oci 2.110.2__py3-none-any.whl → 2.112.0__py3-none-any.whl

oci/auth/signers/nested_resource_principals_signer.py

@@ -0,0 +1,200 @@
+# coding: utf-8
+# Copyright (c) 2016, 2023, Oracle and/or its affiliates.  All rights reserved.
+# This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
+
+import json
+import threading
+
+from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
+
+import oci
+import oci.signer
+
+from .security_token_signer import SecurityTokenSigner, SECURITY_TOKEN_FORMAT_STRING
+from .. import auth_utils
+from ..security_token_container import SecurityTokenContainer
+
+OPTIONAL_NESTED_PARENT_HEADER = "opc-parent-rpt-url"
+
+
+class NestedResourcePrincipals(SecurityTokenSigner):
+
+    def __init__(self, resource_principal_rpt_url=None, resource_principal_session_token_endpoint=None,
+                 sub_resource_rp_signer=None, retry_strategy=None, log_requests=None, generic_headers=None,
+                 current_parent_depth=0, **kwargs):
+
+        if not sub_resource_rp_signer:
+            raise ValueError("Could not initiate sub-resource principals signers please check your environment!")
+        else:
+            self.sub_resource_rp_signer = sub_resource_rp_signer
+
+        # set region from sub_resource_rp_signer
+        if hasattr(sub_resource_rp_signer, 'region'):
+            self.region = sub_resource_rp_signer.region
+
+        if resource_principal_session_token_endpoint:
+            self.resource_principal_session_token_endpoint = resource_principal_session_token_endpoint
+        else:
+            raise ValueError("resource_principal_session_token_endpoint must be provided")
+
+        if resource_principal_rpt_url is None:
+            raise ValueError("resource_principal_rpt_url should be present!")
+
+        self.resource_principal_token_endpoint = resource_principal_rpt_url
+        self.resource_principal_token_path = ""
+        self.current_parent_depth = current_parent_depth
+
+        self._reset_signers_lock = threading.Lock()
+
+        if retry_strategy:
+            self.retry_strategy = retry_strategy
+        else:
+            self.retry_strategy = oci.retry.DEFAULT_RETRY_STRATEGY
+
+        # Holders for the tokens needed.
+        self.rpt = None
+        self.spst = None
+
+        # Set up base_client for calls to Service to get Resource Principal Token and Service Principal Session Token
+        # The config is not needed but request logging could be enabled.
+        config = {}
+        if log_requests:
+            config["log_requests"] = log_requests
+
+        self.base_client = oci.BaseClient("",  # No service
+                                          config,
+                                          sub_resource_rp_signer,  # Signer composed for sub-resource
+                                          {},  # No type mapping
+                                          region_client=False,
+                                          service_endpoint=self.resource_principal_token_endpoint)
+
+        # Set Key Supplier
+        self.session_key_supplier = self.sub_resource_rp_signer.session_key_supplier
+
+        # Get the Resource Principal Session Token and use it to set up the signer
+        self.rpst = self.get_security_token()
+
+        if generic_headers:
+            super(NestedResourcePrincipals, self).__init__(self.security_token.security_token,
+                                                           self.session_key_supplier.get_key_pair()['private'],
+                                                           generic_headers=generic_headers)
+        else:
+            super(NestedResourcePrincipals, self).__init__(self.security_token.security_token,
+                                                           self.session_key_supplier.get_key_pair()['private'])
+
+    def get_security_token(self):
+        """
+        Returns the security token. If it is expired, refresh the token.
+        """
+        if hasattr(self, 'security_token'):
+            if self.security_token.valid_with_jitter():
+                return self.security_token.security_token
+
+        return self._refresh_security_token_inner()
+
+    def refresh_security_token(self):
+        """
+        Refresh the security token
+        """
+        return self._refresh_security_token_inner()
+
+    def _refresh_security_token_inner(self):
+        self._reset_signers_lock.acquire()
+        try:
+            self.sub_resource_rp_signer.refresh_security_token()
+
+            # Get RPT blob, Service Principal Session Token from service, Steps A.1 and B.1
+            self.rpt, self.spst = self._get_resource_principal_token_and_service_principal_session_token()
+
+            # Get RPST token from identity, steps A.2 and B.2
+            self.security_token = SecurityTokenContainer(self.session_key_supplier,
+                                                         self._get_resource_principal_session_token())
+            self._reset_signers()
+
+            return self.security_token.security_token
+        finally:
+            self._reset_signers_lock.release()
+
+    def _reset_signers(self):
+        self.api_key = SECURITY_TOKEN_FORMAT_STRING.format(self.security_token.security_token)
+        self.private_key = self.session_key_supplier.get_key_pair()['private']
+
+        if hasattr(self, '_basic_signer'):
+            self._basic_signer.reset_signer(self.api_key, self.private_key)
+        if hasattr(self, '_body_signer'):
+            self._body_signer.reset_signer(self.api_key, self.private_key)
+
+    def _get_resource_principal_token_and_service_principal_session_token(self):
+        """
+        Get the Resource Principal Token and the Service Principal Session Token
+
+        This makes a call to the resource_principal_token_endpoint which is
+        defined by the service.
+        """
+        method = "get"
+        self.base_client.endpoint = self.resource_principal_token_endpoint
+
+        response = self.make_call(method, self.resource_principal_token_path)
+        if response.headers and OPTIONAL_NESTED_PARENT_HEADER in response.headers:
+            self.nested_parent_rpt_url = response.headers.get(OPTIONAL_NESTED_PARENT_HEADER)
+        else:
+            # setting this as None to mark missing header for terminal parent.
+            self.nested_parent_rpt_url = None
+
+        parsed_response = json.loads(response.data.decode('UTF-8'))
+        return parsed_response['resourcePrincipalToken'], parsed_response['servicePrincipalSessionToken']
+
+    def _get_resource_principal_session_token(self):
+        """
+        Get the Resource Principal Session Token
+        """
+        method = "post"
+        resource_path = "/v1/resourcePrincipalSessionToken"
+
+        self.base_client.endpoint = self.resource_principal_session_token_endpoint
+
+        public_key = self.session_key_supplier.get_key_pair()['public']
+        sanitized_public_key = auth_utils.sanitize_certificate_string(
+            public_key.public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo))
+
+        request_payload = {
+            'resourcePrincipalToken': self.rpt,
+            'servicePrincipalSessionToken': self.spst,
+            'sessionPublicKey': sanitized_public_key
+        }
+
+        # The base client will convert the payload to JSON, but won't update the content length, so we need to
+        # it here.
+        json_request_payload = json.dumps(request_payload)
+        header_params = {'content-type': 'application/json',
+                         'Content-Length': str(len(json_request_payload))}
+        response = self.make_call(method, resource_path, header_params=header_params, body=request_payload)
+        parsed_response = json.loads(response.data.decode('UTF-8'))
+
+        return parsed_response['token']
+
+    def make_call(self, method, resource_path, path_params=None, header_params=None, body=None):
+        """
+        make_call
+
+        Normally this would be part of the generated client.  In this case the endpoint for the
+        Resource Principal Token is not part of the generated client, so we need the same
+        behavior here.
+        """
+        if self.retry_strategy:
+            return self.retry_strategy.make_retrying_call(
+                self.base_client.call_api,
+                resource_path=resource_path,
+                method=method,
+                path_params=path_params,
+                header_params=header_params,
+                body=body,
+                response_type=oci.base_client.BYTES_RESPONSE_TYPE)
+        else:
+            return self.base_client.call_api(
+                resource_path=resource_path,
+                method=method,
+                path_params=path_params,
+                header_params=header_params,
+                body=body,
+                response_type=oci.base_client.BYTES_RESPONSE_TYPE)

oci/auth/signers/oke_workload_identity_resource_principal_signer.py

@@ -0,0 +1,154 @@
+# coding: utf-8
+# Copyright (c) 2016, 2023, Oracle and/or its affiliates.  All rights reserved.
+# This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
+
+import threading
+import logging
+import pprint
+from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
+
+import base64
+import json
+import oci
+from oci._vendor import requests
+from .. import auth_utils
+from ..certificate_retriever import FileBasedCertificateRetriever
+from ..session_key_supplier import SessionKeySupplier
+from ..security_token_container import SecurityTokenContainer
+from .security_token_signer import SecurityTokenSigner, SECURITY_TOKEN_FORMAT_STRING
+
+
+class OkeWorkloadIdentityResourcePrincipalSigner(SecurityTokenSigner):
+
+    def __init__(self, sa_token_provider, sa_cert_path, service_host, service_port, region=None, **kwargs):
+        self.sa_token_provider = sa_token_provider
+        self.sa_cert_path = sa_cert_path
+        self.service_host = service_host
+        if self.service_host is None:
+            raise ValueError("Kubernetes service host was not provided.")
+        self.service_port = service_port
+        self.region = self._initialize_and_return_region(region)
+        self._reset_signers_lock = threading.Lock()
+
+        self.logger = logging.getLogger("{}.{}".format(__name__, id(self)))
+        self.logger.addHandler(logging.NullHandler())
+        if kwargs.get('log_requests'):
+            self.logger.disabled = False
+            self.logger.setLevel(logging.DEBUG)
+        else:
+            self.logger.disabled = True
+        self.requests_session = requests.Session()
+
+        retry_strategy = kwargs.get('retry_strategy', None)
+        if retry_strategy:
+            self.retry_strategy = retry_strategy
+        else:
+            self.retry_strategy = oci.retry.DEFAULT_RETRY_STRATEGY
+
+        self.proxymux_endpoint = "https://{}:{}/resourcePrincipalSessionTokens".format(self.service_host, self.service_port)
+        self.logger.debug("Proxymux endpoint is set to : {} ".format(self.proxymux_endpoint))
+        cert_retriever_kwargs = {"certificate_file_path": self.sa_cert_path}
+        self.logger.debug("Certificate file path is set to : {} ".format(self.sa_cert_path))
+        self.cert_retriever = FileBasedCertificateRetriever(**cert_retriever_kwargs)
+
+        self.session_key_supplier = SessionKeySupplier()
+        self.rpst = self.get_security_token()
+
+        if 'generic_headers' in kwargs:
+            generic_headers = kwargs['generic_headers']
+            super(OkeWorkloadIdentityResourcePrincipalSigner, self).__init__(self.security_token.security_token,
+                                                                             self.session_key_supplier.get_key_pair()['private'],
+                                                                             generic_headers=generic_headers)
+        else:
+            super(OkeWorkloadIdentityResourcePrincipalSigner, self).__init__(self.security_token.security_token,
+                                                                             self.session_key_supplier.get_key_pair()['private'])
+
+    def _initialize_and_return_region(self, region_raw=None):
+        if hasattr(self, 'region'):
+            return self.region
+
+        if region_raw is None:
+            return None
+
+        # The region should be something like "us-phoenix-1" but if we get "phx" then convert it.
+        if region_raw in oci.regions.REGIONS_SHORT_NAMES:
+            self.region = oci.regions.REGIONS_SHORT_NAMES[region_raw]
+        else:
+            self.region = region_raw
+
+        return self.region
+
+    def get_security_token(self):
+        """
+        Returns the security token. If it is expired, refresh the token.
+        """
+        if hasattr(self, 'security_token'):
+            if self.security_token.valid_with_half_expiration_time():
+                return self.security_token.security_token
+
+        return self._refresh_security_token_inner()
+
+    def refresh_security_token(self):
+        """
+        Refresh the security token
+        """
+        return self._refresh_security_token_inner()
+
+    def _refresh_security_token_inner(self):
+        self._reset_signers_lock.acquire()
+        try:
+            self.session_key_supplier.refresh()
+            self.cert_retriever.refresh()
+            self.retry_strategy.make_retrying_call(self._get_resource_principal_session_token)
+            self._reset_signers()
+            return self.security_token.security_token
+        finally:
+            self._reset_signers_lock.release()
+
+    def _reset_signers(self):
+        self.api_key = SECURITY_TOKEN_FORMAT_STRING.format(self.security_token.security_token)
+        self.private_key = self.session_key_supplier.get_key_pair()['private']
+
+        if hasattr(self, '_basic_signer'):
+            self._basic_signer.reset_signer(self.api_key, self.private_key)
+        if hasattr(self, '_body_signer'):
+            self._body_signer.reset_signer(self.api_key, self.private_key)
+
+    def _get_resource_principal_session_token(self):
+        request_payload = {
+            "podKey": auth_utils.sanitize_certificate_string(self.session_key_supplier.get_key_pair()['public'].public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo))
+        }
+
+        opc_request_id = auth_utils.generate_opc_request_id()
+        sa_token = self.sa_token_provider.get_sa_token()
+        headers = {
+            "Authorization": "Bearer " + sa_token,
+            "Content-type": "application/json",
+            "opc-request-id": opc_request_id
+        }
+
+        self.logger.debug("Requesting token from : {} ".format(self.proxymux_endpoint))
+        response = self.requests_session.post(self.proxymux_endpoint, json=request_payload, headers=headers, verify=self.sa_cert_path, timeout=(10, 60))
+        self.logger.debug("Receiving token response......\n{}\n".format(pprint.pformat(
+            {"status_code": response.status_code, "url": response.url, "header": dict(response.headers.items()),
+             "reason": response.reason}, indent=2)))
+
+        if not response.ok:
+            raise oci.exceptions.ServiceError(
+                response.status_code,
+                response.reason,
+                response.headers,
+                "Failed to get RPST token from proxymux")
+
+        try:
+            decoded_response = base64.b64decode(response.content).decode("UTF-8")
+        except ValueError:
+            error_text = "Unable to decode the response from auth service ({}): {}. Please contact OKE team for help.".format(self.proxymux_endpoint, response.text)
+            raise RuntimeError(error_text)
+
+        if 'token' in decoded_response:
+            response_json = json.loads(decoded_response)
+            self.security_token = SecurityTokenContainer(self.session_key_supplier, response_json['token'][3:])
+        else:
+            error_text = "Could not find token in the decoded response from auth service ({}): {}.".format(self.proxymux_endpoint, decoded_response)
+            raise RuntimeError(error_text)

