS) if none is specified.
if ":" not in host:
@@ -94,7 +96,7 @@ def __init__(
scopes_kwargs = self._get_scopes_kwargs(self._host, scopes)
# Save the scopes.
- self._scopes = scopes or self.AUTH_SCOPES
+ self._scopes = scopes
# If no credentials are provided, then determine the appropriate
# defaults.
@@ -113,13 +115,20 @@ def __init__(
**scopes_kwargs, quota_project_id=quota_project_id
)
+ # If the credentials is service account credentials, then always try to use self signed JWT.
+ if (
+ always_use_jwt_access
+ and isinstance(credentials, service_account.Credentials)
+ and hasattr(service_account.Credentials, "with_always_use_jwt_access")
+ ):
+ credentials = credentials.with_always_use_jwt_access(True)
+
# Save the credentials.
self._credentials = credentials
- # TODO(busunkim): These two class methods are in the base transport
+ # TODO(busunkim): This method is in the base transport
# to avoid duplicating code across the transport classes. These functions
- # should be deleted once the minimum required versions of google-api-core
- # and google-auth are increased.
+ # should be deleted once the minimum required versions of google-auth is increased.
# TODO: Remove this function once google-auth >= 1.25.0 is required
@classmethod
@@ -140,27 +149,6 @@ def _get_scopes_kwargs(
return scopes_kwargs
- # TODO: Remove this function once google-api-core >= 1.26.0 is required
- @classmethod
- def _get_self_signed_jwt_kwargs(
- cls, host: str, scopes: Optional[Sequence[str]]
- ) -> Dict[str, Union[Optional[Sequence[str]], str]]:
- """Returns kwargs to pass to grpc_helpers.create_channel depending on the google-api-core version"""
-
- self_signed_jwt_kwargs: Dict[str, Union[Optional[Sequence[str]], str]] = {}
-
- if _API_CORE_VERSION and (
- packaging.version.parse(_API_CORE_VERSION)
- >= packaging.version.parse("1.26.0")
- ):
- self_signed_jwt_kwargs["default_scopes"] = cls.AUTH_SCOPES
- self_signed_jwt_kwargs["scopes"] = scopes
- self_signed_jwt_kwargs["default_host"] = cls.DEFAULT_HOST
- else:
- self_signed_jwt_kwargs["scopes"] = scopes or cls.AUTH_SCOPES
-
- return self_signed_jwt_kwargs
-
def _prep_wrapped_messages(self, client_info):
# Precompute the wrapped methods.
self._wrapped_methods = {
diff --git a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc.py b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc.py
index 6510b14..04e99f7 100644
--- a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc.py
+++ b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc.py
@@ -66,6 +66,7 @@ def __init__(
client_cert_source_for_mtls: Callable[[], Tuple[bytes, bytes]] = None,
quota_project_id: Optional[str] = None,
client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO,
+ always_use_jwt_access: Optional[bool] = False,
) -> None:
"""Instantiate the transport.
@@ -106,6 +107,8 @@ def __init__(
API requests. If ``None``, then default info will be used.
Generally, you only need to set this if you're developing
your own client library.
+ always_use_jwt_access (Optional[bool]): Whether self signed JWT should
+ be used for service account credentials.
Raises:
google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport
@@ -158,6 +161,7 @@ def __init__(
scopes=scopes,
quota_project_id=quota_project_id,
client_info=client_info,
+ always_use_jwt_access=always_use_jwt_access,
)
if not self._grpc_channel:
@@ -213,14 +217,14 @@ def create_channel(
and ``credentials_file`` are passed.
