
     1  #!/usr/bin/python
     2  
     3  # Copyright 2018 Istio Authors
     4  #
     5  # Licensed under the Apache License, Version 2.0 (the "License");
     6  # you may not use this file except in compliance with the License.
     7  # You may obtain a copy of the License at
     8  #
     9  #     http://www.apache.org/licenses/LICENSE-2.0
    10  #
    11  # Unless required by applicable law or agreed to in writing, software
    12  # distributed under the License is distributed on an "AS IS" BASIS,
    13  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14  # See the License for the specific language governing permissions and
    15  # limitations under the License.
    16  
    17  """Python script generates a JWT signed by a Google service account
    18  
    19  Example:
    20  ./sa-jwt.py  --iss example-issuer --aud foo,bar --claims=email:foo@google.com,dead:beef key.json
    21  """
    22  from __future__ import print_function
    23  import argparse
    24  import time
    25  
    26  import google.auth.crypt
    27  import google.auth.jwt
    28  
    29  
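def main(args):
    """Generate a signed JSON Web Token using a Google API Service Account.

    Args:
        args: parsed command-line namespace carrying ``service_account_file``
            (path to the JSON key file) plus the optional string attributes
            ``iss``, ``sub``, ``aud`` and ``claims`` as defined by the
            argparse parser at the bottom of this script.

    Returns:
        The signed token exactly as returned by ``google.auth.jwt.encode``.

    Raises:
        ValueError: if an item of ``args.claims`` is not in ``name:value`` form.
    """
    signer = google.auth.crypt.RSASigner.from_service_account_file(
        args.service_account_file)
    now = int(time.time())
    payload = {
        # Fixed one-hour lifetime, measured from the moment of signing.
        "exp": now + 3600,
        "iat": now,
    }
    if args.iss:
        payload["iss"] = args.iss

    # "sub" falls back to "iss"; only emit the key when there is a value so a
    # token built without --iss/--sub does not carry "sub": null.
    subject = args.sub or args.iss
    if subject:
        payload["sub"] = subject

    if args.aud:
        # A comma-separated list becomes a JSON array; a single audience
        # stays a plain string.
        payload["aud"] = args.aud.split(",") if "," in args.aud else args.aud

    if args.claims:
        for item in args.claims.split(","):
            # Split on the first ':' only, so values that themselves contain
            # colons (URLs, times) are kept intact instead of raising.
            name, sep, value = item.partition(":")
            if not sep or not name:
                raise ValueError(
                    "claim %r is not in name:value format" % (item,))
            # Extra claims are applied last, so a name that collides with
            # one of the standard claims above (exp, iat, iss, sub, aud)
            # replaces it. That is what lets the tool mint tokens with
            # custom lifetimes for tests; be aware of it when scripting.
            payload[name] = value

    return google.auth.jwt.encode(signer, payload)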
    61  
    62  
if __name__ == '__main__':
    # Command-line front end: one positional key-file path and four optional
    # claim flags, each accepting a single-dash and a double-dash spelling.
    parser = argparse.ArgumentParser(
        description=__doc__,
        formatter_class=argparse.RawDescriptionHelpFormatter)
    parser.add_argument(
        'service_account_file',
        help='The path to your service account key file (in JSON format).')
    # (flag name, help text) in the order they appear in --help.
    claim_flags = (
        ("iss", "iss claim. This should be your service account email."),
        ("aud", "aud claim. This is comma-separated-list of audiences"),
        ("sub", "sub claim. If not provided, it is set to the same as iss claim."),
        ("claims", "Other claims in format name1:value1,name2:value2 etc. Only string values are supported."),
    )
    for flag, flag_help in claim_flags:
        parser.add_argument("-" + flag, "--" + flag, help=flag_help)
    print(main(parser.parse_args()))