ansible-collections/google.cloud
1
0
Fork 0
mirror of https://github.com/ansible-collections/google.cloud.git synced 2025-04-06 10:50:28 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Added more auth capabilities

Browse source
This commit is contained in:
Pavlo Bashynskiy 2022-01-15 22:20:07 +02:00
parent 2679d724c3
commit d46df5eb00
3 changed files with 49 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
plugins/lookup/gcp_secret_access.py
View file

@ -12,7 +12,7 @@ author:
short_description: Retrieve secrets from GCP Secret Manager short_description: Retrieve secrets from GCP Secret Manager
requirements: requirements:
- python >= 2.7 - python >= 2.7
- google-auth >= 1.3.0 - google-auth >= 1.26.0
- google-cloud-secret-manager >= 1.0.0 - google-cloud-secret-manager >= 1.0.0
description: description:
- Retrieve secret contents from GCP Secret Manager. - Retrieve secret contents from GCP Secret Manager.
@ -33,6 +33,12 @@ options:
type: str type: str
env: env:
- name: GCP_PROJECT - name: GCP_PROJECT
access_token:
description:
- The Google Cloud access token. If specified, C(service_account_file) will be ignored.
type: path
env:
- name: GCP_ACCESS_TOKEN
service_account_file: service_account_file:
description: description:
- The path of a Service Account JSON file if serviceaccount is selected as type. - The path of a Service Account JSON file if serviceaccount is selected as type.

8
plugins/lookup/gcp_secret_resource_id.py
View file

@ -12,7 +12,7 @@ author:
short_description: Retrieve resource id of secret version from GCP Secret Manager short_description: Retrieve resource id of secret version from GCP Secret Manager
requirements: requirements:
- python >= 2.7 - python >= 2.7
- google-auth >= 1.3.0 - google-auth >= 1.26.0
- google-cloud-secret-manager >= 1.0.0 - google-cloud-secret-manager >= 1.0.0
description: description:
- Retrieve resource id of secret version from GCP Secret Manager. - Retrieve resource id of secret version from GCP Secret Manager.
@ -32,6 +32,12 @@ options:
type: str type: str
env: env:
- name: GCP_PROJECT - name: GCP_PROJECT
access_token:
description:
- The Google Cloud access token. If specified, C(service_account_file) will be ignored.
type: path
env:
- name: GCP_ACCESS_TOKEN
service_account_file: service_account_file:
description: description:
- The path of a Service Account JSON file if serviceaccount is selected as type. - The path of a Service Account JSON file if serviceaccount is selected as type.

36
plugins/plugin_utils/gcp_utils.py
View file

@ -2,10 +2,14 @@ from __future__ import (absolute_import, division, print_function)
__metaclass__ = type __metaclass__ = type
import io
import json
import os import os
import re import re
try: try:
import google.oauth2.credentials
from google.auth import identity_pool
from google.oauth2 import service_account from google.oauth2 import service_account
HAS_GOOGLE_LIBRARIES = True HAS_GOOGLE_LIBRARIES = True
except ImportError: except ImportError:
@ -24,6 +28,7 @@ class GcpSecretLookup():
self.secret_id = None self.secret_id = None
self.version_id = None self.version_id = None
self.project_id = None self.project_id = None
self.access_token = None
self.service_account_file = None self.service_account_file = None
self.scope = ["https://www.googleapis.com/auth/cloud-platform"] self.scope = ["https://www.googleapis.com/auth/cloud-platform"]
@ -31,9 +36,37 @@ class GcpSecretLookup():
self.plugin_name = name self.plugin_name = name
def client(self, secretmanager): def client(self, secretmanager):
if self.access_token is not None:
credentials=google.oauth2.credentials.Credentials(self.access_token)
return secretmanager.SecretManagerServiceClient(credentials=credentials)
if self.service_account_file is not None: if self.service_account_file is not None:
path = os.path.realpath(os.path.expanduser(self.service_account_file)) path = os.path.realpath(os.path.expanduser(self.service_account_file))
credentials = service_account.Credentials.from_service_account_file(path).with_scopes(self.scope) if not os.path.exists(path):
raise AnsibleError("File {} was not found.".format(path))
with io.open(path, "r") as file_obj:
try:
info = json.load(file_obj)
except ValueError as e:
raise AnsibleError("File {} is not a valid json file.".format(path))
credential_type = info.get("type")
if credential_type == "authorized_user":
credentials = google.oauth2.credentials.Credentials.from_authorized_user_info(info, scopes=self.scope)
elif credential_type == "service_account":
credentials = service_account.Credentials.from_service_account_info(info, scopes=self.scope)
elif credential_type == "external_account":
if info.get("subject_token_type") == "urn:ietf:params:aws:token-type:aws4_request":
from google.auth import aws
credentials = aws.Credentials.from_info(info, scopes=self.scope)
else:
credentials = identity_pool.Credentials.from_info(info, scopes=self.scope)
else:
raise AnsibleError(
"Type is {}, expected one of authorized_user, service_account, external_account.".format(credential_type)
)
return secretmanager.SecretManagerServiceClient(credentials=credentials) return secretmanager.SecretManagerServiceClient(credentials=credentials)
return secretmanager.SecretManagerServiceClient() return secretmanager.SecretManagerServiceClient()
@ -42,6 +75,7 @@ class GcpSecretLookup():
self.secret_id = kwargs.get('secret') self.secret_id = kwargs.get('secret')
self.version_id = kwargs.get('version', 'latest') self.version_id = kwargs.get('version', 'latest')
self.project_id = kwargs.get('project', os.getenv('GCP_PROJECT')) self.project_id = kwargs.get('project', os.getenv('GCP_PROJECT'))
self.access_token = kwargs.get('access_token', os.getenv('GCP_ACCESS_TOKEN'))
self.service_account_file = kwargs.get('service_account_file', os.getenv('GOOGLE_APPLICATION_CREDENTIALS')) self.service_account_file = kwargs.get('service_account_file', os.getenv('GOOGLE_APPLICATION_CREDENTIALS'))
if len(terms) > 1: if len(terms) > 1: