From 569c4ccb1feb91a6e1b5554a4c39199a4b03499d Mon Sep 17 00:00:00 2001
From: Benjamin Maynard
Date: Sat, 11 Oct 2025 14:45:43 +0100
Subject: [PATCH] feat: Python auth local server - Add new `GOOGLE_MANAGED_KAFKA_AUTH_PRINCIPAL` environment variable that allows users to provide the auth principal for credential types where it cannot be programmatically fetched
---
 .../kafka_gcp_credentials_server.py | 14 +++++++++++---
 kafka-auth-local-server/requirements.txt | 2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/kafka-auth-local-server/kafka_gcp_credentials_server.py b/kafka-auth-local-server/kafka_gcp_credentials_server.py
index bf79477..0ddf5c7 100644
--- a/kafka-auth-local-server/kafka_gcp_credentials_server.py
+++ b/kafka-auth-local-server/kafka_gcp_credentials_server.py
@@ -19,9 +19,8 @@ import http.server
 import json
 import google.auth
-import google.auth.crypt
-import google.auth.jwt
 import google.auth.transport.urllib3
+import os
 import urllib3
@@ -41,12 +40,21 @@ def valid_credentials():
 def get_jwt(creds):
+ subject = getattr(creds, 'service_account_email', None)
+ if not subject:
+ env_principal = os.environ.get('GOOGLE_MANAGED_KAFKA_AUTH_PRINCIPAL')
+ if not env_principal:
+ raise ValueError(
+ 'Unable to determine principal for credentials. Please set the '
+ 'GOOGLE_MANAGED_KAFKA_AUTH_PRINCIPAL environment variable'
+ )
+ subject = env_principal
 return json.dumps(
 dict(
 exp=creds.expiry.replace(tzinfo=datetime.timezone.utc).timestamp(),
 iss='Google',
 iat=datetime.datetime.now(datetime.timezone.utc).timestamp(),
- sub=creds.service_account_email,
+ sub=subject,
 )
 )
diff --git a/kafka-auth-local-server/requirements.txt b/kafka-auth-local-server/requirements.txt
index 79ef5bc..6ba51ba 100644
--- a/kafka-auth-local-server/requirements.txt
+++ b/kafka-auth-local-server/requirements.txt
@@ -1 +1 @@
-google-auth[urllib3]>=2.40.3
+google-auth[requests,urllib3]>=2.40.3
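Review bot: The fallback in `get_jwt` puts an operator-supplied string straight into the `sub` claim, and nothing in the hunk normalises it or ties it to the identity the access token actually represents. A value with stray whitespace or a typo passes the `if not env_principal` check and would only surface later as an authentication failure, so I would read it as `env_principal = os.environ.get('GOOGLE_MANAGED_KAFKA_AUTH_PRINCIPAL', '').strip()` and add a comment above the fallback such as `# sub is asserted by the operator here, not derived from creds; it must match the principal behind the access token`. The variable is only consulted when `service_account_email` is missing or empty, so it cannot correct a credential type that reports a placeholder there, should one exist; that precedence is worth stating in a docstring. The code that calls `get_jwt` is outside the hunk, so whether the new `ValueError` reaches the client as a clear error response cannot be confirmed from here.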
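Review bot: The `requests` extra is added without any visible use: the only transport imported in the patched module is `google.auth.transport.urllib3`, so the reason for the new dependency is not recorded. If a credential type pulls it in indirectly, a comment line in requirements.txt naming that type would let a later reviewer decide whether the extra is still needed. The specifier remains a lower bound only (`>=2.40.3`), so each install of this credential server resolves to whatever versions are current; a pinned, hash-checked requirements file installed with `pip install --require-hashes` would keep the dependency set reproducible.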