XiwSrSSKrSSKrSSKJr SSKrSSKrSSKrSSK r SSK r SSK J r SSK Jr SSK Jr SSK Jr SSK Jr SrS rS rS r"S S \5rSrSrSrS04Sjr"SS\R85rg)aAWS Credentials and AWS Signature V4 Request Signer. This module provides credentials to access Google Cloud resources from Amazon Web Services (AWS) workloads. These credentials are recommended over the use of service account credentials in AWS as they do not involve the management of long-live service account private keys. AWS Credentials are initialized using external_account arguments which are typically loaded from the external credentials JSON file. Unlike other Credentials that can be initialized with a list of explicit arguments, secrets or credentials, external account clients use the environment and hints/guidelines provided by the external_account JSON file to retrieve credentials and exchange them for Google access tokens. This module also provides a basic implementation of the `AWS Signature Version 4`_ request signing algorithm. AWS Credentials use serialized signed requests to the `AWS STS GetCallerIdentity`_ API that can be exchanged for Google access tokens via the GCP STS endpoint. .. _AWS Signature Version 4: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html .. _AWS STS GetCallerIdentity: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html N)urljoin)_helpers)environment_vars) exceptions)external_accountzAWS4-HMAC-SHA256 aws4_requestzx-amz-security-tokenz x-amz-datec,\rSrSrSrSrS04SjrSrg) RequestSignerBzImplements an AWS request signer based on the AWS Signature Version 4 signing process. https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html cXlg)zInstantiates an AWS request signer used to compute authenticated signed requests to AWS APIs based on the AWS Signature Version 4 signing process. Args: region_name (str): The AWS region to use. N _region_name)self region_names :/app/.venv/lib/python3.13/site-packages/google/auth/aws.py__init__RequestSigner.__init__Hs (c  URS5nURS5nURS5nU=(d 0n[RRU5n [RR[ U[ R "U R555n U R(aU RS:wa[R"S5e[U RU R=(d S[U R5UURUUUUUS9 n U RS5U RS .n S U ;aU RS 5U [ 'UH n X]X'M UbX["'X#U S .nU(aXNS 'U$) aGenerates the signed request for the provided HTTP request for calling an AWS API. This follows the steps described at: https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html Args: aws_security_credentials (Mapping[str, str]): A dictionary containing the AWS security credentials. url (str): The AWS service URL containing the canonical URI and query string. method (str): The HTTP method used to call this API. request_payload (Optional[str]): The optional request payload if available. additional_headers (Optional[Mapping[str, str]]): The optional additional headers needed for the requested AWS API. Returns: Mapping[str, str]: The AWS signed request dictionary object. access_key_idsecret_access_keysecurity_tokenhttpszInvalid AWS service URL/) host canonical_uricanonical_querystringmethodregion access_key secret_keyrrequest_payloadadditional_headersauthorization_header) Authorizationramz_dateurlrheadersdata)geturllibparseurlparser posixpathnormpathpathhostnameschemerInvalidResource#_generate_authentication_header_map_get_canonical_querystringqueryr_AWS_DATE_HEADER_AWS_SECURITY_TOKEN_HEADER)raws_security_credentialsr)rr#r$r!r"rurinormalized_uri header_mapr*keysigned_requests rget_request_options!RequestSigner.get_request_optionsRsk6.11/B -112EF 1556FG/52ll##C( .. C++CHH5 6 ||szzW4,,-FG G8(--4"FV)Hh-Ii0I rrc URS5Sn [R"5n U RS5n U RS5n 0nU HnXXR 5'M UbX~[ 'XS'SU;aX[ 'Sn[UR55nUR5 UHnSRUXU5nM S RU5n[R"U=(d SRS 55R5nS RUUUUUU5nS RXU [ 5nS R["U U[R"URS 55R55n[%XmXJ5n[&R("UURS 5[R5R5nSR["UUUU5nSU0nSU;aU US'U$)aGenerates the authentication header map needed for generating the AWS Signature Version 4 signed request. Args: host (str): The AWS service URL hostname. canonical_uri (str): The AWS service URL path name. canonical_querystring (str): The AWS service URL query string. method (str): The HTTP method used to call this API. region (str): The AWS region. access_key (str): The AWS access key ID. secret_key (str): The AWS secret access key. security_token (Optional[str]): The AWS security session token. This is available for temporary sessions. request_payload (Optional[str]): The optional request payload if available. additional_headers (Optional[Mapping[str, str]]): The optional additional headers needed for the requested AWS API. Returns: Mapping[str, str]: The AWS authentication header dictionary object. This contains the x-amz-date and authorization header information. .rz%Y%m%dT%H%M%SZz%Y%m%drdaterz{}{}:{} ;r\z{} {} {} {} {} {}z {}/{}/{}/{}z {} {} {} {}z3{} Credential={}/{}, SignedHeaders={}, Signature={}r%r')splitrutcnowstrftimelowerr:r9rQrRrPrSrTr`rar_ hexdigest_AWS_REQUEST_TYPE_AWS_ALGORITHMrmr]r^)rrrrr r!r"rr#r$rh current_timer'rg full_headersr?canonical_headers header_keyssigned_headers payload_hashcanonical_requestcredential_scopestring_to_sign signing_key signaturer%authentication_headers rr6r6sH::c?1%L??$L$$%56H&&x0JL!$6$; YY[!"!3A/0  \!)1%&|((*+K'.. s$5 XXk*N>>?#8b"@"@"IJTTVL177 %++L*; &,,(//89CCE N#:6PK^**73W^^ik QWW $4ni45IJ \!,4j)  rc^\rSrSrSrSU4SjjrSrSrSrSr Sr S r U4S jr \ U4S j5r\ U4S j5rS rU=r$) CredentialsiUzAWS external account credentials. This is used to exchange serialized AWS signature v4 signed requests to AWS STS GetCallerIdentity service for Google access tokens. c>[[U] "UUUUUS.UD6 U=(d 0nURS5=(d SUlURS5UlURS5UlURS5UlURS5UlSUl SUl Xl [R"S UR5nU(aUR5upOS upUS :wd URc[R "S 5e[#U =(d S5S :wa%[R$"SR'U 55eg)aInstantiates an AWS workload external account credentials object. Args: audience (str): The STS audience field. subject_token_type (str): The subject token type. token_url (str): The STS endpoint URL. credential_source (Mapping): The credential source dictionary used to provide instructions on how to retrieve external credential to be exchanged for Google access tokens. args (List): Optional positional arguments passed into the underlying :meth:`~external_account.Credentials.__init__` method. kwargs (Mapping): Optional keyword arguments passed into the underlying :meth:`~external_account.Credentials.__init__` method. Raises: google.auth.exceptions.RefreshError: If an error is encountered during access token retrieval logic. ValueError: For invalid parameters. .. note:: Typically one of the helper constructors :meth:`from_file` or :meth:`from_info` are used instead of calling the constructor directly. )audiencesubject_token_type token_urlcredential_sourceenvironment_idr region_urlr)regional_cred_verification_urlimdsv2_session_token_urlNz^(aws)([\d]+)$)NNawsz)No valid AWS 'credential_source' providedz7aws version '{}' is not supported in the current build.)superrrr,_environment_id _region_url_security_credentials_url_cred_verification_url_imdsv2_session_token_url_region_request_signer_target_resourcerematchgroupsrr5int InvalidValuerS) rrrrrargskwargsmatchesenv_id env_version __class__s rrCredentials.__init__[s\< k4)  1/    .30445EFL",00>):)>)>u)E&&7&;&; ,' #*;)>)> &* & # (((,d.B.BC ").."2 FK". F U?d99A,,; " #q ())IPP )rcUbvURbiUR5(aTSS0nU"URSUS9nURS:wa![R"SUR 5eUR nOSnUR c;URXRU5Ul [UR5UlURX5nUR RUURRSUR5S 5nURS 5nUR US '0nURS 5US 'URS 5US '/US '[#UR%55Hn US R'XU S.5 M [(R*R-[.R0"USSS95$)aRetrieves the subject token using the credential_source object. The subject token is a serialized `AWS GetCallerIdentity signed request`_. The logic is summarized as: Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION environment variable or from the AWS metadata server availability-zone if not found in the environment variable. Check AWS credentials in environment variables. If not found, retrieve from the AWS metadata server security-credentials endpoint. When retrieving AWS credentials from the metadata server security-credentials endpoint, the AWS role needs to be determined by calling the security-credentials endpoint without any argument. Then the credentials can be retrieved via: security-credentials/role_name Generate the signed request to AWS STS GetCallerIdentity action. Inject x-goog-cloud-target-resource into header and serialize the signed request. This will be the subject-token to pass to GCP STS. .. _AWS GetCallerIdentity signed request: https://cloud.google.com/iam/docs/access-resources-aws#exchange-token Args: request (google.auth.transport.Request): A callable used to make HTTP requests. Returns: str: The retrieved subject token. Nz$X-aws-ec2-metadata-token-ttl-seconds300PUTr(z$Unable to retrieve AWS Session Tokenz{region}POSTr*zx-goog-cloud-target-resourcer)r)r?value),:T) separators sort_keys)r_should_use_metadata_serverstatusr RefreshErrorr+r _get_regionrrr _get_security_credentialsrArreplacer,rsortedrRrOr-r.rNjsondumps) rrequestr*imdsv2_session_token_responseimdsv2_session_tokenr;request_optionsrequest_headersaws_signed_reqr?s rretrieve_subject_token"Credentials.retrieve_subject_tokensD  ..:0022=uEG,3225'- )-33s: --:166 $A#E#E #'     '++))+?DL$1#>D $(#A#A $  ..BB $  ' ' / / DLL I  "*--i8 ;?:O:O67  / 3 3E :u#2#6#6x#@x $&y!/..01C 9 % , ,c&:; 2 ||!! JJ~* M  rc*[RR[R5nUbU$[RR[R 5nUbU$UR (d[R"S5eSnUbSU0nU"UR SUS9n[URS5(aURRS5O URnURS:wa[R"S U5eUSS $) a>Retrieves the current AWS region from either the AWS_REGION or AWS_DEFAULT_REGION environment variable or from the AWS metadata server. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. url (str): The AWS metadata server region URL. imdsv2_session_token (str): The AWS IMDSv2 session token to be added as a header in the requests to AWS metadata endpoint. Returns: str: The current AWS region. Raises: google.auth.exceptions.RefreshError: If an error occurs while retrieving the AWS region. NzUnable to determine AWS regionX-aws-ec2-metadata-tokenGETr(decoder\rzUnable to retrieve AWS region) osenvironr,r AWS_REGIONAWS_DEFAULT_REGIONrrrhasattrr+rr)rrr)renv_aws_regionr*response response_bodys rrCredentials._get_regions*(8(C(CD  %! !(8(K(KL  %! !))*JK K  +13GHGt//wO x}}h// MM  )  ??c !))/  Sb!!rc[RR[R5n[RR[R 5n[RR[R 5nU(a U(aUUUS.$URX5nURXU5nURS5URS5URS5S.$)a`Retrieves the AWS security credentials required for signing AWS requests from either the AWS security credentials environment variables or from the AWS metadata server. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. imdsv2_session_token (str): The AWS IMDSv2 session token to be added as a header in the requests to AWS metadata endpoint. Returns: Mapping[str, str]: The AWS security credentials dictionary object. Raises: google.auth.exceptions.RefreshError: If an error occurs while retrieving the AWS security credentials. )rrr AccessKeyIdSecretAccessKeyToken) rrr,rAWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_SESSION_TOKEN_get_metadata_role_name"_get_metadata_security_credentials)rrrenv_aws_access_key_idenv_aws_secret_access_keyenv_aws_session_token role_name credentialss rr%Credentials._get_security_credentialsFs*!# /?/Q/Q R$&JJNN  2 2% !!# /?/Q/Q R %>!6%>"7 00O ==  4 )__];!,1B!C)oog6  rczSS0nUbX4S'U"SRURU5SUS9n[URS5(aURR S5O URnUR [ R:wa[R"S U5e[R"U5nU$) aRetrieves the AWS security credentials required for signing AWS requests from the AWS metadata server. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. role_name (str): The AWS role name required by the AWS metadata server security_credentials endpoint in order to return the credentials. imdsv2_session_token (str): The AWS IMDSv2 session token to be added as a header in the requests to AWS metadata endpoint. Returns: Mapping[str, str]: The AWS metadata server security credentials response. Raises: google.auth.exceptions.RefreshError: If an error occurs while retrieving the AWS security credentials. z Content-Typezapplication/jsonrz{}/{}rr(rr\z+Unable to retrieve AWS security credentials) rSrrr+rr http_clientOKrrrloads)rrrrr*rrcredentials_responses rr.Credentials._get_metadata_security_credentialsvs."#56  +2F. /t==yI x}}h// MM  )  ??knn ,))=}  $zz-8##rcpURc[R"S5eSnUbSU0nU"URSUS9n[URS5(aURR S5O URnUR [R:wa[R"SU5eU$) aRetrieves the AWS role currently attached to the current AWS workload by querying the AWS metadata server. This is needed for the AWS metadata server security credentials endpoint in order to retrieve the AWS security credentials needed to sign requests to AWS APIs. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. imdsv2_session_token (str): The AWS IMDSv2 session token to be added as a header in the requests to AWS metadata endpoint. Returns: str: The AWS role name. Raises: google.auth.exceptions.RefreshError: If an error occurs while retrieving the AWS role name. NzIUnable to determine the AWS metadata server security credentials endpointrrr(rr\z Unable to retrieve AWS role name) rrrrr+rrrr)rrrr*rrs rr#Credentials._get_metadata_role_names&  ) ) 1))[   +13GHG..ug x}}h// MM  )  ??knn ,))2M rc[RR[R5(d3[RR[R 5(dg[RR[R 5(a2[RR[R5(dgg)NTF)rrr,rrrrr)rs rr'Credentials._should_use_metadata_serverszz~~.99::2::>>  / /D D  zz~~.@@AA  2 2J J rc6>[[U] 5nSUS'U$)Nrsource)rr_create_default_metrics_options)rmetrics_optionsrs rr+Credentials._create_default_metrics_optionss" TRT$)!rc .>[[U] "U40UD6$)aZCreates an AWS Credentials instance from parsed external account info. Args: info (Mapping[str, str]): The AWS external account info in Google format. kwargs: Additional arguments to pass to the constructor. Returns: google.auth.aws.Credentials: The constructed credentials. Raises: ValueError: For invalid parameters. )rr from_info)clsinforrs rrCredentials.from_infos[#0@@@rc .>[[U] "U40UD6$)aCreates an AWS Credentials instance from an external account json file. Args: filename (str): The path to the AWS external account json file. kwargs: Additional arguments to pass to the constructor. Returns: google.auth.aws.Credentials: The constructed credentials. )rr from_file)rfilenamerrs rrCredentials.from_files[#0DVDDr)rrrrrrrr)N)rCrDrErFrGrrrrrrrr classmethodrrrH __classcell__)rs@rrrUsi DLm ^4"l. `/$b,\& AA  E Err)rGr`r] http.clientclientrrrr0rr- urllib.parser google.authrrrrrxrwr:r9objectr r7rdrmr6rrIrrrs2 !  ("($#3ZFZz!/H G<l!^tE"..tEr