"""
- self_signed_jwt_kwargs = cls._get_self_signed_jwt_kwargs(host, scopes)
-
return grpc_helpers.create_channel(
host,
credentials=credentials,
credentials_file=credentials_file,
quota_project_id=quota_project_id,
- **self_signed_jwt_kwargs,
+ default_scopes=cls.AUTH_SCOPES,
+ scopes=scopes,
+ default_host=cls.DEFAULT_HOST,
**kwargs,
)
diff --git a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc_asyncio.py b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc_asyncio.py
index aceaf50..5464fa5 100644
--- a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc_asyncio.py
+++ b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc_asyncio.py
@@ -87,14 +87,14 @@ def create_channel(
aio.Channel: A gRPC AsyncIO channel object.
"""
- self_signed_jwt_kwargs = cls._get_self_signed_jwt_kwargs(host, scopes)
-
return grpc_helpers_async.create_channel(
host,
credentials=credentials,
credentials_file=credentials_file,
quota_project_id=quota_project_id,
- **self_signed_jwt_kwargs,
+ default_scopes=cls.AUTH_SCOPES,
+ scopes=scopes,
+ default_host=cls.DEFAULT_HOST,
**kwargs,
)
@@ -112,6 +112,7 @@ def __init__(
client_cert_source_for_mtls: Callable[[], Tuple[bytes, bytes]] = None,
quota_project_id=None,
client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO,
+ always_use_jwt_access: Optional[bool] = False,
) -> None:
"""Instantiate the transport.
@@ -153,6 +154,8 @@ def __init__(
API requests. If ``None``, then default info will be used.
Generally, you only need to set this if you're developing
your own client library.
+ always_use_jwt_access (Optional[bool]): Whether self signed JWT should
+ be used for service account credentials.
Raises:
google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport
@@ -204,6 +207,7 @@ def __init__(
scopes=scopes,
quota_project_id=quota_project_id,
client_info=client_info,
+ always_use_jwt_access=always_use_jwt_access,
)
if not self._grpc_channel:
diff --git a/setup.py b/setup.py
index ff25091..e171b50 100644
--- a/setup.py
+++ b/setup.py
@@ -21,14 +21,14 @@
name = "google-cloud-iam"
description = "IAM Service Account Credentials API client library"
-version = "2.2.0"
+version = "2.3.0"
# Should be one of:
# 'Development Status :: 3 - Alpha'
# 'Development Status :: 4 - Beta'
# 'Development Status :: 5 - Production/Stable'
release_status = "Development Status :: 5 - Production/Stable"
dependencies = [
- "google-api-core[grpc] >= 1.22.2, < 2.0.0dev",
+ "google-api-core[grpc] >= 1.26.0, <2.0.0dev",
"proto-plus >= 0.4.0",
"packaging >= 14.3",
]
diff --git a/testing/constraints-3.6.txt b/testing/constraints-3.6.txt
index 61870e6..df98209 100644
--- a/testing/constraints-3.6.txt
+++ b/testing/constraints-3.6.txt
@@ -5,7 +5,7 @@
#
# e.g., if setup.py has "foo >= 1.14.0, < 2.0.0dev",
# Then this file should have foo==1.14.0
-google-api-core==1.22.2
+google-api-core==1.26.0
proto-plus==0.4.0
packaging==14.3
google-auth==1.24.0 # TODO: remove when google-api-core>=1.25.0 is required transitively through google-api-core
diff --git a/tests/unit/gapic/credentials_v1/test_iam_credentials.py b/tests/unit/gapic/credentials_v1/test_iam_credentials.py
index de36a81..8d8ef1d 100644
--- a/tests/unit/gapic/credentials_v1/test_iam_credentials.py
+++ b/tests/unit/gapic/credentials_v1/test_iam_credentials.py
@@ -38,9 +38,6 @@
IAMCredentialsClient,
)
from google.cloud.iam_credentials_v1.services.iam_credentials import transports
-from google.cloud.iam_credentials_v1.services.iam_credentials.transports.base import (
- _API_CORE_VERSION,
-)
from google.cloud.iam_credentials_v1.services.iam_credentials.transports.base import (
_GOOGLE_AUTH_VERSION,
)
@@ -51,8 +48,9 @@
import google.auth
-# TODO(busunkim): Once google-api-core >= 1.26.0 is required:
-# - Delete all the api-core and auth "less than" test cases
+# TODO(busunkim): Once google-auth >= 1.25.0 is required transitively
+# through google-api-core:
