YdZddlZddlmZddlZddlmZddlmZddlm Z dZ e dzZ Gdd ejZ y) zTools for using the Google `Cloud Identity and Access Management (IAM) API`_'s auth-related functionality. .. _Cloud Identity and Access Management (IAM) API: https://cloud.google.com/iam/docs/ N)_helpers)crypt) exceptionsz(https://iamcredentials.googleapis.com/v1z0/projects/-/serviceAccounts/{}:signBlob?alt=jsoncpeZdZdZdZdZedZeje jdZ y)SigneraSigns messages using the IAM `signBlob API`_. This is useful when you need to sign bytes but do not have access to the credential's private key file. .. _signBlob API: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts /signBlob c.||_||_||_y)a Args: request (google.auth.transport.Request): The object used to make HTTP requests. credentials (google.auth.credentials.Credentials): The credentials that will be used to authenticate the request to the IAM API. The credentials must have of one the following scopes: - https://www.googleapis.com/auth/iam - https://www.googleapis.com/auth/cloud-platform service_account_email (str): The service account email identifying which service account to use to sign bytes. Often, this can be the same as the service account email in the given credentials. N)_request _credentials_service_account_email)selfrequest credentialsservice_account_emails *platform/bq/third_party/google/auth/iam.py__init__zSigner.__init__.s   '&;#crtj|}d}tj|j}ddi}t j dtj|jdijd}|jj|j||||j||||}|jtj k7r.t#j$dj|j&t j(|j&jdS)z(Makes a request to the API signBlob API.POSTz Content-Typezapplication/jsonpayloadzutf-8)urlmethodbodyheadersz&Error calling the IAM signBlob API: {})rto_bytes_SIGN_BLOB_URIformatr jsondumpsbase64 b64encodedecodeencoder before_requestr status http_clientOKrTransportErrordataloads)r messagerrrrresponses r_make_signing_requestzSigner._make_signing_requestBs##G,##D$?$?@!#56zz ((188A B &/  ((WM==SdG=T ??knn ,++8?? N zz(--..w788rcy)zOptional[str]: The key ID used to identify this private key. .. warning:: This is always ``None``. The key ID used by IAM can not be reliably determined ahead of time. N)r s rkey_idz Signer.key_idWsrcT|j|}tj|dS)N signedBlob)r,r b64decode)r r*r+s rsignz Signer.signas(--g6 677rN) __name__ __module__ __qualname____doc__rr,propertyr/rcopy_docstringrrr3r.rrrr#sJ<(9*XU\\*8+8rr) r7r http.clientclientr%r google.authrrr_IAM_API_ROOT_URIrrr.rrr>sA ! ">"%WWA8U\\A8r