iap/make_iap_request.py (26 lines of code) (raw):

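# Copyright 2016 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""Example use of a service account to authenticate to Identity-Aware Proxy."""

# [START iap_make_request]
from google.auth.transport.requests import Request
from google.oauth2 import id_token
import requests


def make_iap_request(url, client_id, method="GET", **kwargs):
    """Makes a request to an application protected by Identity-Aware Proxy.

    The OIDC token obtained here is a bearer credential and is sent to
    ``url`` in the Authorization header, so ``url`` should be the HTTPS
    endpoint of the IAP-protected application and nothing else.

    Args:
      url: The Identity-Aware Proxy-protected URL to fetch.
      client_id: The client ID used by Identity-Aware Proxy. It is passed as
          the audience when the ID token is fetched.
      method: The request method to use
          ('GET', 'OPTIONS', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE')
      **kwargs: Any of the parameters defined for the request function:
          https://github.com/requests/requests/blob/master/requests/api.py
          If no timeout is provided, it is set to 90 by default.
          A caller-supplied ``headers`` mapping is merged with the
          Authorization header built here; any Authorization entry in it
          (in any letter case) is replaced.

    Returns:
      The page body.

    Raises:
      Exception: If the response status is 403 or anything other than 200.
          For non-403 failures the message embeds the response status,
          headers and body, so treat it as potentially sensitive when
          logging it.
    """
    # Set the default timeout, if missing, so the call cannot block forever.
    kwargs.setdefault("timeout", 90)

    # Obtain an OpenID Connect (OIDC) token from metadata server or using
    # service account.
    open_id_connect_token = id_token.fetch_id_token(Request(), client_id)

    # Passing headers= explicitly while the caller also supplied "headers" in
    # kwargs would raise TypeError (duplicate keyword argument), so take the
    # caller's headers out of kwargs and merge them here. Any caller-provided
    # Authorization value is dropped case-insensitively so that exactly one
    # Authorization header, the one carrying the IAP token, is sent.
    caller_headers = kwargs.pop("headers", None) or {}
    headers = {
        name: value
        for name, value in caller_headers.items()
        if name.lower() != "authorization"
    }
    headers["Authorization"] = "Bearer {}".format(open_id_connect_token)

    # Fetch the Identity-Aware Proxy-protected URL, including an
    # Authorization header containing "Bearer " followed by a
    # Google-issued OpenID Connect token for the service account.
    resp = requests.request(method, url, headers=headers, **kwargs)

    if resp.status_code == 403:
        raise Exception(
            "Service account does not have permission to "
            "access the IAP-protected application."
        )
    if resp.status_code != 200:
        # NOTE(review): this message includes the full response headers and
        # body; avoid writing it to shared logs unredacted.
        raise Exception(
            "Bad response from application: {!r} / {!r} / {!r}".format(
                resp.status_code, resp.headers, resp.text
            )
        )
    return resp.text


# [END iap_make_request]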