WN~dZddlmZddlmZddlmZddlZddlmZddlm Z ddlm Z dd l mZdd l mZdd l mZdd lm Zdd lmZddlmZddlmZddlmZddlmZddlmZddlmZ ddlm!Z"dd lmZ#ddlm$Z%ddlm&Z'dZ(dZ)dZ*ejVGddejXZ-dZ.dZ/dZ0dZ1y) z(The auth command gets tokens via oauth2.)absolute_import)division)unicode_literalsN)external_account)service_account)util)actions)base) exceptions) auth_util)flags)workforce_login_config)config)log) properties) console_io)creds)devshell)gce)storec>tjr+tjd}t j |St jjr@tj|s+tjd}t j |Sy)zPrompts users if they try to login in managed environments. Args: cred_config: Json object loaded from the file specified in --cred-file. Returns: True if users want to continue the login command. z You are already authenticated with gcloud when running inside the Cloud Shell and so do not need to run this command. Do you wish to proceed anyway? )messagea You are running on a Google Compute Engine virtual machine. It is recommended that you use service accounts for authentication. You can run: $ gcloud config set account `ACCOUNT` to switch accounts if necessary. Your credentials may be visible to others with access to this virtual machine. Are you sure you want to authenticate with your personal account? T) c_devshellIsDevshellEnvironmenttextwrapdedentrPromptContinuec_gceMetadata connectedauth_external_accountIsExternalAccountConfig) cred_configrs lib/surface/auth/login.pyShouldContinueLoginr%,s}%%'ooG  $ $W 55 "" ! 9 9+ Foo  G  $ $W 55 ctj}|tjfz }|jr|tj fz }|SN)rCLOUDSDK_SCOPES REAUTH_SCOPEenable_gdrive_accessr GOOGLE_DRIVE_SCOPE)argsscopess r$ GetScopesr/QsC  ! !& V ""&  y++--F -r&c|jr |jry tj|j|}|syt jdj|jy#tj $rYywxYw)z3If the login should use the locally cached account.Faccountr.zsRe-using locally stored credentials for [{}]. To fetch new credentials, re-run the command with the `--force` flag.T) r2forcec_storeLoadcreds_exceptionsErrorrwarningformat)r-r.rs r$ShouldUseCachedCredentialsr:\sq ,,4::  LLf =E  ++ &t|| 46     s!A..BBc*eZdZdZdZedZdZy)Logina Authorize gcloud to access the Cloud Platform with Google user credentials. Obtains access credentials for your user account via a web-based authorization flow. When this command completes successfully, it sets the active account in the current configuration to the account specified. If no configuration exists, it creates a configuration named default. If valid credentials for an account are already available from a prior authorization, the account is set to active without rerunning the flow. Use `gcloud auth list` to view credentialed accounts. If you'd rather authorize without a web browser but still interact with the command line, use the `--no-browser` flag. To authorize without a web browser and non-interactively, create a service account with the appropriate scopes using the [Google Cloud Console](https://console.cloud.google.com) and use `gcloud auth activate-service-account` with the corresponding JSON key file. In addition to Google user credentials, authorization using workload identity federation, workforce identity federation, or service account keys is also supported. For authorization with external accounts or service accounts, the `--cred-file` flag must be specified with the path to the workload identity credential configuration file or service account key file (JSON). Login with workload and workforce identity federation is also supported in both gsutil and bq. This command is the recommended way of using external