dZddlmZddlmZddlmZddlmZddlm Z ddlmZ ddl m Z ddl m Z dd lmZdd lmZdd lmZdd lmZd Ze j0Gdde j2Zy)z&A command that prints identity token. )absolute_import)division)unicode_literals) exceptions)base) auth_util)flags) config_helper)config)store)clientcx|jd}tj|j|d}t j |}|j r?t j|stjd|j t_ |jds|jdr*t j|stjd|jdk(r!|jrtjd |jd r*t j |stjd tj |||j"|j|jd t%j&|}|j(stj*d |S)%Run the print_identity_token command.impersonate_service_accountT)allow_account_impersonationuse_google_authzGInvalid account type for `--audiences`. Requires valid service account. token_formatinclude_licensezgInvalid account type for `--token-format` or `--include-license`. Requires a valid GCE service account.standardzE`--include-license` can only be specified when `--token-format=full`. include_emailzTInvalid account type for `--include-email`. Requires an impersonate service account.)is_impersonated_credentialrgce_token_formatgce_include_license refresh_user_account_credentialsz?No identity token can be obtained from the current credentials.) IsSpecifiedc_storeLoadaccountrIsImpersonationCredential audiencesValidIdTokenCredentialauth_exceptionsWrongAccountTypeErrorr CLOUDSDK_CLIENT_IDIsGceAccountCredentialsrrGCEIdentityTokenError_RefreshGoogleAuthIdTokenrr Credentialid_tokenInvalidIdentityTokenError)argsdo_impersonationcredis_impersonated_account credentials (lib/surface/auth/print_identity_token.py_Runr1"s%%&CD  ll"2 $&??E ^^  + +D 1  1 1 , --!%F n%)9)9:K)L  , ,T 2  1 1 2 33 *$   1 1 # $$ o&  . .t 4  1 1 5 66 ## !8&&((..'+ ''-*     3 3I KK ceZdZdZdddZedZeje je jdZ y) IdentityTokenz2Print an identity token for the specified account.z {description} a To print identity tokens: $ {command} To print identity token for account 'foo@example.com' whose audience is 'https://service-hash-uc.a.run.app', run: $ {command} foo@example.com --audiences="https://service-hash-uc.a.run.app" To print identity token for an impersonated service account 'my-account@example.iam.gserviceaccount.com' whose audience is 'https://service-hash-uc.a.run.app', run: $ {command} --impersonate-service-account="my-account@example.iam.gserviceaccount.com" --audiences="https://service-hash-uc.a.run.app" To print identity token of a Compute Engine instance, which includes project and instance details as well as license codes for images associated with the instance, run: $ {command} --token-format=full --include-license To print identity token for an impersonated service account 'my-account@example.iam.gserviceaccount.com', which includes the email address of the service account, run: $ {command} --impersonate-service-account="my-account@example.iam.gserviceaccount.com" --include-email ) DESCRIPTIONEXAMPLESctj|tj|tj|tj||j j dy)Nzvalue(id_token))r AddAccountArgAddAudienceArgAddGCESpecificArgsAddIncludeEmailArg display_info AddFormat)parsers r0ArgszIdentityToken.ArgszsO    V$ V$ !!"34r2ct|}|S)r)r1)selfr+r/s r0RunzIdentityToken.RunsdJ r2N)__name__ __module__ __qualname____doc__ detailed_help staticmethodr?c_excRaiseErrorInsteadOfr"AuthenticationErrorr ErrorrBr2r0r4r4TsY:  !-F555_@@&,,OPr2r4N)rF __future__rrrgooglecloudsdk.api_lib.authrr"googlecloudsdk.callioperrIgooglecloudsdk.command_lib.authrr !googlecloudsdk.command_lib.configr googlecloudsdk.corer googlecloudsdk.core.credentialsr r oauth2clientr r1UniverseCompatibleCommandr4rMr2r0rXs[ ''E(751;&</d1DLL11r2