From 4feb6448ab65267a084ee8a35ee9a5ac4fbe3ba7 Mon Sep 17 00:00:00 2001 From: Daniel Sanche Date: Mon, 30 Mar 2026 15:19:41 -0700 Subject: [PATCH 1/6] chore(auth): add test scripts back to repo --- .../google-auth/scripts/decrypt-secrets.sh | 34 ++++++ .../google-auth/scripts/encrypt-secrets.sh | 34 ++++++ .../scripts/setup_external_accounts.sh | 113 ++++++++++++++++++ 3 files changed, 181 insertions(+) create mode 100755 packages/google-auth/scripts/decrypt-secrets.sh create mode 100755 packages/google-auth/scripts/encrypt-secrets.sh create mode 100755 packages/google-auth/scripts/setup_external_accounts.sh diff --git a/packages/google-auth/scripts/decrypt-secrets.sh b/packages/google-auth/scripts/decrypt-secrets.sh new file mode 100755 index 000000000000..7e7f03bdca53 --- /dev/null +++ b/packages/google-auth/scripts/decrypt-secrets.sh 
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROOT=$( dirname "$DIR" )
+
+# Work from the project root.
+cd $ROOT
+
+# Create working directory if not exists. system_tests/data is not tracked by
+# Git to prevent the secrets from being leaked online.
+mkdir -p system_tests/data
+
+gcloud kms decrypt \
+ --location=global \
+ --keyring=ci \
+ --key=kokoro-secrets \
+ --ciphertext-file=system_tests/secrets.tar.enc \
+ --plaintext-file=system_tests/secrets.tar
+tar xvf system_tests/secrets.tar
+rm system_tests/secrets.tar
diff --git a/packages/google-auth/scripts/encrypt-secrets.sh b/packages/google-auth/scripts/encrypt-secrets.sh
new file mode 100755
index 000000000000..fba27fba0f9d
--- /dev/null
+++ b/packages/google-auth/scripts/encrypt-secrets.sh
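Review bot: The decrypted `system_tests/secrets.tar` is left on disk whenever `tar xvf` fails, because the only cleanup is the unconditional `rm` on the last line and nothing runs on an error path (PATCH 5/6 adds `set -e` to this file, which then makes the script stop before that `rm`). Keeping the plaintext archive off disk altogether is simpler: `gcloud kms decrypt ... --plaintext-file=- | tar xf -`, assuming the installed gcloud accepts `-` for stdout; otherwise register `trap 'rm -f system_tests/secrets.tar' EXIT` right after the `cd`. The `v` flag also echoes every extracted secret filename into the CI log, which `tar xf` avoids.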
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROOT=$( dirname "$DIR" )
+
+# Work from the project root.
+cd $ROOT
+
+tar cvf system_tests/secrets.tar system_tests/data
+
+gcloud kms encrypt \
+ --location=global \
+ --keyring=ci \
+ --key=kokoro-secrets \
+ --plaintext-file=system_tests/secrets.tar \
+ --ciphertext-file=system_tests/secrets.tar.enc
+
+rm system_tests/secrets.tar
+
+rm system_tests/data
\ No newline at end of file
diff --git a/packages/google-auth/scripts/setup_external_accounts.sh b/packages/google-auth/scripts/setup_external_accounts.sh
new file mode 100755
index 000000000000..ecc879b9395f
--- /dev/null
+++ b/packages/google-auth/scripts/setup_external_accounts.sh
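Review bot: Nothing stops the script after a failed `gcloud kms encrypt`, so the two trailing `rm` lines still delete the plaintext archive and `system_tests/data` — the only unencrypted copy of the secrets — even when no `secrets.tar.enc` was produced. PATCH 5/6 adds `set -e` to the other two scripts and changes the last line here to `rm -rf`, but this file never gets the guard, so that later hunk has the same problem. Add `set -e` under the shebang and quote the directory change, `cd "$ROOT"`, which PATCH 5/6 fixes only in decrypt-secrets.sh; with that in place the final deletion runs only once encryption has succeeded.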
@@ -0,0 +1,113 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file is a mostly common setup file to ensure all workload identity
+# federation integration tests are set up in a consistent fashion across the
+# languages in our various client libraries. It assumes that the current user
+# has the relevant permissions to run each of the commands listed.
+
+# This script needs to be run once. It will do the following:
+# 1. Create a random workload identity pool.
+# 2. Create a random OIDC provider in that pool which uses the
+# accounts.google.com as the issuer and the default STS audience as the
+# allowed audience. This audience will be validated on STS token exchange.
+# 3. Enable OIDC tokens generated by the current service account to impersonate
+# the service account. (Identified by the OIDC token sub field which is the
+# service account client ID).
+# 4. Create a random AWS provider in that pool which uses the provided AWS
+# account ID.
+# 5. Enable AWS provider to impersonate the service account. (Principal is
+# identified by the AWS role name).
+# 6. Print out the STS audience fields associated with the created providers
+# after the setup completes successfully so that they can be used in the
+# tests. These will be copied and used as the global _AUDIENCE_OIDC and
+# _AUDIENCE_AWS constants in system_tests/system_tests_sync/test_external_accounts.py.
+#
+# It is safe to run the setup script again. A new pool is created and new
+# audiences are printed. If run multiple times, it is advisable to delete
+# unused pools. Note that deleted pools are soft deleted and may remain for
+# a while before they are completely deleted. The old pool ID cannot be used
+# in the meantime.
+#
+# For AWS tests, an AWS developer account is needed.
+# The following AWS prerequisite setup is needed.
+# 1. An OIDC Google identity provider needs to be created with the following:
+# issuer: accounts.google.com
+# audience: Use the client_id of the service account.
+# 2. A role for OIDC web identity federation is needed with the created Google
+# provider as a trusted entity:
+# "accounts.google.com:aud": "$CLIENT_ID"
+# The steps are documented at:
+# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
+
+suffix=""
+
+function generate_random_string () {
+ local valid_chars=abcdefghijklmnopqrstuvwxyz0123456789
+ for i in {1..8} ; do
+ suffix+="${valid_chars:RANDOM%${#valid_chars}:1}"
+ done
+}
+
+generate_random_string
+
+pool_id="pool-"$suffix
+oidc_provider_id="oidc-"$suffix
+aws_provider_id="aws-"$suffix
+
+# TODO: Fill in.
+project_id="stellar-day-254222"
+project_number="79992041559"
+aws_account_id="077071391996"
+aws_role_name="ci-python-test"
+service_account_email="kokoro@stellar-day-254222.iam.gserviceaccount.com"
+sub="104692443208068386138"
+
+oidc_aud="//iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/providers/$oidc_provider_id"
+aws_aud="//iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/providers/$aws_provider_id"
+
+gcloud config set project $project_id
+
+# Create the Workload Identity Pool.
+gcloud beta iam workload-identity-pools create $pool_id \
+ --location="global" \
+ --description="Test pool" \
+ --display-name="Test pool for Python"
+
+# Create the OIDC Provider.
+gcloud beta iam workload-identity-pools providers create-oidc $oidc_provider_id \
+ --workload-identity-pool=$pool_id \
+ --issuer-uri="https://accounts.google.com" \
+ --location="global" \
+ --attribute-mapping="google.subject=assertion.sub"
+
+# Create the AWS Provider.
+gcloud beta iam workload-identity-pools providers create-aws $aws_provider_id \
+ --workload-identity-pool=$pool_id \
+ --account-id=$aws_account_id \
+ --location="global"
+
+# Give permission to impersonate the service account.
+gcloud iam service-accounts add-iam-policy-binding $service_account_email \
+--role roles/iam.workloadIdentityUser \
+--member "principal://iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/subject/$sub"
+
+gcloud iam service-accounts add-iam-policy-binding $service_account_email \
+ --role roles/iam.workloadIdentityUser \
+ --member "principalSet://iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/attribute.aws_role/arn:aws:sts::$aws_account_id:assumed-role/$aws_role_name"
+
+echo "OIDC audience: "$oidc_aud
+echo "AWS audience: "$aws_aud
+echo "AWS role: arn:aws:iam::$aws_account_id:role/$aws_role_name"
From e1e6626582c8bf57b3eed5d6fa633b1a9626b8f1 Mon Sep 17 00:00:00 2001 From: Daniel Sanche Date: Mon, 30 Mar 2026 15:24:43 -0700 Subject: [PATCH 2/6] emptied out default values --- .../google-auth/scripts/setup_external_accounts.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/packages/google-auth/scripts/setup_external_accounts.sh b/packages/google-auth/scripts/setup_external_accounts.sh
index ecc879b9395f..22d4aa50ba94 100755
--- a/packages/google-auth/scripts/setup_external_accounts.sh
+++ b/packages/google-auth/scripts/setup_external_accounts.sh
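Review bot: `generate_random_string` builds its result by appending to the global `suffix` and leaves the loop index `i` undeclared, so both escape the function; a function that prints its value keeps the state local: `local i; for i in {1..8}; do printf '%s' "${valid_chars:RANDOM%${#valid_chars}:1}"; done` with the caller doing `suffix=$(generate_random_string)`. The expansions handed to `gcloud` (`$pool_id`, `$project_id`, `$service_account_email`, `$aws_account_id`) are unquoted; they hold no whitespace as written, but quoting them costs nothing and keeps the script safe once the placeholders are filled in by hand. `$RANDOM` is adequate here because the suffix only needs to be unique, not unpredictable.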
@@ -68,12 +68,12 @@ oidc_provider_id="oidc-"$suffix aws_provider_id="aws-"$suffix # TODO: Fill in. -project_id="stellar-day-254222" -project_number="79992041559" -aws_account_id="077071391996" -aws_role_name="ci-python-test" -service_account_email="kokoro@stellar-day-254222.iam.gserviceaccount.com" -sub="104692443208068386138" +project_id="" +project_number="" +aws_account_id="" +aws_role_name="" +service_account_email="" +sub="" oidc_aud="//iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/providers/$oidc_provider_id" aws_aud="//iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/providers/$aws_provider_id" From a712ba94fc962fb9f53bd3bf1a7d66fb5b6d5204 Mon Sep 17 00:00:00 2001 From: Daniel Sanche Date: Mon, 30 Mar 2026 15:36:25 -0700 Subject: [PATCH 3/6] improve token handling --- .../system_tests/system_tests_sync/test_external_accounts.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/google-auth/system_tests/system_tests_sync/test_external_accounts.py b/packages/google-auth/system_tests/system_tests_sync/test_external_accounts.py index eb15a011df56..6c489682dba3 100644 --- a/packages/google-auth/system_tests/system_tests_sync/test_external_accounts.py +++ b/packages/google-auth/system_tests/system_tests_sync/test_external_accounts.py @@ -65,9 +65,10 @@ def dns_access_direct(request, project_id): # Apply the default credentials to the headers to make the request. headers = {} - credentials.apply(headers) + url = "https://dns.googleapis.com/dns/v1/projects/{}".format(project_id) + credentials.before_request(request, "GET", url, headers) response = request( - url="https://dns.googleapis.com/dns/v1/projects/{}".format(project_id), + url=url, headers=headers, ) From 6e2830ee8f65c5d10dda5a66b192ab7f0ed202d4 Mon Sep 17 00:00:00 2001 
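Review bot: Emptying the six placeholders leaves every later `gcloud` call runnable with empty strings — `gcloud config set project $project_id` expands to no argument at all, and `$sub` becomes a `…/subject/` binding with nothing after the slash — so a user who forgets the `# TODO: Fill in.` block gets a confusing `gcloud` error only after the pool has been created (the `set -e` that PATCH 5/6 adds stops the script, but not before that point). Guard the values right after the block so the script fails before it creates anything.
```shell
# TODO: Fill in.
project_id=""
# … unchanged: remaining placeholder assignments …
sub=""

# Fail fast with a clear message instead of creating a pool against empty values.
: "${project_id:?project_id must be filled in}"
: "${project_number:?project_number must be filled in}"
: "${aws_account_id:?aws_account_id must be filled in}"
: "${aws_role_name:?aws_role_name must be filled in}"
: "${service_account_email:?service_account_email must be filled in}"
: "${sub:?sub must be filled in}"
```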
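Review bot: `credentials.before_request(request, "GET", url, headers)` signs the headers for a GET, while the `request(url=url, headers=headers)` call below never states its method, so the two stay in sync only through the transport's default; pass `method="GET"` explicitly in the `request(...)` call so the signed method and the sent method cannot drift apart. `dns_access_direct` starts outside the hunk.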
From: Daniel Sanche Date: Mon, 30 Mar 2026 16:16:43 -0700 Subject: [PATCH 4/6] refresh token --- .../system_tests/system_tests_sync/test_external_accounts.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/google-auth/system_tests/system_tests_sync/test_external_accounts.py b/packages/google-auth/system_tests/system_tests_sync/test_external_accounts.py index 6c489682dba3..32a3af49882a 100644 --- a/packages/google-auth/system_tests/system_tests_sync/test_external_accounts.py +++ b/packages/google-auth/system_tests/system_tests_sync/test_external_accounts.py @@ -214,6 +214,8 @@ def check_impersonation_expiration(): request=http_request, ) + credentials.refresh(http_request) + utcmax = _helpers.utcnow() + datetime.timedelta(seconds=TOKEN_LIFETIME_SECONDS) utcmin = utcmax - datetime.timedelta(seconds=BUFFER_SECONDS) assert utcmin < credentials._impersonated_credentials.expiry <= utcmax From 033f17e5736c174df197282100575800a8ff7f7d Mon Sep 17 00:00:00 2001 From: Daniel Sanche Date: Mon, 30 Mar 2026 18:03:39 -0700 Subject: [PATCH 5/6] Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- packages/google-auth/scripts/decrypt-secrets.sh | 3 ++- packages/google-auth/scripts/encrypt-secrets.sh | 2 +- packages/google-auth/scripts/setup_external_accounts.sh | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/packages/google-auth/scripts/decrypt-secrets.sh b/packages/google-auth/scripts/decrypt-secrets.sh index 7e7f03bdca53..4ebda8714563 100755 --- a/packages/google-auth/scripts/decrypt-secrets.sh +++ b/packages/google-auth/scripts/decrypt-secrets.sh @@ -1,4 +1,5 @@ #!/bin/bash +set -e # Copyright 2015 Google Inc. All rights reserved. # 
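Review bot: The added `credentials.refresh(http_request)` carries no comment saying why a refresh is forced at this point; from the assertions that follow it appears to be needed so that `credentials._impersonated_credentials.expiry` is populated before it is compared, but that is inferred rather than visible here. Suggest `# Force a token exchange so the impersonated credentials carry an expiry before it is checked below.` `check_impersonation_expiration` starts outside the hunk.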
@@ -18,7 +19,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" ROOT=$( dirname "$DIR" ) # Work from the project root. -cd $ROOT +cd "$ROOT" # Create working directory if not exists. system_tests/data is not tracked by # Git to prevent the secrets from being leaked online. diff --git a/packages/google-auth/scripts/encrypt-secrets.sh b/packages/google-auth/scripts/encrypt-secrets.sh index fba27fba0f9d..f4c9cac25d86 100755 --- a/packages/google-auth/scripts/encrypt-secrets.sh +++ b/packages/google-auth/scripts/encrypt-secrets.sh @@ -31,4 +31,4 @@ gcloud kms encrypt \ rm system_tests/secrets.tar -rm system_tests/data \ No newline at end of file +rm -rf system_tests/data \ No newline at end of file diff --git a/packages/google-auth/scripts/setup_external_accounts.sh b/packages/google-auth/scripts/setup_external_accounts.sh index 22d4aa50ba94..230ae6372a52 100755 --- a/packages/google-auth/scripts/setup_external_accounts.sh +++ b/packages/google-auth/scripts/setup_external_accounts.sh @@ -1,4 +1,5 @@ #!/bin/bash +set -e # Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); From 0d72206fed464282247e1e462c3ed7c0115ba9cc Mon Sep 17 00:00:00 2001 From: Daniel Sanche Date: Tue, 31 Mar 2026 13:55:17 -0700 Subject: [PATCH 6/6] removed scripts --- .../google-auth/scripts/decrypt-secrets.sh | 35 ------ .../google-auth/scripts/encrypt-secrets.sh | 34 ------ .../scripts/setup_external_accounts.sh | 114 ------------------ 3 files changed, 183 deletions(-) delete mode 100755 packages/google-auth/scripts/decrypt-secrets.sh delete mode 100755 packages/google-auth/scripts/encrypt-secrets.sh delete mode 100755 packages/google-auth/scripts/setup_external_accounts.sh diff --git a/packages/google-auth/scripts/decrypt-secrets.sh b/packages/google-auth/scripts/decrypt-secrets.sh deleted file mode 100755 index 4ebda8714563..000000000000 --- a/packages/google-auth/scripts/decrypt-secrets.sh +++ /dev/null 
@@ -1,35 +0,0 @@
-#!/bin/bash
-set -e
-
-# Copyright 2015 Google Inc. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-ROOT=$( dirname "$DIR" )
-
-# Work from the project root.
-cd "$ROOT"
-
-# Create working directory if not exists. system_tests/data is not tracked by
-# Git to prevent the secrets from being leaked online.
-mkdir -p system_tests/data
-
-gcloud kms decrypt \
- --location=global \
- --keyring=ci \
- --key=kokoro-secrets \
- --ciphertext-file=system_tests/secrets.tar.enc \
- --plaintext-file=system_tests/secrets.tar
-tar xvf system_tests/secrets.tar
-rm system_tests/secrets.tar
diff --git a/packages/google-auth/scripts/encrypt-secrets.sh b/packages/google-auth/scripts/encrypt-secrets.sh
deleted file mode 100755
index f4c9cac25d86..000000000000
--- a/packages/google-auth/scripts/encrypt-secrets.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash
-
-# Copyright 2015 Google Inc. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-ROOT=$( dirname "$DIR" )
-
-# Work from the project root.
-cd $ROOT
-
-tar cvf system_tests/secrets.tar system_tests/data
-
-gcloud kms encrypt \
- --location=global \
- --keyring=ci \
- --key=kokoro-secrets \
- --plaintext-file=system_tests/secrets.tar \
- --ciphertext-file=system_tests/secrets.tar.enc
-
-rm system_tests/secrets.tar
-
-rm -rf system_tests/data
\ No newline at end of file
diff --git a/packages/google-auth/scripts/setup_external_accounts.sh b/packages/google-auth/scripts/setup_external_accounts.sh
deleted file mode 100755
index 230ae6372a52..000000000000
--- a/packages/google-auth/scripts/setup_external_accounts.sh
+++ /dev/null
@@ -1,114 +0,0 @@
-#!/bin/bash
-set -e
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This file is a mostly common setup file to ensure all workload identity
-# federation integration tests are set up in a consistent fashion across the
-# languages in our various client libraries. It assumes that the current user
-# has the relevant permissions to run each of the commands listed.
-
-# This script needs to be run once. It will do the following:
-# 1. Create a random workload identity pool.
-# 2. Create a random OIDC provider in that pool which uses the
-# accounts.google.com as the issuer and the default STS audience as the
-# allowed audience. This audience will be validated on STS token exchange.
-# 3. Enable OIDC tokens generated by the current service account to impersonate
-# the service account. (Identified by the OIDC token sub field which is the
-# service account client ID).
-# 4. Create a random AWS provider in that pool which uses the provided AWS
-# account ID.
-# 5. Enable AWS provider to impersonate the service account. (Principal is
-# identified by the AWS role name).
-# 6. Print out the STS audience fields associated with the created providers
-# after the setup completes successfully so that they can be used in the
-# tests. These will be copied and used as the global _AUDIENCE_OIDC and
-# _AUDIENCE_AWS constants in system_tests/system_tests_sync/test_external_accounts.py.
-#
-# It is safe to run the setup script again. A new pool is created and new
-# audiences are printed. If run multiple times, it is advisable to delete
-# unused pools. Note that deleted pools are soft deleted and may remain for
-# a while before they are completely deleted. The old pool ID cannot be used
-# in the meantime.
-#
-# For AWS tests, an AWS developer account is needed.
-# The following AWS prerequisite setup is needed.
-# 1. An OIDC Google identity provider needs to be created with the following:
-# issuer: accounts.google.com
-# audience: Use the client_id of the service account.
-# 2. A role for OIDC web identity federation is needed with the created Google
-# provider as a trusted entity:
-# "accounts.google.com:aud": "$CLIENT_ID"
-# The steps are documented at:
-# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
-
-suffix=""
-
-function generate_random_string () {
- local valid_chars=abcdefghijklmnopqrstuvwxyz0123456789
- for i in {1..8} ; do
- suffix+="${valid_chars:RANDOM%${#valid_chars}:1}"
- done
-}
-
-generate_random_string
-
-pool_id="pool-"$suffix
-oidc_provider_id="oidc-"$suffix
-aws_provider_id="aws-"$suffix
-
-# TODO: Fill in.
-project_id=""
-project_number=""
-aws_account_id=""
-aws_role_name=""
-service_account_email=""
-sub=""
-
-oidc_aud="//iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/providers/$oidc_provider_id"
-aws_aud="//iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/providers/$aws_provider_id"
-
-gcloud config set project $project_id
-
-# Create the Workload Identity Pool.
-gcloud beta iam workload-identity-pools create $pool_id \
- --location="global" \
- --description="Test pool" \
- --display-name="Test pool for Python"
-
-# Create the OIDC Provider.
-gcloud beta iam workload-identity-pools providers create-oidc $oidc_provider_id \
- --workload-identity-pool=$pool_id \
- --issuer-uri="https://accounts.google.com" \
- --location="global" \
- --attribute-mapping="google.subject=assertion.sub"
-
-# Create the AWS Provider.
-gcloud beta iam workload-identity-pools providers create-aws $aws_provider_id \
- --workload-identity-pool=$pool_id \
- --account-id=$aws_account_id \
- --location="global"
-
-# Give permission to impersonate the service account.
-gcloud iam service-accounts add-iam-policy-binding $service_account_email \
---role roles/iam.workloadIdentityUser \
---member "principal://iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/subject/$sub"
-
-gcloud iam service-accounts add-iam-policy-binding $service_account_email \
- --role roles/iam.workloadIdentityUser \
- --member "principalSet://iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/attribute.aws_role/arn:aws:sts::$aws_account_id:assumed-role/$aws_role_name"
-
-echo "OIDC audience: "$oidc_aud
-echo "AWS audience: "$aws_aud
-echo "AWS role: arn:aws:iam::$aws_account_id:role/$aws_role_name"