cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

[GCE] Support default credentials (#22723)

Browse source 
Add support for default credentials. Practically, this means that a playbook creator would not have to specify the service_account_email or credentials_file Ansible parameters.

Default Credentials only work when running on Google Cloud Platform. The 'project_id' is still required.

A test has been added to trigger this condition.
This commit is contained in:
Tom Melendez 2017-03-16 17:10:07 -07:00 committed by Matt Davis
parent ffa4f0c427
commit f5f6cf467e
2 changed files with 72 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
lib/ansible/module_utils/gcp.py
View file

@ -155,6 +155,8 @@ def _get_gcp_credentials(module, require_valid_json=True, check_libcloud=False):
Additionally, flags may be set to require valid json and check the libcloud Additionally, flags may be set to require valid json and check the libcloud
version. version.
AnsibleModule.fail_json is called only if the project_id cannot be found.
:param module: initialized Ansible module object :param module: initialized Ansible module object
:type module: `class AnsibleModule` :type module: `class AnsibleModule`
@ -190,16 +192,24 @@ def _get_gcp_credentials(module, require_valid_json=True, check_libcloud=False):
if credentials_file is None or project_id is None or service_account_email is None: if credentials_file is None or project_id is None or service_account_email is None:
if check_libcloud is True: if check_libcloud is True:
if project_id is None:
# TODO(supertom): this message is legacy and integration tests depend on it. # TODO(supertom): this message is legacy and integration tests depend on it.
module.fail_json(msg='Missing GCE connection parameters in libcloud ' module.fail_json(msg='Missing GCE connection parameters in libcloud '
'secrets file.') 'secrets file.')
return None
else: else:
if credentials_file is None or project_id is None: if project_id is None:
module.fail_json(msg=('GCP connection error: unable to determine project (%s) or ' module.fail_json(msg=('GCP connection error: unable to determine project (%s) or '
'credentials file (%s)' % (project_id, credentials_file))) 'credentials file (%s)' % (project_id, credentials_file)))
# Set these fields to empty strings if they are None
# consumers of this will make the distinction between an empty string
# and None.
if credentials_file is None:
credentials_file = ''
if service_account_email is None:
service_account_email = ''
# ensure the credentials file is found and is in the proper format. # ensure the credentials file is found and is in the proper format.
if credentials_file:
_validate_credentials_file(module, credentials_file, _validate_credentials_file(module, credentials_file,
require_valid_json=require_valid_json, require_valid_json=require_valid_json,
check_libcloud=check_libcloud) check_libcloud=check_libcloud)
@ -279,6 +289,9 @@ def get_google_cloud_credentials(module, scopes=[]):
""" """
Get credentials object for use with Google Cloud client. Get credentials object for use with Google Cloud client.
Attempts to obtain credentials by calling _get_gcp_credentials. If those are
not present will attempt to connect via Application Default Credentials.
To connect via libcloud, don't use this function, use gcp_connect instead. For To connect via libcloud, don't use this function, use gcp_connect instead. For
Google Python API Client, see get_google_api_auth for how to connect. Google Python API Client, see get_google_api_auth for how to connect.
@ -314,8 +327,10 @@ def get_google_cloud_credentials(module, scopes=[]):
if scopes: if scopes:
credentials = credentials.with_scopes(scopes) credentials = credentials.with_scopes(scopes)
else: else:
credentials = google.auth.default( (credentials, project_id) = google.auth.default(
scopes=scopes)[0] scopes=scopes)
if project_id is not None:
conn_params['project_id'] = project_id
return (credentials, conn_params) return (credentials, conn_params)
except Exception as e: except Exception as e:

47
test/units/module_utils/gcp/test_auth.py
View file

@ -1,5 +1,5 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# (c) 2016, Tom Melendez <tom@supertom.com> # (c) 2016, Tom Melendez (@supertom) <tom@supertom.com>
# #
# This file is part of Ansible # This file is part of Ansible
# #
@ -18,8 +18,10 @@
import os import os
import sys import sys
import pytest
from ansible.compat.tests import mock, unittest from ansible.compat.tests import mock, unittest
from ansible.module_utils.gcp import (_get_gcp_ansible_credentials, _get_gcp_environ_var, from ansible.module_utils.gcp import (_get_gcp_ansible_credentials, _get_gcp_credentials, _get_gcp_environ_var,
_get_gcp_libcloud_credentials, _get_gcp_environment_credentials, _get_gcp_libcloud_credentials, _get_gcp_environment_credentials,
_validate_credentials_file) _validate_credentials_file)
@ -31,21 +33,32 @@ def fake_get_gcp_environ_var(var_name, default_value):
else: else:
return fake_env_data[var_name] return fake_env_data[var_name]
class GCPAuthTestCase(unittest.TestCase): # Fake AnsibleModule for use in tests
"""Tests to verify different Auth mechanisms.""" class FakeModule(object):
def test_get_gcp_ansible_credentials(self):
# create a fake (AnsibleModule) object to pass to the function
class FakeModule(object):
class Params(): class Params():
data = {} data = {}
def get(self, key, alt=None): def get(self, key, alt=None):
if key in self.data: if key in self.data:
return self.data[key] return self.data[key]
else: else:
return alt return alt
def __init__(self, data={}): def __init__(self, data={}):
self.params = FakeModule.Params() self.params = FakeModule.Params()
self.params.data = data self.params.data = data
def fail_json(self, **kwargs):
raise ValueError("fail_json")
class GCPAuthTestCase(unittest.TestCase):
"""Tests to verify different Auth mechanisms."""
def setup_method(self, method):
global fake_env_data
fake_env_data = {'GCE_EMAIL': 'gce-email'}
def test_get_gcp_ansible_credentials(self):
input_data = {'service_account_email': 'mysa', input_data = {'service_account_email': 'mysa',
'credentials_file': 'path-to-file.json', 'credentials_file': 'path-to-file.json',
'project_id': 'my-cool-project'} 'project_id': 'my-cool-project'}
@ -179,3 +192,23 @@ class GCPAuthTestCase(unittest.TestCase):
expected = tuple(['my-sa-email', '/path/to/creds.json', 'my-project']) expected = tuple(['my-sa-email', '/path/to/creds.json', 'my-project'])
actual = _get_gcp_environment_credentials('my-sa-email', '/path/to/creds.json', None) actual = _get_gcp_environment_credentials('my-sa-email', '/path/to/creds.json', None)
self.assertEqual(expected, actual) self.assertEqual(expected, actual)
@mock.patch('ansible.module_utils.gcp._get_gcp_environ_var',
side_effect=fake_get_gcp_environ_var)
def test_get_gcp_credentials(self, mockobj):
global fake_env_data
fake_env_data = {}
module = FakeModule()
module.params.data = {}
# Nothing is set, calls fail_json
with pytest.raises(ValueError):
_get_gcp_credentials(module)
# project_id (only) is set from Ansible params.
module.params.data['project_id'] = 'my-project'
actual = _get_gcp_credentials(module, require_valid_json=True, check_libcloud=False)
expected = {'service_account_email': '',
'project_id': 'my-project',
'credentials_file': ''}
self.assertEqual(expected, actual)