How to get a GCP identity-token programmatically with python

Question

What is the python programmatic alternative to the gcloud command line gcloud auth print-identity-token?

I am trying to invoke Google Cloud Function by http trigger (only for auth users) and i need to pass the identity token in the Authentication header. I have method which works great when i run the code on GCP app engine. However, i struggle to find a way to get this identity token when i run the program on my own machine (where i can create the token with gcloud command line gcloud auth print-identity-token)

I found how to create access-token according to this answer but i didn't managed to understand how can i create identity-token.

Thank you in advance!

Answer 1

Great topic! And it's a long long way, and months of tests and discussion with Google.

TL;DR: you can't generate an identity token with your user credential, you need to have a service account (or to impersonate a service) to generate an identity token.

If you have a service account key file, I can share a piece of code to generate an identity token, but generating and having a service account key file is globally a bad practice.

---

I released an article on this and 2 merge requests to implement an evolution in the Java Google auth library (I'm more Java developer that python developer even if I also contribute to python OSS project) here and here. You can read them if you want to understand what is missing and how works the gcloud command today.

On the latest merge request, I understood that something is coming from google, internally, but up to now, I didn't see anything...

Answer 2

Struggled a bit to find the ideal solution for generating the token programatically, but found it in the official documentation itself eventually.

Sharing the python code snippet from the same

import urllib

import google.auth.transport.requests
import google.oauth2.id_token


def make_authorized_get_request(endpoint, audience):
    """
    make_authorized_get_request makes a GET request to the specified HTTP endpoint
    by authenticating with the ID token obtained from the google-auth client library
    using the specified audience value.
    """

    # Cloud Functions uses your function's URL as the `audience` value
    # audience = https://project-region-projectid.cloudfunctions.net/myFunction
    # For Cloud Functions, `endpoint` and `audience` should be equal

    req = urllib.request.Request(endpoint)

    auth_req = google.auth.transport.requests.Request()
    id_token = google.oauth2.id_token.fetch_id_token(auth_req, audience)

    req.add_header("Authorization", f"Bearer {id_token}")
    response = urllib.request.urlopen(req)

    return response.read()

Here's the link, hope it helps. Worked for me.