accounts. For more information on workload identity federation, see: [](https://cloud.google.com/iam/docs/workload-identity-federation). For more information on workforce identity federation, see: [](https://cloud.google.com/iam/docs/workforce-identity-federation). For more information on authorization and credential types, see: [](https://cloud.google.com/sdk/docs/authorizing). ## EXAMPLES To obtain access credentials for your user account, run: $ {command} To obtain access credentials using workload or workforce identity federation, run: $ {command} --cred-file=/path/to/configuration/file To obtain access credentials using a browser-based sign-in flow with workforce identity federation, run: $ {command} --login-config=/path/to/configuration/file Fch|jdddd|jddddd |jd dd |jddd |jddd |jdddd|jddddd|jddd|jdd|jdd tjtjj j !tj||jjd"y#)$zSet args for gcloud auth.z --activate store_trueTzSet the new account to active.)actiondefaulthelpz--do-not-activate store_falseactivatezTHIS ARGUMENT NEEDS HELP TEXT.)r?desthiddenrAz--briefzMinimal user output.)r?rAz--forcezRRe-run the web authorization flow even if the given account has valid credentials.z--enable-gdrive-accesszEnable Google Drive access.z --update-adcFaWrite the obtained credentials to the well-known location for Application Default Credentials (ADC). Run $ gcloud auth application-default --help to learn more about ADC. Any credentials previously generated by `gcloud auth application-default login` will be overwritten.--add-quota-project-to-adczRead the project from gcloud's context and write to application default credentials as the quota project. Use this flag only when --update-adc is specified.)r?r@rErAr2?a=User account used for authorization. When the account specified has valid credentials in the local credential store these credentials will be re-used, otherwise a new credential will be fetched. If you need to fetch a new credential for an account with valid credentials stored, run the command with the --force flag.)nargsrA --cred-filezPath to the external account configuration file (workload identity pool, generated by the Cloud Console or `gcloud iam workload-identity-pools create-cred-config`) or service account credential key file (JSON).)rAz--login-configzPath to the workforce identity federation login configuration file which can be generated using the `gcloud iam workforce-pools create-login-config` command.)rAr?noneN) add_argumentr StorePropertyrVALUESauthlogin_config_file auth_flagsAddRemoteLoginFlags display_info AddFormat)parsers r$Argsz Login.Argss  -    -  ,-C  !    *   K   $ .        +  =$$Z%6%6%;%;%M%MN""6* !!&)r&c \|jrA|jrtjdt j |j}nd}t |}t|sy|jrNt|||j|j|j|j|j|jSt||rnt!j"|j|}t%|j||j|j|j|j|jSt'|j( |j* |j,}|j,rd|j,vrt j.t0j2fddi|}t4j6j8j:}|r^t=|drR|j:|j?k7r5tAjB|}t jD|j:|ytGjH}|r|jrtjd |jrtjd tGjJ|fi|}tAjB|}t!jL||t0j2t%|||j|j|j|j|jSt j.|fdd i|}|sytOjP|j|}t!jL|||t%|||j|j|j|j|jS) zRun the authentication command.z4--login-config cannot be specified with --cred-file.Nr1)no_launch_browser no_browserremote_bootstrap provider_nameauth_proxy_redirect_uriz&https://sdk.cloud.google/authcode.htmluniverse_domainzl--update-adc cannot be used in a third party login flow. Please use `gcloud auth application-default login`.zF--add-quota-project-to-adc cannot be used in a third party login flow.z*https://sdk.cloud.google.com/authcode.html)) cred_file