oci/auth/signers/resource_principals_federation_signer.py

@@ -29,7 +29,7 @@ class ResourcePrincipalsFederationSigner(SecurityTokenSigner):
                                                         path for resource principal token. If not set, use
                                                         DefaultRptPathProvider to determine the path
         """
-        self.resource_principal_token_path_provider = resource_principal_token_path_provider or DefaultRptPathProvider()
+        self.resource_principal_token_path_provider = resource_principal_token_path_provider or DefaultRptPathProvider(**kwargs)
         self.resource_principal_token_path = self.resource_principal_token_path_provider.get_path()
 
         self._reset_signers_lock = threading.Lock()

oci/auth/signers/resource_principals_signer.py

@@ -8,6 +8,9 @@ from .resource_principals_delegation_token_signer import ResourcePrincipalsDeleg
 from .ephemeral_resource_principals_signer import EphemeralResourcePrincipalSigner
 from .ephemeral_resource_principals_delegation_token_signer import EphemeralResourcePrincipalsDelegationTokenSigner
 from .ephemeral_resource_principals_v21_signer import EphemeralResourcePrincipalV21Signer
+from .oke_workload_identity_resource_principal_signer import OkeWorkloadIdentityResourcePrincipalSigner
+from ..rpt_path_providers import DefaultServiceAccountTokenProvider, SuppliedServiceAccountTokenProvider
+from .nested_resource_principals_signer import NestedResourcePrincipals
 
