為 Workload Identity 聯盟與 AWS 建立權杖
透過集合功能整理內容
你可以依據偏好儲存及分類內容。
建立 IAM Workload Identity Federation 可驗證的權杖,且不會揭露 AWS 私密存取金鑰。
深入探索
如需包含這個程式碼範例的詳細說明文件,請參閱下列內容:
程式碼範例
除非另有註明,否則本頁面中的內容是採用創用 CC 姓名標示 4.0 授權,程式碼範例則為阿帕契 2.0 授權。詳情請參閱《Google Developers 網站政策》。Java 是 Oracle 和/或其關聯企業的註冊商標。
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],[],[[["\u003cp\u003eThis code sample demonstrates how to create a token for IAM Workload Identity Federation that can be verified without using the AWS secret access key.\u003c/p\u003e\n"],["\u003cp\u003eThe token is generated by preparing and signing a GetCallerIdentity request using the boto3 library.\u003c/p\u003e\n"],["\u003cp\u003eThe generated token includes the request URL, method, and headers, which allows the Workload Identity Federation to verify the identity.\u003c/p\u003e\n"],["\u003cp\u003eTo authenticate to IAM, setting up Application Default Credentials is required, particularly within local environments.\u003c/p\u003e\n"],["\u003cp\u003eThe example uses placeholders for the project number, pool ID, and provider ID, which must be replaced with actual values.\u003c/p\u003e\n"]]],[],null,["# Create a token for Workload Identity Federation with AWS\n\nCreates a token that IAM Workload Identity Federation can verify without revealing the AWS secret access key.\n\nExplore further\n---------------\n\n\nFor detailed documentation that includes this code sample, see the following:\n\n- [Configure Workload Identity Federation with AWS or Azure VMs](/iam/docs/workload-identity-federation-with-other-clouds)\n\nCode sample\n-----------\n\n### Python\n\n\nTo learn how to install and use the client library for IAM, see\n[IAM client libraries](/iam/docs/reference/libraries).\n\n\nFor more information, see the\n[IAM Python API\nreference documentation](https://developers.google.com/api-client-library/python/apis/iam/v1).\n\n\nTo authenticate to IAM, set up Application Default Credentials.\nFor more information, see\n\n[Set up authentication for a local development environment](/docs/authentication/set-up-adc-local-dev-environment).\n\n import json\n import urllib\n\n import boto3\n from botocore.auth import SigV4Auth\n from botocore.awsrequest import AWSRequest\n\n\n def create_token_aws(project_number: str, pool_id: str, provider_id: str) -\u003e None:\n # Prepare a GetCallerIdentity request.\n request = AWSRequest(\n method=\"POST\",\n url=\"https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15\",\n headers={\n \"Host\": \"sts.amazonaws.com\",\n \"x-goog-cloud-target-resource\": f\"//iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/providers/{provider_id}\",\n },\n )\n\n # Set the session credentials and Sign the request.\n # get_credentials loads the required credentials as environment variables.\n # Refer:\n # https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html\n SigV4Auth(boto3.Session().get_credentials(), \"sts\", \"us-east-1\").add_auth(request)\n\n # Create token from signed request.\n token = {\"url\": request.url, \"method\": request.method, \"headers\": []}\n for key, value in request.headers.items():\n token[\"headers\"].append({\"key\": key, \"value\": value})\n\n # The token lets workload identity federation verify the identity without revealing the AWS secret access key.\n print(\"Token:\\n%s\" % json.dumps(token, indent=2, sort_keys=True))\n print(\"URL encoded token:\\n%s\" % urllib.parse.quote(json.dumps(token)))\n\n\n def main() -\u003e None:\n # TODO(Developer): Replace the below credentials.\n # project_number: Google Project number (not the project id)\n project_number = \"my-project-number\"\n pool_id = \"my-pool-id\"\n provider_id = \"my-provider-id\"\n\n create_token_aws(project_number, pool_id, provider_id)\n\n\n if __name__ == \"__main__\":\n main()\n\nWhat's next\n-----------\n\n\nTo search and filter code samples for other Google Cloud products, see the\n[Google Cloud sample browser](/docs/samples?product=iam)."]]