+# - Delete the auth "less than" test cases
# - Delete these pytest markers (Make the "greater than or equal to" tests the default).
requires_google_auth_lt_1_25_0 = pytest.mark.skipif(
packaging.version.parse(_GOOGLE_AUTH_VERSION) >= packaging.version.parse("1.25.0"),
@@ -63,16 +61,6 @@
reason="This test requires google-auth >= 1.25.0",
)
-requires_api_core_lt_1_26_0 = pytest.mark.skipif(
- packaging.version.parse(_API_CORE_VERSION) >= packaging.version.parse("1.26.0"),
- reason="This test requires google-api-core < 1.26.0",
-)
-
-requires_api_core_gte_1_26_0 = pytest.mark.skipif(
- packaging.version.parse(_API_CORE_VERSION) < packaging.version.parse("1.26.0"),
- reason="This test requires google-api-core >= 1.26.0",
-)
-
def client_cert_source_callback():
return b"cert bytes", b"key bytes"
@@ -135,6 +123,36 @@ def test_iam_credentials_client_from_service_account_info(client_class):
assert client.transport._host == "iamcredentials.googleapis.com:443"
+@pytest.mark.parametrize(
+ "client_class", [IAMCredentialsClient, IAMCredentialsAsyncClient,]
+)
+def test_iam_credentials_client_service_account_always_use_jwt(client_class):
+ with mock.patch.object(
+ service_account.Credentials, "with_always_use_jwt_access", create=True
+ ) as use_jwt:
+ creds = service_account.Credentials(None, None, None)
+ client = client_class(credentials=creds)
+ use_jwt.assert_not_called()
+
+
+@pytest.mark.parametrize(
+ "transport_class,transport_name",
+ [
+ (transports.IAMCredentialsGrpcTransport, "grpc"),
+ (transports.IAMCredentialsGrpcAsyncIOTransport, "grpc_asyncio"),
+ ],
+)
+def test_iam_credentials_client_service_account_always_use_jwt_true(
+ transport_class, transport_name
+):
+ with mock.patch.object(
+ service_account.Credentials, "with_always_use_jwt_access", create=True
+ ) as use_jwt:
+ creds = service_account.Credentials(None, None, None)
+ transport = transport_class(credentials=creds, always_use_jwt_access=True)
+ use_jwt.assert_called_once_with(True)
+
+
@pytest.mark.parametrize(
"client_class", [IAMCredentialsClient, IAMCredentialsAsyncClient,]
)
@@ -647,7 +665,9 @@ def test_generate_access_token_flattened():
assert args[0].name == "name_value"
assert args[0].delegates == ["delegates_value"]
assert args[0].scope == ["scope_value"]
- # assert args[0].lifetime == duration_pb2.Duration(seconds=751)
+ assert DurationRule().to_proto(args[0].lifetime) == duration_pb2.Duration(
+ seconds=751
+ )
def test_generate_access_token_flattened_error():
@@ -697,7 +717,9 @@ async def test_generate_access_token_flattened_async():
assert args[0].name == "name_value"
assert args[0].delegates == ["delegates_value"]
assert args[0].scope == ["scope_value"]
- # assert args[0].lifetime == duration_pb2.Duration(seconds=751)
+ assert DurationRule().to_proto(args[0].lifetime) == duration_pb2.Duration(
+ seconds=751
+ )
@pytest.mark.asyncio
@@ -1630,7 +1652,6 @@ def test_iam_credentials_transport_auth_adc_old_google_auth(transport_class):
(transports.IAMCredentialsGrpcAsyncIOTransport, grpc_helpers_async),
],
)
-@requires_api_core_gte_1_26_0
def test_iam_credentials_transport_create_channel(transport_class, grpc_helpers):