 OCI_RESOURCE_PRINCIPAL_VERSION = "OCI_RESOURCE_PRINCIPAL_VERSION"
 OCI_RESOURCE_PRINCIPAL_RPST = "OCI_RESOURCE_PRINCIPAL_RPST"
@@ -19,6 +22,33 @@ OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT = "OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT"
 OCI_RESOURCE_PRINCIPAL_RESOURCE_ID = "OCI_RESOURCE_PRINCIPAL_RESOURCE_ID"
 OCI_RESOURCE_PRINCIPAL_TENANCY_ID = "OCI_RESOURCE_PRINCIPAL_TENANCY_ID"
 
+# Resource Principal v3.0
+OCI_RESOURCE_PRINCIPAL_VERSION_FOR_LEAF_RESOURCE = "OCI_RESOURCE_PRINCIPAL_VERSION_FOR_LEAF_RESOURCE"
+# For 1.1 LEAF-resource
+OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT_FOR_LEAF_RESOURCE = "OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT_FOR_LEAF_RESOURCE"
+OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_LEAF_RESOURCE = "OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_LEAF_RESOURCE"
+# For 2.2 LEAF-resource
+OCI_RESOURCE_PRINCIPAL_RPST_FOR_LEAF_RESOURCE = "OCI_RESOURCE_PRINCIPAL_RPST_FOR_LEAF_RESOURCE"
+OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_FOR_LEAF_RESOURCE = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_FOR_LEAF_RESOURCE"
+OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE_FOR_LEAF_RESOURCE = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE_FOR_LEAF_RESOURCE"
+OCI_RESOURCE_PRINCIPAL_REGION_FOR_LEAF_RESOURCE = "OCI_RESOURCE_PRINCIPAL_REGION_FOR_LEAF_RESOURCE"
+# For 2.1/2.1.1 LEAF-resource
+OCI_RESOURCE_PRINCIPAL_RESOURCE_ID_FOR_LEAF_RESOURCE = "OCI_RESOURCE_PRINCIPAL_RESOURCE_ID_FOR_LEAF_RESOURCE"
+OCI_RESOURCE_PRINCIPAL_TENANCY_ID_FOR_LEAF_RESOURCE = "OCI_RESOURCE_PRINCIPAL_TENANCY_ID_FOR_LEAF_RESOURCE"
+# For Parent Resource
+OCI_RESOURCE_PRINCIPAL_RPT_URL_FOR_PARENT_RESOURCE = "OCI_RESOURCE_PRINCIPAL_RPT_URL_FOR_PARENT_RESOURCE"
+OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT_FOR_PARENT_RESOURCE = "OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT_FOR_PARENT_RESOURCE"
+OCI_RESOURCE_PRINCIPAL_RPT_PATH_FOR_PARENT_RESOURCE = "OCI_RESOURCE_PRINCIPAL_RPT_PATH_FOR_PARENT_RESOURCE"
+OCI_RESOURCE_PRINCIPAL_RPT_ID_FOR_PARENT_RESOURCE = "OCI_RESOURCE_PRINCIPAL_RPT_ID_FOR_PARENT_RESOURCE"
+OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_PARENT_RESOURCE = "OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_PARENT_RESOURCE"
+MAX_NESTED_PARENT_DEPTH = 10
+
+OCI_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+DEFAULT_OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH = "OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH"
+OCI_KUBERNETES_PROXYMUX_SERVICE_PORT = "12250"
+KUBERNETES_SERVICE_HOST = "KUBERNETES_SERVICE_HOST"
+
 