login_configcalliope_exceptionsConflictingArgumentsExceptionr GetCredentialsConfigFromFiler/r%LoginWithCredFileConfigprojectrCbrief update_adcadd_quota_project_to_adcr2r:r4r5LoginAsdictlaunch_browserbrowserrY#DoInstalledAppBrowserFlowGoogleAuthr CLOUDSDK_EXTERNAL_ACCOUNT_SCOPESrrMcorer\hasattrGetr!GetExternalAccountIdHandleUniverseDomainConflictworkforce_login_config_utilGetWorkforceLoginConfigDoWorkforceHeadfulLoginStorecommand_auth_utilExtractAndValidateAccount) selfr-r]r.r flow_paramsuniverse_domain_propertyr2rOs r$Runz Login.Runs" ~~  !?? BD D88Hii t_F y )  ~~ $Y %)]]DJJ%)%B%B%)\\33"$/ll4<<?e T\\5$,, ZZ$2O2OQQ"111||#..0K D4I4I!I;;  1 1"J e ",!2!2!7!7!G!G e./##'?'C'C'EE(<z*LoginWithCredFileConfig..xs?Fqa6+>+>&>Fs""zA[--add-quota-project-to-adc] cannot be specified with --cred-file interactive_tokeninfo_usernamerIzROnly external account or service account JSON credential file types are supported.ACCOUNTzThe given account name does not match the account name in the credential file. This argument can be omitted when using credential files.T)r2r.prevent_refreshNzw You are already authenticated with '%s'. Do you wish to proceed and overwrite existing credentials? )rr@)r.F)tupler_r`r!r" CredentialsFromAdcDictGoogleAuthrprnrsetattrauth_service_accountIsServiceAccountConfigservice_account_emailInvalidArgumentExceptionr4r5r6r7r\rrrrrurg) r#r.rcrCrdrerf args_accountrr2 exist_credsranswers r$rbrb[s: ?F? ?&  ; ;K MM22;? ! B B; OE#88?Gum$):): e*G422;? A A+ NE))G  6 6   lg-  6 6    ,,>K[00E4I4IIoo  G & &w/@$ OF   --wv. %(E:u MM   Ks:FF F ct|dr tj|j|t |||r t |||s|St jt jjj||r8t jt jjj||s tj|rdj|}ntj|rdj|}n_tj |rdj|}n8tj"|rdj|}ndj|}t$j&j)dj|t jjjj+|S) zLogs in with valid credentials.r\z;Authenticated with external account credentials for: [{0}].z@Authenticated with external account user credentials for: [{0}].z:Authenticated with service account credentials for: [{0}].zKAuthenticated with external account authorized user credentials for: [{0}].zYou are now logged in as [{0}].z {confirmation_msg} Your current project is [{project}]. You can change this setting by running: $ gcloud config set project PROJECT_ID )confirmation_msgrc)rnr rqr\_ValidateADCFlags _UpdateADCrPersistPropertyrMrmr2rcc_credsIsExternalAccountCredentialsr9 IsExternalAccountUserCredentialsIsServiceAccountCredentials*IsExternalAccountAuthorizedUserCredentialsrstatuswritero)r2rrcrCrdrerfrs r$rgrgs U%& **5+@+@'JJ 89u./  L Z..33;;WE z0055==wG ++E2 G N N   1 1% 8 6'?  , ,U 3 F M M   ; ;E B w;AA'JJJ BBH&-%%**22668CIC:; ,r&c(tj}tj||tj}|rR||k7rLd}tj}|r|dj |z}t j j|yyy)z0Updates the ADC json with the credentials creds.z4 Application Default Credentials (ADC) were updated.z '{}' is added to ADC as the quota project. To just update the quota project in ADC, use $gcloud auth application-default set-quota-project.N)rv GetADCAsJsonWriteGcloudCredentialsToADCGetQuotaProjectFromADCr9rrPrint)rrf old_adc_json new_adc_jsonadc_msg quota_projects r$rrs"//1,//7OP"//1,ll2EG%<<>M 3396-3HJgJJW3\r&c:|s|rtjddyy)NrFzO--add-quota-project-to-adc cannot be specified without specifying --update-adc.)r_r)rerfs r$rrs* 0  6 6$  1r&)2r __future__rrrrgooglecloudsdk.api_lib.authrr!rrrr googlecloudsdk.callioper r r r_googlecloudsdk.command_lib.authrvr rPrrrgooglecloudsdk.corerrrgooglecloudsdk.core.consolergooglecloudsdk.core.credentialsrrrrr6rrrr4r%r/r:UniverseCompatibleCommandr<rbrgrrrr&r$rs /&'QO9+(EJ?a&#*2<BJ8<"J"jCDLLjCjCZMN`(V  r&