
I am trying to automate a site that is protected behind an Identity-Aware Proxy (IAP) on Google Cloud Platform (GCP). I currently have access to a service account with which I am able to make API requests using an OpenID token.

When logging into the application normally (with username and password), I see the following cookies:

GCP_IAAP_AUTH_TOKEN_<Some GUID here>

GCP_IAP_UID

How can I use the service account credentials (available in a JSON file) to recreate these cookie values so that I can inject them into my Selenium WebDriver?

Muttonchop
  • 2
    https://stackoverflow.com/a/44012079/8016720 – John Hanley Mar 26 '20 at 20:51
  • I am not sure how that answers my particular question. – Muttonchop Mar 26 '20 at 21:03
  • 3
    The answer is you cannot. Service account identity tokens are valid for 3,600 seconds. After that, they expire. The OIDC Identity Token that IAP requires can be refreshed, but that requires a token exchange with Google. I included that answer link so that you would know that you cannot set those headers. IAP will remove them. – John Hanley Mar 26 '20 at 21:10
  • Bummer, that is what I was thinking I was reading. Are you aware of an alternate way forward to do UI automation on a resource behind an IAP? – Muttonchop Mar 26 '20 at 21:26
  • 2
    I wrote an article on my website on how to do service account impersonation, including saving the credentials for reuse. You can automate web pages with PowerShell; I have not tried with Selenium. This article might help you understand how to get credentials and then how to save them. I have other articles on similar techniques. https://www.jhanley.com/powershell-impersonate-google-service-account/ – John Hanley Mar 26 '20 at 22:03

1 Answer


I ended up solving this using BrowserMob-Proxy. From their README:

BrowserMob Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file.

For Python3, I did the following:

Prerequisites:

  • BrowserMob-Proxy installed and running

    For Mac I used HomeBrew:

    ?> brew install browsermob-proxy
    ?> brew services start browsermob-proxy
    
  • Set up local python3 environment with pipenv (or your choice of virtual env manager)

    ?> brew install pipenv
    ?> pipenv --python 3.8
    ?> pipenv install browsermob-proxy
    ?> pipenv install selenium
    ?> pipenv install ....
    
  • Ability to authenticate with the data source for your webpage. Since I was utilizing a GCP service, I followed the flow published in the IAP documentation for getting the authentication token, found here: Authenticating from a service account

Simplified code for adding the proxy:

    from selenium import webdriver
    from selenium.webdriver import ChromeOptions
    import browsermobproxy

    # 1. Do whatever you need to do to get your token
    #    (get_auth_token is your own function; it is not defined here)
    token = get_auth_token()

    # 2. Create browsermob client and add auth to headers
    client = browsermobproxy.Client("localhost:9090")  # port depends on your own setup
    client.headers({"Authorization": "Bearer {}".format(token)})

    # 3. Create browser (can vary wildly based on your own needs)
    chrome_options = ChromeOptions()
    chrome_options.add_argument("--ignore-certificate-errors")  # I needed this, you may not
    caps = chrome_options.to_capabilities()
    client.add_to_capabilities(caps)  # This is important!
    # create driver instance with your capabilities (Selenium 3 keyword argument)
    driver = webdriver.Chrome(desired_capabilities=caps)

Muttonchop
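
The comments above note that service account identity tokens expire after 3,600 seconds, so a header set once on the proxy goes stale during a long Selenium run. The code below is an added example, not part of the original answer: it reads the token's `exp` claim and re-sends the `Authorization` header through the answer's `client.headers(...)` call shortly before expiry. `BearerRefresher`, `REFRESH_MARGIN`, `constructed_token` and the sample audience are hypothetical names, and the 300-second margin is an assumption.

```python
import base64
import json
import time

REFRESH_MARGIN = 300  # assumption: re-mint 5 minutes before the token expires


def constructed_token(exp, aud="constructed-client-id.apps.googleusercontent.com"):
    """Constructed sample: an unsigned, JWT-shaped string for the demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "{}.{}.sig".format(enc({"alg": "RS256"}), enc({"exp": exp, "aud": aud}))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it; used only to read exp/aud locally."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
        return json.loads(base64.urlsafe_b64decode(payload))
    except (IndexError, ValueError) as exc:
        raise ValueError("not a JWT-shaped token") from exc


def seconds_left(token, now=None):
    """Seconds until the token's exp claim, relative to now (epoch seconds)."""
    now = time.time() if now is None else now
    return int(jwt_claims(token)["exp"] - now)


class BearerRefresher:
    """Keeps the Authorization header on the BrowserMob client current."""

    def __init__(self, client, mint_token, margin=REFRESH_MARGIN):
        self.client = client          # any object with a .headers(dict) method
        self.mint_token = mint_token  # e.g. the answer's get_auth_token
        self.margin = margin
        self.token = None

    def ensure_fresh(self, now=None):
        """Call before each test step; returns True when a new header was sent."""
        if self.token is not None and seconds_left(self.token, now) > self.margin:
            return False
        self.token = self.mint_token()
        self.client.headers({"Authorization": "Bearer {}".format(self.token)})
        return True
```

Call `ensure_fresh()` before each page load or test step. The token is decoded only to read `exp`; IAP still validates the signature on every request.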