 def get_resource_principals_signer(resource_principal_token_path_provider=None):
     """
@@ -30,6 +60,95 @@ def get_resource_principals_signer(resource_principal_token_path_provider=None):
     """
 
     rp_version = os.environ.get(OCI_RESOURCE_PRINCIPAL_VERSION, "UNDEFINED")
+    if rp_version == "3.0":
+        """
+            This signer utilizes a resource principals signer for the LEAF-resource, via the following environment variable:-
+            - OCI_RESOURCE_PRINCIPAL_VERSION_FOR_LEAF_RESOURCE
+                Based on the value of this variable we need different environment variable set.
+
+            For 1.1 it needs:
+            - OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT_FOR_LEAF_RESOURCE The endpoint for retrieving the Resource Principal Token for LEAF-resource
+            - OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_LEAF_RESOURCE The endpoint for retrieving the Resource Principal Session Token for LEAF-resource
+
+            For 2.1/2.1.1 it needs:
+            - OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT_FOR_LEAF_RESOURCE: The endpoint for retrieving the Resource Principal Token
+            - OCI_RESOURCE_PRINCIPAL_RESOURCE_ID_FOR_LEAF_RESOURCE: The RPv2.1/Rpv2.1.1 resource id
+            - OCI_RESOURCE_PRINCIPAL_TENANCY_ID_FOR_LEAF_RESOURCE: The RPv2.1.1 tenancy id
+            - OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_FOR_LEAF_RESOURCE: The private key in PEM format
+            - OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE_FOR_LEAF_RESOURCE: The (optional) passphrase for the private key
+            - OCI_RESOURCE_PRINCIPAL_REGION_FOR_LEAF_RESOURCE: the canonical region name
+
+            For 2.2 it needs:
+            - OCI_RESOURCE_PRINCIPAL_RPST_FOR_LEAF_RESOURCE: the Resource Principals Session Token
+            - OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_FOR_LEAF_RESOURCE: the private key in PEM format
+            - OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE_FOR_LEAF_RESOURCE: the (optional) passphrase for the private key
+            - OCI_RESOURCE_PRINCIPAL_REGION_FOR_LEAF_RESOURCE: the canonical region name
+
+            For the Parent resource the following environment variables need to be set:-
+            - OCI_RESOURCE_PRINCIPAL_RPT_URL_FOR_PARENT_RESOURCE: The complete URL including API and resource if any to retrieve Resource Principal Token for the parent resource.
+            - OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_PARENT_RESOURCE: The endpoint for retrieving the Resource Principal Session Token for parent resource
+        """
+        # Step 1: Get the Resource Principals signer for the sub resource.
+        resource_principal_version_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_VERSION_FOR_LEAF_RESOURCE)
+        if resource_principal_version_for_leaf_resource == "2.2":
+            resource_session_token_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPST_FOR_LEAF_RESOURCE)
+            private_key_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_FOR_LEAF_RESOURCE)
+            private_key_passphrase_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE_FOR_LEAF_RESOURCE)
+            region_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_REGION_FOR_LEAF_RESOURCE)
+
+            leaf_resource_rp_signer = EphemeralResourcePrincipalSigner(session_token=resource_session_token_for_leaf_resource,
+                                                                       private_key=private_key_for_leaf_resource,
+                                                                       private_key_passphrase=private_key_passphrase_for_leaf_resource,
+                                                                       region=region_for_leaf_resource)
+        elif resource_principal_version_for_leaf_resource in ["2.1", "2.1.1"]:
+            resource_principal_token_endpoint_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT_FOR_LEAF_RESOURCE)
+            resource_principal_session_token_endpoint_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_LEAF_RESOURCE)
+            resource_id_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_RESOURCE_ID_FOR_LEAF_RESOURCE)
+            tenancy_id_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_TENANCY_ID_FOR_LEAF_RESOURCE)
+            private_key_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_FOR_LEAF_RESOURCE)
+            private_key_passphrase_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE_FOR_LEAF_RESOURCE)
