feat: VM Indentity samples added. (#5884)

* feat: VM Indentity samples added.

Co-authored-by: Charles Engelke <[email protected]>

Author: m-strzelczyk

compute/metadata/requirements.txt

@@ -1 +1,2 @@
 requests==2.25.1
+google-auth==1.30.0

compute/metadata/vm_identity.py

@@ -0,0 +1,65 @@
+#!/usr/bin/env python
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START compute_vm_identity_verify_token]
+import pprint
+
+import google.auth.transport.requests
+from google.oauth2 import id_token
+
+# [END compute_vm_identity_verify_token]
+
+# [START compute_vm_identity_acquire_token]
+import requests
+
+AUDIENCE_URL = 'http://www.example.com'
+METADATA_HEADERS = {'Metadata-Flavor': 'Google'}
+METADATA_VM_IDENTITY_URL = 'http://metadata.google.internal/computeMetadata/v1/' \
+                           'instance/service-accounts/default/identity?' \
+                           'audience={}&format={}&licenses={}'
+FORMAT = 'full'
+LICENSES = 'TRUE'
+
+
+def acquire_token(audience: str = AUDIENCE_URL) -> str:
+    # Construct a URL with the audience and format.
+    url = METADATA_VM_IDENTITY_URL.format(audience, FORMAT, LICENSES)
+
+    # Request a token from the metadata server.
+    r = requests.get(url, headers=METADATA_HEADERS)
+    # Extract and return the token from the response.
+    r.raise_for_status()
+    return r.text
+
+
+# [END compute_vm_identity_acquire_token]
+
+# [START compute_vm_identity_verify_token]
+
+
+def verity_token(token: str, audience: str) -> dict:
+    """Verify token signature and return the token payload"""
+    request = google.auth.transport.requests.Request()
+    payload = id_token.verify_token(token, request=request, audience=audience)
+    return payload
+
+# [END compute_vm_identity_verify_token]
+
+
+if __name__ == '__main__':
+    token_ = acquire_token()
+    print("Received token:", token_)
+    print("Token verification:")
+    pprint.pprint(verity_token(acquire_token(AUDIENCE_URL), AUDIENCE_URL))

compute/metadata/vm_identity_test.py

@@ -0,0 +1,40 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import pytest
+import requests
+
+import vm_identity
+
+AUDIENCE = 'http://www.testing.com'
+
+
+def test_vm_identity():
+    try:
+        # Check if we're running in a GCP VM:
+        r = requests.get('http://metadata.google.internal/computeMetadata/v1/project/project-id',
+                         headers={'Metadata-Flavor': 'Google'})
+        project_id = r.text
+    except requests.exceptions.ConnectionError:
+        # Guess we're not running in a GCP VM, we need to skip this test
+        pytest.skip("Test can only be run inside GCE VM.")
+        return
+
+    token = vm_identity.acquire_token(AUDIENCE)
+    assert isinstance(token, str) and token
+    verification = vm_identity.verity_token(token, AUDIENCE)
+    assert isinstance(verification, dict) and verification
+    assert verification['aud'] == AUDIENCE
+    assert verification['email_verified']
+    assert verification['iss'] == 'https://accounts.google.com'
+    assert verification['google']['compute_engine']['project_id'] == project_id