@dZddlmZddlmZddlmZddlZddlmZddlm Z ddl m Z dd l m Z dd lmZe j e j"j$e j"j&e j"j(Gd d e j*Zy) z.Command for signing jwts for service accounts.)absolute_import)division)unicode_literalsN)util)base)iam_util)log)filescpeZdZdZej dej ddZedZdZ y)SignJwtzSign a JWT with a managed service account key. This command signs a JWT using a system-managed service account key. If the service account does not exist, this command returns a `PERMISSION_DENIED` error. z To create a sign JWT with a system-managed service account key, run: $ {command} --iam-account=my-iam-account@my-project.iam.gserviceaccount.com input.json output.jwt z For more information on how this command ties into the wider cloud infrastructure, please see [](https://cloud.google.com/appengine/docs/java/appidentity/). )EXAMPLESzSEE ALSOc||jddd|jddd|jd d d y) Nz --iam-accountTzThe service account to sign as.)requiredhelpinputz INPUT-FILEzBA path to the file containing the JSON JWT Claim set to be signed.)metavarroutputz OUTPUT-FILEz3A path the resulting signed JWT will be written to.) add_argument)parsers ,lib/surface/iam/service_accounts/sign_jwt.pyArgsz SignJwt.Args9s^ $-NP '(  c *tj\}}|jj|j t j |j|jtj|j}tj|j|jddtj j#dj%|j|j|j|j&y)N)payload)namesignJwtRequestFT)contentbinaryprivatez3signed jwt [{0}] as [{1}] for [{2}] using key [{3}])r"GetIamCredentialsClientAndMessagesprojects_serviceAccountsr 3IamcredentialsProjectsServiceAccountsSignJwtRequestrEmailToAccountResourceName iam_accountSignJwtRequestr ReadFileContentsrr WriteToFileOrStdoutr signedJwtstatusPrintformatkeyId)selfargsclientmessagesresponses rRunz SignJwt.RunJs>>@FH..66DD44T5E5EF#22..tzz;3= E >?H  X//tMJJ=DD JJ T%5%5x~~ GHrN) __name__ __module__ __qualname____doc__textwrapdedent detailed_help staticmethodrr2rrr r sR (//  (//   - Hrr )r6 __future__rrrr7googlecloudsdk.api_lib.iamrgooglecloudsdk.calliopergooglecloudsdk.command_lib.iamrgooglecloudsdk.corer googlecloudsdk.core.utilr ReleaseTracks ReleaseTrackALPHABETAGACommandr r;rrrHs 5&'+(3#*D%%++T->->-C-C%%((*5Hdll5H*5Hr