+            region_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_REGION_FOR_LEAF_RESOURCE)
+
+            leaf_resource_rp_signer = EphemeralResourcePrincipalV21Signer(resource_principal_token_endpoint=resource_principal_token_endpoint_for_leaf_resource,
+                                                                          resource_principal_session_token_endpoint=resource_principal_session_token_endpoint_for_leaf_resource,
+                                                                          resource_id=resource_id_for_leaf_resource,
+                                                                          tenancy_id=tenancy_id_for_leaf_resource,
+                                                                          private_key=private_key_for_leaf_resource,
+                                                                          private_key_passphrase=private_key_passphrase_for_leaf_resource,
+                                                                          rp_version=rp_version,
+                                                                          region=region_for_leaf_resource)
+        elif resource_principal_version_for_leaf_resource == "1.1":
+            resource_principal_token_endpoint_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT_FOR_LEAF_RESOURCE)
+            resource_principal_session_token_endpoint_for_leaf_resource = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_LEAF_RESOURCE)
+            leaf_resource_rp_signer = ResourcePrincipalsFederationSigner(resource_principal_token_endpoint=resource_principal_token_endpoint_for_leaf_resource,
+                                                                         resource_principal_session_token_endpoint=resource_principal_session_token_endpoint_for_leaf_resource,
+                                                                         resource_principal_token_path_provider=resource_principal_token_path_provider,
+                                                                         child_resource=True)
+        else:
+            raise EnvironmentError("Unsupported {}: {}".format(OCI_RESOURCE_PRINCIPAL_VERSION_FOR_LEAF_RESOURCE, resource_principal_version_for_leaf_resource))
+
+        # Get values for First Parent Resource
+        resource_principal_rpt_url = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPT_URL_FOR_PARENT_RESOURCE)
+        resource_principal_session_token_endpoint = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_PARENT_RESOURCE)
+        nested_resource_principal = NestedResourcePrincipals(resource_principal_rpt_url=resource_principal_rpt_url,
+                                                             resource_principal_session_token_endpoint=resource_principal_session_token_endpoint,
+                                                             sub_resource_rp_signer=leaf_resource_rp_signer)
+
+        # Terminal case when we reach terminal parent.
+        if nested_resource_principal.nested_parent_rpt_url is None:
+            return nested_resource_principal
+        # If the recursion level for N level parent reaches MAX_NESTED_PARENT_DEPTH or the response HEADER contains
+        # the same endpoint as the one it already has we will treat it as the terminal condition for recursion end
+        elif nested_resource_principal.current_parent_depth >= MAX_NESTED_PARENT_DEPTH \
+                or nested_resource_principal.nested_parent_rpt_url == nested_resource_principal.resource_principal_token_endpoint:
+            raise AttributeError("The nested resource principals went over the max allowed recursion {}, or detected a cycle!".format(MAX_NESTED_PARENT_DEPTH))
+        # We have another parent, so we create a new signer based off that
+        else:
+            return NestedResourcePrincipals(resource_principal_rpt_url=nested_resource_principal.nested_parent_rpt_url,
+                                            resource_principal_session_token_endpoint=resource_principal_session_token_endpoint,
+                                            sub_resource_rp_signer=nested_resource_principal,
+                                            current_parent_depth=nested_resource_principal.current_parent_depth + 1)
+
     if rp_version == "2.2":
         """
         This signer takes its configuration from the following environment variables.
@@ -49,7 +168,7 @@ def get_resource_principals_signer(resource_principal_token_path_provider=None):
 