# If credentials and host are not provided, the transport class should use
# ADC credentials.
@@ -1659,79 +1680,6 @@ def test_iam_credentials_transport_create_channel(transport_class, grpc_helpers)
)
-@pytest.mark.parametrize(
- "transport_class,grpc_helpers",
- [
- (transports.IAMCredentialsGrpcTransport, grpc_helpers),
- (transports.IAMCredentialsGrpcAsyncIOTransport, grpc_helpers_async),
- ],
-)
-@requires_api_core_lt_1_26_0
-def test_iam_credentials_transport_create_channel_old_api_core(
- transport_class, grpc_helpers
-):
- # If credentials and host are not provided, the transport class should use
- # ADC credentials.
- with mock.patch.object(
- google.auth, "default", autospec=True
- ) as adc, mock.patch.object(
- grpc_helpers, "create_channel", autospec=True
- ) as create_channel:
- creds = ga_credentials.AnonymousCredentials()
- adc.return_value = (creds, None)
- transport_class(quota_project_id="octopus")
-
- create_channel.assert_called_with(
- "iamcredentials.googleapis.com:443",
- credentials=creds,
- credentials_file=None,
- quota_project_id="octopus",
- scopes=("https://www.googleapis.com/auth/cloud-platform",),
- ssl_credentials=None,
- options=[
- ("grpc.max_send_message_length", -1),
- ("grpc.max_receive_message_length", -1),
- ],
- )
-
-
-@pytest.mark.parametrize(
- "transport_class,grpc_helpers",
- [
- (transports.IAMCredentialsGrpcTransport, grpc_helpers),
- (transports.IAMCredentialsGrpcAsyncIOTransport, grpc_helpers_async),
- ],
-)
-@requires_api_core_lt_1_26_0
-def test_iam_credentials_transport_create_channel_user_scopes(
- transport_class, grpc_helpers
-):
- # If credentials and host are not provided, the transport class should use
- # ADC credentials.
- with mock.patch.object(
- google.auth, "default", autospec=True
- ) as adc, mock.patch.object(
- grpc_helpers, "create_channel", autospec=True
- ) as create_channel:
- creds = ga_credentials.AnonymousCredentials()
- adc.return_value = (creds, None)
-
- transport_class(quota_project_id="octopus", scopes=["1", "2"])
-
- create_channel.assert_called_with(
- "iamcredentials.googleapis.com:443",
- credentials=creds,
- credentials_file=None,
- quota_project_id="octopus",
- scopes=["1", "2"],
- ssl_credentials=None,
- options=[
- ("grpc.max_send_message_length", -1),
- ("grpc.max_receive_message_length", -1),
- ],
- )
-
-
@pytest.mark.parametrize(
"transport_class",
[
@@ -1754,7 +1702,7 @@ def test_iam_credentials_grpc_transport_client_cert_source_for_mtls(transport_cl
"squid.clam.whelk:443",
credentials=cred,
credentials_file=None,
- scopes=("https://www.googleapis.com/auth/cloud-platform",),
+ scopes=None,
ssl_credentials=mock_ssl_channel_creds,
quota_project_id=None,
options=[
@@ -1863,7 +1811,7 @@ def test_iam_credentials_transport_channel_mtls_with_client_cert_source(
"mtls.squid.clam.whelk:443",
credentials=cred,
credentials_file=None,
- scopes=("https://www.googleapis.com/auth/cloud-platform",),
+ scopes=None,
ssl_credentials=mock_ssl_cred,
quota_project_id=None,
options=[
@@ -1910,7 +1858,7 @@ def test_iam_credentials_transport_channel_mtls_with_adc(transport_class):
"mtls.squid.clam.whelk:443",
credentials=mock_cred,
credentials_file=None,
- scopes=("https://www.googleapis.com/auth/cloud-platform",),
+ scopes=None,
ssl_credentials=mock_ssl_cred,
quota_project_id=None,
options=[