O,SrSSKrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJ r SSKJ r SSKJ r S r "S S \ R5r"S S \5r"SS\5rSrSSjrSr"SS\5rg)z%Utilities for the iamcredentials API.N exceptions) http_wrapper) apis_internal) properties) resources) transportz&https://iamcredentials.googleapis.com/c\rSrSrSrSrg)Error"z*Exception that are defined by this module.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__r 1lib/googlecloudsdk/api_lib/iamcredentials/util.pyr r "s2rr c\rSrSrSrSrg)InvalidImpersonationAccount&z1Exception when the service account id is invalid.r Nrr rrrr&s9rrc\rSrSrSrSrg)&ImpersonatedCredGoogleAuthRefreshError*zAException for google auth impersonated credentials refresh error.r Nrr rrrr*sIrrc ^SSKJn [RR USSUS.S9nUR S[ RSS9n[R"S S US 9nURRURRUR5URRUS 9S 95nU$![ R"a2n[$R&"USR)UR*US9S9eSnAf[ R,an[$R&"U5eSnAff=f)z8Generates an access token for the given service account.r transportsiamcredentials.serviceAccounts- projectsIdserviceAccountsId collectionparamsFenable_resource_quotaresponse_encodingallow_account_impersonationiamcredentialsv1 http_client)scope)namegenerateAccessTokenRequestzError {code} (Forbidden) - failed to impersonate [{service_acc}]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.)code service_acc error_formatN)googlecloudsdk.core.credentialsrrREGISTRYParseGetApitoolsTransportr ENCODINGr_GetClientInstanceprojects_serviceAccountsGenerateAccessTokenMESSAGES_MODULE?IamcredentialsProjectsServiceAccountsGenerateAccessTokenRequest RelativeNameGenerateAccessTokenRequestapitools_exceptionsHttpForbiddenErrorr HttpExceptionformat status_code HttpError)service_account_idscopesrservice_account_refr/ iam_clientresponsees rr>r>.sC9!**00%E6H I1K//!!**"'0)+ //+7*&22FF"" H H$113'1'A'A ' 'f ' 5 I H O  / /N  " " $Vmm9K$M  NN  & &&  " "1 %%&s%AB99D, -C::D,D''D,c SSKJn [RR USSUS.S9nUR S[ RSS9n[R"S S US 9nURRURRUR5URRXS 9S 95nUR $)z4Generates an id token for the given service account.rrr r!r"r%Fr(r,r-r.)audience includeEmail)r1generateIdTokenRequest)r7rrr8r9r:r r;rr<r=GenerateIdTokenr?;IamcredentialsProjectsServiceAccountsGenerateIdTokenRequestrAGenerateIdTokenRequesttoken)rIrP include_emailrrKr/rLrMs rrSrSVs9!**00%E6H I1K//!!**"'0)+ //+7* 0 0 @ @  BB"//1!+!;!; ! !8 ! PC( rc[RRRR 5(a2[RRRR 5$[RR RnUR 5UR:wa$[RSUR 55$[$)aqReturns the effective IAM endpoint. (1) If the [api_endpoint_overrides/iamcredentials] property is explicitly set, return the property value. (2) Otherwise if [core/universe_domain] value is not default, return "https://iamcredentials.{universe_domain_value}/". (3) Otherise return "https://iamcredentials.googleapis.com/" Returns: str: The effective IAM endpoint. zgoogleapis.com) rVALUESapi_endpoint_overridesr,IsExplicitlySetGetcoreuniverse_domaindefaultIAM_ENDPOINT_GDUreplace)universe_domain_propertys rGetEffectiveIamEndpointrcrs--<<LLNN    3 3 B B F F HH'..33CC!!#'?'G'GG  # #2668  rcJ\rSrSrSrSrSrSr\S5r \S5r Sr g ) ImpersonationAccessTokenProviderzvA token provider for service account elevation. This supports the interface required by the core/credentials module. c[XU5$)N)rS)selfrIrPrWs rGetElevationIdToken4ImpersonationAccessTokenProvider.GetElevationIdTokens - GGrcSSKJn SSKJn SSKJn UR 5nUR U5 URUUUUS9n UR5 U R U5 U $!URan SRUS9n Sn [R"U RS 5n U S -U S S -U S S '[R"S U S S0[R "U 5SS9n["R$R'U5n O![(a Of=fU (a[R*"U SS9e[-U 5eSn A ff=f)zCCreates a fresh impersonation credential using google-auth library.rrimpersonated_credentialsrequests)source_credentialstarget_principal target_scopes delegateszFailed to impersonate [{service_acc}]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.)r4N errormessagestatusr3)infocontent request_urlz{message} {details? {?}}r5) google.authrrmgooglecloudsdk.coreroGoogleAuthRequestrefresh CredentialsPerformIamEndpointsOverride RefreshErrorrFjsonloadsargsrResponsedumpsrCrH FromResponse ExceptionrEr)rhrprqrsrJgoogle_auth_exceptions$google_auth_impersonated_credentials core_requestsrequest_clientcredrNoriginal_message http_errorrz http_responses r!GetElevationAccessTokenGoogleAuthBImpersonationAccessTokenProvider.GetElevationAccessTokenGoogleAuthsA\=#446N~. / ; ;-) < D  $$&-E ll>"\ K[ " . .+E BBH&*CIC j **QVVAY' s "WW%5i%@ @ # %--GG,V45JJw' )22?? N     && %@  33C DDW+Es=A**E:E  BDE  D"E !D""*E  EcSSKJn SSKJn UR UUUS9nUR 5nUR 5 URU5 U$)z=Creates an ID token credentials for impersonated credentials.rrlrn)target_audiencerW)r|rmr}roIDTokenCredentialsr~rr)rh%google_auth_impersonation_credentialsrPrWrrrrs rGetElevationIdTokenGoogleAuth>ImpersonationAccessTokenProvider.GetElevationIdTokenGoogleAuthsW]= / B B- # C D #446N$$&LL Krc8SSKJn [XR5$)Nrrl)r|rm isinstancer)clsrrs rIsImpersonationCredential:ImpersonationAccessTokenProvider.IsImpersonationCredentials] dLL MMrcSSKJn [5nURR [ U5UlUR R [ U5UlURR [ U5Ulg)a Perform IAM endpoint override if needed. We will override IAM generateAccessToken, signBlob, and generateIdToken endpoint under the following conditions. (1) If the [api_endpoint_overrides/iamcredentials] property is explicitly set, we replace "https://iamcredentials.googleapis.com/" with the given property value in these endpoints. (2) If the property above is not set, and the [core/universe_domain] value is not default, we replace "googleapis.com" with the [core/universe_domain] property value in these endpoints. r)iamN)r|rrc _IAM_ENDPOINTrar`_IAM_SIGN_ENDPOINT_IAM_IDTOKEN_ENDPOINT)rgoogle_auth_iameffective_iam_endpoints rrrSrcobjectrer rrrsy , >)52=*))<3O ! !3:%:JUJ%&P8.MvMr