         - OCI_RESOURCE_PRINCIPAL_REGION: the canonical region name
 
-            This is utilised in locating the "local" endpoints of services.
+            This is utilized in locating the "local" endpoints of services.
         """
         session_token = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPST)
         private_key = os.environ.get(OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM)
@@ -70,6 +189,7 @@ def get_resource_principals_signer(resource_principal_token_path_provider=None):
             - OCI_RESOURCE_PRINCIPAL_TENANCY_ID: The RPv2.1.1 tenancy id
             - OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM: The private key in PEM format
             - OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE: The (optional) passphrase for the private key
+            - OCI_RESOURCE_PRINCIPAL_REGION: The (optional) canonical region name
         """
         resource_principal_token_endpoint = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT)
         resource_principal_session_token_endpoint = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT)
@@ -77,6 +197,7 @@ def get_resource_principals_signer(resource_principal_token_path_provider=None):
         tenancy_id = os.environ.get(OCI_RESOURCE_PRINCIPAL_TENANCY_ID)
         private_key = os.environ.get(OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM)
         private_key_passphrase = os.environ.get(OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE)
+        region = os.environ.get(OCI_RESOURCE_PRINCIPAL_REGION)
 
         return EphemeralResourcePrincipalV21Signer(resource_principal_token_endpoint=resource_principal_token_endpoint,
                                                    resource_principal_session_token_endpoint=resource_principal_session_token_endpoint,
@@ -84,13 +205,14 @@ def get_resource_principals_signer(resource_principal_token_path_provider=None):
                                                    tenancy_id=tenancy_id,
                                                    private_key=private_key,
                                                    private_key_passphrase=private_key_passphrase,
-                                                   rp_version=rp_version)
+                                                   rp_version=rp_version,
+                                                   region=region)
 
     elif rp_version == "1.1":
         """
-        This signer takes its configuration from the following environement variables
+        This signer takes its configuration from the following environment variables
         - OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT
-            The endpoint for retreiving the Resource Principal Token
+            The endpoint for retrieving the Resource Principal Token
         - OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT
             The endpoint for retrieving the Resource Principal Session Token
         """
@@ -135,7 +257,7 @@ def get_resource_principal_delegation_token_signer(delegation_token, resource_pr
 
         - OCI_RESOURCE_PRINCIPAL_REGION: the canonical region name
 
-            This is utilised in locating the "local" endpoints of services.
+            This is utilized in locating the "local" endpoints of services.
         """
         session_token = os.environ.get(OCI_RESOURCE_PRINCIPAL_RPST)
         private_key = os.environ.get(OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM)
@@ -160,3 +282,25 @@ def get_resource_principal_delegation_token_signer(delegation_token, resource_pr
         raise EnvironmentError("{} is not defined".format(OCI_RESOURCE_PRINCIPAL_VERSION))
     else:
         raise EnvironmentError("Unsupported {}: {}".format(OCI_RESOURCE_PRINCIPAL_VERSION, rp_version))
+
+
+def get_oke_workload_identity_resource_principal_signer(service_account_token_path=None, service_account_token=None, **kwargs):
+    sa_cert_path = os.environ.get(OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH, None)
+    if sa_cert_path is None:
+        sa_cert_path = DEFAULT_OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH
+
+    if service_account_token is None:
+        sa_token_provider = DefaultServiceAccountTokenProvider()
+        if service_account_token_path is not None:
+            sa_token_provider.override_sa_token_path(service_account_token_path)
+    else:
+        sa_token_provider = SuppliedServiceAccountTokenProvider(token_string=service_account_token)
+    service_host = os.environ.get(KUBERNETES_SERVICE_HOST)
+    region = os.environ.get(OCI_RESOURCE_PRINCIPAL_REGION)
+
+    return OkeWorkloadIdentityResourcePrincipalSigner(sa_token_provider=sa_token_provider,
+                                                      sa_cert_path=sa_cert_path,
+                                                      service_host=service_host,
+                                                      service_port=OCI_KUBERNETES_PROXYMUX_SERVICE_PORT,
+                                                      region=region,
+                                                      **kwargs)