author | CoprDistGit <infra@openeuler.org> | 2023-04-10 22:05:56 +0000
---|---|---
committer | CoprDistGit <infra@openeuler.org> | 2023-04-10 22:05:56 +0000
commit | fb9a9d767d1d1f58b8661aa2f41f2c831b633c67 |
tree | 0cabbc605f7f8576b2014c6d3eded954e74bce8f |
parent | 519363cb8458db161ef5fdd03b73b4f1707e100c |
automatic import of python-scalesec-gcp-workload-identity
-rw-r--r-- | .gitignore | 1
-rw-r--r-- | python-scalesec-gcp-workload-identity.spec | 701
-rw-r--r-- | sources | 1
3 files changed, 703 insertions, 0 deletions
@@ -0,0 +1 @@ +/scalesec-gcp-workload-identity-1.0.7.tar.gz diff --git a/python-scalesec-gcp-workload-identity.spec b/python-scalesec-gcp-workload-identity.spec new file mode 100644 index 0000000..ce06f20 --- /dev/null +++ b/python-scalesec-gcp-workload-identity.spec 
@@ -0,0 +1,701 @@ +%global _empty_manifest_terminate_build 0 +Name: python-scalesec-gcp-workload-identity +Version: 1.0.7 +Release: 1 +Summary: This package enables AWS->GCP federation with two lines of code +License: Apache License 2.0 +URL: https://github.com/ScaleSec/gcp-workload-identity-federation +Source0: https://mirrors.nju.edu.cn/pypi/web/packages/4c/32/fbde3cf339287d5fa418478841d3eec0688decf1c050d0dd3d7c9672f001/scalesec-gcp-workload-identity-1.0.7.tar.gz +BuildArch: noarch + +Requires: python3-boto3 +Requires: python3-requests + +%description +# Scalesec GCP Workload Identity Federation + +[](https://github.com/ScaleSec/gcp-workload-identity-federation/actions/workflows/python-linter.yml) [](https://github.com/ScaleSec/gcp-workload-identity-federation/actions/workflows/codeql-analysis.yml) + +This package provides a python module to federate access from AWS to GCP using Workload Identity. View our [blog](https://scalesec.com/blog/access-gcp-from-aws-using-workload-identity-federation/) for additional details. 
+ +## Prerequisites +* A GCP service account (environment variable "GCP_SERVICE_ACCOUNT_EMAIL") +* An AWS IAM role (environment variable "AWS_ROLE_NAME") +* AWS credentials (environment variable "AWS_PROFILE") +* python3.x + +## Quick start + +```bash +# Create venv and install package +make setup +source .venv/bin/activate +pip install scalesec-gcp-workload-identity +``` + +```bash +# Rename example .env +mv .env.example .env +``` + +```bash +# Enter your own environment variables +cat <<EOF >.env +# GCP +export GCP_PROJECT_NUMBER= +export GCP_PROJECT_ID= + +# gcp workload identity pool id +export GCP_WORKLOAD_ID= +export GCP_WORKLOAD_PROVIDER= +export GCP_SERVICE_ACCOUNT_EMAIL= + +# aws +export AWS_REGION= +export AWS_ACCOUNT_ID= +export AWS_ROLE_NAME= + +# Non-required vars +export TOKEN_LIFETIME= +export TOKEN_SCOPES= +EOF +``` + +```bash +# Source the environment variables so they are exposed +source .env +``` + +```bash +# set up GCP credentials +gcloud auth login + +# Configure the default project +gcloud config set project $GCP_PROJECT_ID + +# Enable the STS service in the project +gcloud services enable sts.googleapis.com + +# Enable the IAM credentials service +gcloud services enable iamcredentials.googleapis.com + +# The following commands use the .env values + +# Create the GCP Workload Identity Pool +gcloud beta iam workload-identity-pools create "$GCP_WORKLOAD_ID" \ + --location="global" \ + --description="$GCP_WORKLOAD_ID" \ + --display-name="$GCP_WORKLOAD_ID" + +# Create the GCP Workload Identity AWS Provider +gcloud beta iam workload-identity-pools providers create-aws "$GCP_WORKLOAD_PROVIDER" \ + --location="global" \ + --workload-identity-pool="$GCP_WORKLOAD_ID" \ + --account-id="$AWS_ACCOUNT_ID" + +# Add the appropriate IAM binding to a pre-existing service account +gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \ + --role roles/iam.workloadIdentityUser \ + --member 
"principalSet://iam.googleapis.com/projects/$GCP_PROJECT_NUMBER/locations/global/workloadIdentityPools/$GCP_WORKLOAD_ID/attribute.aws_role/arn:aws:sts::${AWS_ACCOUNT_ID}:assumed-role/$AWS_ROLE_NAME" +``` + +### Using the module + +Set your AWS credentials + +```bash +export AWS_PROFILE=xyz +``` + +Getting a Service Account token is now simple: + +```python +from scalesec_gcp_workload_identity.main import TokenService +from os import getenv + +# The arguments to TokenService can be ingested +# from the environment if they were exported above. +# Otherwise, pass in your own arguments + +token_service = TokenService( + gcp_project_number=getenv('GCP_PROJECT_NUMBER'), + gcp_workload_id=getenv('GCP_WORKLOAD_ID'), + gcp_workload_provider=getenv('GCP_WORKLOAD_PROVIDER'), + gcp_service_account_email=getenv('GCP_SERVICE_ACCOUNT_EMAIL'), + aws_account_id=getenv('AWS_ACCOUNT_ID'), + aws_role_name=getenv('AWS_ROLE_NAME'), + aws_region=getenv('AWS_REGION'), + gcp_token_lifetime=getenv('TOKEN_LIFETIME'), # Not required + gcp_token_scopes=getenv('TOKEN_SCOPES') # Not required +) + +sa_token, expiry_date = token_service.get_token() +``` + +### Token expiration + +The default expiration for a service account token is 1h in GCP. This behavior can be changed by overriding the environment variable `TOKEN_LIFETIME` in the `.env` file. By default, GCP does not allow tokens to have an expiry over 1 hour and an organization policy __must__ be updated for this change to take affect. The organization policy is called `iam.allowServiceAccountCredentialLifetimeExtension` and it accepts a list of service accounts that are allowed to have an > 1 hr token. 
+ +```bash +# To configure the organization policy +gcloud org-policies set-policy policy.yaml + +# An example policy.json: +name: projects/1234567890/policies/iam.allowServiceAccountCredentialLifetimeExtension +spec: + etag: BwXBMNmIrQg= + rules: + - values: + allowedValues: + - your-sa@yourproject.iam.gserviceaccount.com +``` + +#### Token scopes + +The default scope for the service account token is `https://www.googleapis.com/auth/cloud-platform`. This behaviour can be overridden to enable a different set of scopes by using the environment variable `TOKEN_SCOPES` in the `.env` file with a comma-separated list of GCP scopes. + +## Testing + +```shell +# make a venv +make setup +``` + +Edit `.env` with your values + +```shell +# install deps +make dev + +# run pytest +make test +``` + +## Local Linting + +To test that your code will pass the lint and code quality GitHub action: + +* Clone the repository locally +* Make your updates +* From the root of the repository, execute: +```bash +pylint --rcfile .github/workflows/configs/.pylintrc scalesec_gcp_workload_identity tests examples +``` + +## Examples + +We have provided [examples](./examples) on how to use the service account access token generated by this module. Access tokens are mainly used via an API call or using `curl` on the CLI. + +## Restricting Identity Pool Providers + +By default, any GCP user with the `roles/iam.workloadIdentityPoolAdmin` or `roles/owner` role is able to create a workload identity pool in your GCP organization. There are two organization policies available to help you lockdown which outside providers can have pools in your organization. + +* `constraints/iam.workloadIdentityPoolProviders ` - Accepts a list of URIs such as `https://sts.amazonaws.com` or `https://sts.windows.net/$AZURE_TENANT_ID`. 
For example: + +```bash +# Allows all AWS accounts but no Azure or OIDC +gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \ + https://sts.amazonaws.com --organization=$ORG_ID + +# Allows only a specific Azure tenant but no AWS or OIDC +gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \ + https://sts.windows.net/$AZURE_TENANT_ID --organization=$ORG_ID +``` + +* `constraints/iam.workloadIdentityPoolAwsAccounts` - Specifically focused on AWS, this constraint accepts a list of AWS account IDs. If this orgnanization policy is used, `constraints/iam.workloadIdentityPoolProviders` must either allow `https://sts.amazonaws.com` or be set to default (allow all). For example: + +```bash +# Only allows a specific AWS account +gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolAwsAccounts \ + $AWS_ACCOUNT_ID --organization=$ORG_ID +``` + +## Upload to PyPi + +Set your token/credentials in ~/.pypirc + +`make dist VERSION=1.x.x` + +## Feedback + +Feedback is welcome and encouraged via a GitHub issue. Please open an issue for any bugs, feature requests, or general improvements you would like to see. Thank you in advance! + + + + +%package -n python3-scalesec-gcp-workload-identity +Summary: This package enables AWS->GCP federation with two lines of code +Provides: python-scalesec-gcp-workload-identity +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-pip +%description -n python3-scalesec-gcp-workload-identity +# Scalesec GCP Workload Identity Federation + +[](https://github.com/ScaleSec/gcp-workload-identity-federation/actions/workflows/python-linter.yml) [](https://github.com/ScaleSec/gcp-workload-identity-federation/actions/workflows/codeql-analysis.yml) + +This package provides a python module to federate access from AWS to GCP using Workload Identity. 
View our [blog](https://scalesec.com/blog/access-gcp-from-aws-using-workload-identity-federation/) for additional details. + +## Prerequisites +* A GCP service account (environment variable "GCP_SERVICE_ACCOUNT_EMAIL") +* An AWS IAM role (environment variable "AWS_ROLE_NAME") +* AWS credentials (environment variable "AWS_PROFILE") +* python3.x + +## Quick start + +```bash +# Create venv and install package +make setup +source .venv/bin/activate +pip install scalesec-gcp-workload-identity +``` + +```bash +# Rename example .env +mv .env.example .env +``` + +```bash +# Enter your own environment variables +cat <<EOF >.env +# GCP +export GCP_PROJECT_NUMBER= +export GCP_PROJECT_ID= + +# gcp workload identity pool id +export GCP_WORKLOAD_ID= +export GCP_WORKLOAD_PROVIDER= +export GCP_SERVICE_ACCOUNT_EMAIL= + +# aws +export AWS_REGION= +export AWS_ACCOUNT_ID= +export AWS_ROLE_NAME= + +# Non-required vars +export TOKEN_LIFETIME= +export TOKEN_SCOPES= +EOF +``` + +```bash +# Source the environment variables so they are exposed +source .env +``` + +```bash +# set up GCP credentials +gcloud auth login + +# Configure the default project +gcloud config set project $GCP_PROJECT_ID + +# Enable the STS service in the project +gcloud services enable sts.googleapis.com + +# Enable the IAM credentials service +gcloud services enable iamcredentials.googleapis.com + +# The following commands use the .env values + +# Create the GCP Workload Identity Pool +gcloud beta iam workload-identity-pools create "$GCP_WORKLOAD_ID" \ + --location="global" \ + --description="$GCP_WORKLOAD_ID" \ + --display-name="$GCP_WORKLOAD_ID" + +# Create the GCP Workload Identity AWS Provider +gcloud beta iam workload-identity-pools providers create-aws "$GCP_WORKLOAD_PROVIDER" \ + --location="global" \ + --workload-identity-pool="$GCP_WORKLOAD_ID" \ + --account-id="$AWS_ACCOUNT_ID" + +# Add the appropriate IAM binding to a pre-existing service account +gcloud iam service-accounts add-iam-policy-binding 
$GCP_SERVICE_ACCOUNT_EMAIL \ + --role roles/iam.workloadIdentityUser \ + --member "principalSet://iam.googleapis.com/projects/$GCP_PROJECT_NUMBER/locations/global/workloadIdentityPools/$GCP_WORKLOAD_ID/attribute.aws_role/arn:aws:sts::${AWS_ACCOUNT_ID}:assumed-role/$AWS_ROLE_NAME" +``` + +### Using the module + +Set your AWS credentials + +```bash +export AWS_PROFILE=xyz +``` + +Getting a Service Account token is now simple: + +```python +from scalesec_gcp_workload_identity.main import TokenService +from os import getenv + +# The arguments to TokenService can be ingested +# from the environment if they were exported above. +# Otherwise, pass in your own arguments + +token_service = TokenService( + gcp_project_number=getenv('GCP_PROJECT_NUMBER'), + gcp_workload_id=getenv('GCP_WORKLOAD_ID'), + gcp_workload_provider=getenv('GCP_WORKLOAD_PROVIDER'), + gcp_service_account_email=getenv('GCP_SERVICE_ACCOUNT_EMAIL'), + aws_account_id=getenv('AWS_ACCOUNT_ID'), + aws_role_name=getenv('AWS_ROLE_NAME'), + aws_region=getenv('AWS_REGION'), + gcp_token_lifetime=getenv('TOKEN_LIFETIME'), # Not required + gcp_token_scopes=getenv('TOKEN_SCOPES') # Not required +) + +sa_token, expiry_date = token_service.get_token() +``` + +### Token expiration + +The default expiration for a service account token is 1h in GCP. This behavior can be changed by overriding the environment variable `TOKEN_LIFETIME` in the `.env` file. By default, GCP does not allow tokens to have an expiry over 1 hour and an organization policy __must__ be updated for this change to take affect. The organization policy is called `iam.allowServiceAccountCredentialLifetimeExtension` and it accepts a list of service accounts that are allowed to have an > 1 hr token. 
+ +```bash +# To configure the organization policy +gcloud org-policies set-policy policy.yaml + +# An example policy.json: +name: projects/1234567890/policies/iam.allowServiceAccountCredentialLifetimeExtension +spec: + etag: BwXBMNmIrQg= + rules: + - values: + allowedValues: + - your-sa@yourproject.iam.gserviceaccount.com +``` + +#### Token scopes + +The default scope for the service account token is `https://www.googleapis.com/auth/cloud-platform`. This behaviour can be overridden to enable a different set of scopes by using the environment variable `TOKEN_SCOPES` in the `.env` file with a comma-separated list of GCP scopes. + +## Testing + +```shell +# make a venv +make setup +``` + +Edit `.env` with your values + +```shell +# install deps +make dev + +# run pytest +make test +``` + +## Local Linting + +To test that your code will pass the lint and code quality GitHub action: + +* Clone the repository locally +* Make your updates +* From the root of the repository, execute: +```bash +pylint --rcfile .github/workflows/configs/.pylintrc scalesec_gcp_workload_identity tests examples +``` + +## Examples + +We have provided [examples](./examples) on how to use the service account access token generated by this module. Access tokens are mainly used via an API call or using `curl` on the CLI. + +## Restricting Identity Pool Providers + +By default, any GCP user with the `roles/iam.workloadIdentityPoolAdmin` or `roles/owner` role is able to create a workload identity pool in your GCP organization. There are two organization policies available to help you lockdown which outside providers can have pools in your organization. + +* `constraints/iam.workloadIdentityPoolProviders ` - Accepts a list of URIs such as `https://sts.amazonaws.com` or `https://sts.windows.net/$AZURE_TENANT_ID`. 
For example: + +```bash +# Allows all AWS accounts but no Azure or OIDC +gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \ + https://sts.amazonaws.com --organization=$ORG_ID + +# Allows only a specific Azure tenant but no AWS or OIDC +gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \ + https://sts.windows.net/$AZURE_TENANT_ID --organization=$ORG_ID +``` + +* `constraints/iam.workloadIdentityPoolAwsAccounts` - Specifically focused on AWS, this constraint accepts a list of AWS account IDs. If this orgnanization policy is used, `constraints/iam.workloadIdentityPoolProviders` must either allow `https://sts.amazonaws.com` or be set to default (allow all). For example: + +```bash +# Only allows a specific AWS account +gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolAwsAccounts \ + $AWS_ACCOUNT_ID --organization=$ORG_ID +``` + +## Upload to PyPi + +Set your token/credentials in ~/.pypirc + +`make dist VERSION=1.x.x` + +## Feedback + +Feedback is welcome and encouraged via a GitHub issue. Please open an issue for any bugs, feature requests, or general improvements you would like to see. Thank you in advance! + + + + +%package help +Summary: Development documents and examples for scalesec-gcp-workload-identity +Provides: python3-scalesec-gcp-workload-identity-doc +%description help +# Scalesec GCP Workload Identity Federation + +[](https://github.com/ScaleSec/gcp-workload-identity-federation/actions/workflows/python-linter.yml) [](https://github.com/ScaleSec/gcp-workload-identity-federation/actions/workflows/codeql-analysis.yml) + +This package provides a python module to federate access from AWS to GCP using Workload Identity. View our [blog](https://scalesec.com/blog/access-gcp-from-aws-using-workload-identity-federation/) for additional details. 
+ +## Prerequisites +* A GCP service account (environment variable "GCP_SERVICE_ACCOUNT_EMAIL") +* An AWS IAM role (environment variable "AWS_ROLE_NAME") +* AWS credentials (environment variable "AWS_PROFILE") +* python3.x + +## Quick start + +```bash +# Create venv and install package +make setup +source .venv/bin/activate +pip install scalesec-gcp-workload-identity +``` + +```bash +# Rename example .env +mv .env.example .env +``` + +```bash +# Enter your own environment variables +cat <<EOF >.env +# GCP +export GCP_PROJECT_NUMBER= +export GCP_PROJECT_ID= + +# gcp workload identity pool id +export GCP_WORKLOAD_ID= +export GCP_WORKLOAD_PROVIDER= +export GCP_SERVICE_ACCOUNT_EMAIL= + +# aws +export AWS_REGION= +export AWS_ACCOUNT_ID= +export AWS_ROLE_NAME= + +# Non-required vars +export TOKEN_LIFETIME= +export TOKEN_SCOPES= +EOF +``` + +```bash +# Source the environment variables so they are exposed +source .env +``` + +```bash +# set up GCP credentials +gcloud auth login + +# Configure the default project +gcloud config set project $GCP_PROJECT_ID + +# Enable the STS service in the project +gcloud services enable sts.googleapis.com + +# Enable the IAM credentials service +gcloud services enable iamcredentials.googleapis.com + +# The following commands use the .env values + +# Create the GCP Workload Identity Pool +gcloud beta iam workload-identity-pools create "$GCP_WORKLOAD_ID" \ + --location="global" \ + --description="$GCP_WORKLOAD_ID" \ + --display-name="$GCP_WORKLOAD_ID" + +# Create the GCP Workload Identity AWS Provider +gcloud beta iam workload-identity-pools providers create-aws "$GCP_WORKLOAD_PROVIDER" \ + --location="global" \ + --workload-identity-pool="$GCP_WORKLOAD_ID" \ + --account-id="$AWS_ACCOUNT_ID" + +# Add the appropriate IAM binding to a pre-existing service account +gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \ + --role roles/iam.workloadIdentityUser \ + --member 
"principalSet://iam.googleapis.com/projects/$GCP_PROJECT_NUMBER/locations/global/workloadIdentityPools/$GCP_WORKLOAD_ID/attribute.aws_role/arn:aws:sts::${AWS_ACCOUNT_ID}:assumed-role/$AWS_ROLE_NAME" +``` + +### Using the module + +Set your AWS credentials + +```bash +export AWS_PROFILE=xyz +``` + +Getting a Service Account token is now simple: + +```python +from scalesec_gcp_workload_identity.main import TokenService +from os import getenv + +# The arguments to TokenService can be ingested +# from the environment if they were exported above. +# Otherwise, pass in your own arguments + +token_service = TokenService( + gcp_project_number=getenv('GCP_PROJECT_NUMBER'), + gcp_workload_id=getenv('GCP_WORKLOAD_ID'), + gcp_workload_provider=getenv('GCP_WORKLOAD_PROVIDER'), + gcp_service_account_email=getenv('GCP_SERVICE_ACCOUNT_EMAIL'), + aws_account_id=getenv('AWS_ACCOUNT_ID'), + aws_role_name=getenv('AWS_ROLE_NAME'), + aws_region=getenv('AWS_REGION'), + gcp_token_lifetime=getenv('TOKEN_LIFETIME'), # Not required + gcp_token_scopes=getenv('TOKEN_SCOPES') # Not required +) + +sa_token, expiry_date = token_service.get_token() +``` + +### Token expiration + +The default expiration for a service account token is 1h in GCP. This behavior can be changed by overriding the environment variable `TOKEN_LIFETIME` in the `.env` file. By default, GCP does not allow tokens to have an expiry over 1 hour and an organization policy __must__ be updated for this change to take affect. The organization policy is called `iam.allowServiceAccountCredentialLifetimeExtension` and it accepts a list of service accounts that are allowed to have an > 1 hr token. 
+ +```bash +# To configure the organization policy +gcloud org-policies set-policy policy.yaml + +# An example policy.json: +name: projects/1234567890/policies/iam.allowServiceAccountCredentialLifetimeExtension +spec: + etag: BwXBMNmIrQg= + rules: + - values: + allowedValues: + - your-sa@yourproject.iam.gserviceaccount.com +``` + +#### Token scopes + +The default scope for the service account token is `https://www.googleapis.com/auth/cloud-platform`. This behaviour can be overridden to enable a different set of scopes by using the environment variable `TOKEN_SCOPES` in the `.env` file with a comma-separated list of GCP scopes. + +## Testing + +```shell +# make a venv +make setup +``` + +Edit `.env` with your values + +```shell +# install deps +make dev + +# run pytest +make test +``` + +## Local Linting + +To test that your code will pass the lint and code quality GitHub action: + +* Clone the repository locally +* Make your updates +* From the root of the repository, execute: +```bash +pylint --rcfile .github/workflows/configs/.pylintrc scalesec_gcp_workload_identity tests examples +``` + +## Examples + +We have provided [examples](./examples) on how to use the service account access token generated by this module. Access tokens are mainly used via an API call or using `curl` on the CLI. + +## Restricting Identity Pool Providers + +By default, any GCP user with the `roles/iam.workloadIdentityPoolAdmin` or `roles/owner` role is able to create a workload identity pool in your GCP organization. There are two organization policies available to help you lockdown which outside providers can have pools in your organization. + +* `constraints/iam.workloadIdentityPoolProviders ` - Accepts a list of URIs such as `https://sts.amazonaws.com` or `https://sts.windows.net/$AZURE_TENANT_ID`. 
For example: + +```bash +# Allows all AWS accounts but no Azure or OIDC +gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \ + https://sts.amazonaws.com --organization=$ORG_ID + +# Allows only a specific Azure tenant but no AWS or OIDC +gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \ + https://sts.windows.net/$AZURE_TENANT_ID --organization=$ORG_ID +``` + +* `constraints/iam.workloadIdentityPoolAwsAccounts` - Specifically focused on AWS, this constraint accepts a list of AWS account IDs. If this orgnanization policy is used, `constraints/iam.workloadIdentityPoolProviders` must either allow `https://sts.amazonaws.com` or be set to default (allow all). For example: + +```bash +# Only allows a specific AWS account +gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolAwsAccounts \ + $AWS_ACCOUNT_ID --organization=$ORG_ID +``` + +## Upload to PyPi + +Set your token/credentials in ~/.pypirc + +`make dist VERSION=1.x.x` + +## Feedback + +Feedback is welcome and encouraged via a GitHub issue. Please open an issue for any bugs, feature requests, or general improvements you would like to see. Thank you in advance! 
+ + + + +%prep +%autosetup -n scalesec-gcp-workload-identity-1.0.7 + +%build +%py3_build + +%install +%py3_install +install -d -m755 %{buildroot}/%{_pkgdocdir} +if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi +if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi +if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi +if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi +pushd %{buildroot} +if [ -d usr/lib ]; then + find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/lib64 ]; then + find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/bin ]; then + find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/sbin ]; then + find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst +fi +touch doclist.lst +if [ -d usr/share/man ]; then + find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst +fi +popd +mv %{buildroot}/filelist.lst . +mv %{buildroot}/doclist.lst . + +%files -n python3-scalesec-gcp-workload-identity -f filelist.lst +%dir %{python3_sitelib}/* + +%files help -f doclist.lst +%{_docdir}/* + +%changelog +* Mon Apr 10 2023 Python_Bot <Python_Bot@openeuler.org> - 1.0.7-1 +- Package Spec generated @@ -0,0 +1 @@ +ea1d90363792a50120498f1845906913 scalesec-gcp-workload-identity-1.0.7.tar.gz |
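Review bot: In the spec header, `Source0` pulls the tarball from `mirrors.nju.edu.cn/pypi/web/packages/...`, a third-party PyPI mirror, while `URL:` names the upstream GitHub project, so the build trusts the mirror for the exact bytes it packages. Point `Source0` at the canonical upstream location, or note in the spec why the mirror is used, so a reviewer can compare the archive against what upstream published. Two smaller points in the same hunk: `%global _empty_manifest_terminate_build 0` turns off the check that stops the build when a file manifest is empty, which hides the case where `%py3_install` installs nothing and `filelist.lst` comes out empty; and the three `%description` sections each embed the full upstream README, including developer-only steps such as `make dist VERSION=1.x.x`, where a short summary would serve package users better. `License: Apache License 2.0` would also read more consistently as the SPDX identifier `Apache-2.0`.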
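Review bot: The single line added to `sources` pairs `scalesec-gcp-workload-identity-1.0.7.tar.gz` with a 32-hex-digit digest, which is MD5 length. MD5 does not resist deliberate collisions, so this entry only guards against accidental corruption of the download, not against a substituted archive, and that matters more here because `Source0` fetches from a mirror. Record a SHA-256 or SHA-512 digest for the tarball instead, if the dist-git tooling accepts one.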