Module: Google::Auth::Extras

Extended by:
Extras
Included in:
Extras
Defined in:
lib/google/auth/extras.rb,
lib/google/auth/extras/version.rb,
lib/google/auth/extras/token_info.rb,
lib/google/auth/extras/static_credential.rb,
lib/google/auth/extras/impersonated_credential.rb,
lib/google/auth/extras/identity_credential_refresh_patch.rb

Overview

This module provides some extra features not supported in the normal googleauth gem.

Defined Under Namespace

Modules: IdentityCredentialRefreshPatch, TokenInfo Classes: ImpersonatedCredential, RefreshNotSupported, StaticCredential

Constant Summary collapse

VERSION = 
'0.4.0'

Instance Method Summary collapse

Instance Method Details

#impersonated_authorization(email_address:, base_credentials: nil, delegate_email_addresses: nil, include_email: nil, lifetime: nil, quota_project_id: nil, scope: nil, target_audience: nil) ⇒ Google::Auth::Extras::ImpersonatedCredential

A credential that impersonates a service account. For usage with the older style GCP Ruby SDKs from the google-apis-* gems.

The ‘email_address` of the service account to impersonate may be the exact same as the one represented in `base_credentials` for any desired situation but a handy usage is for going from and access token to an ID token (aka using `target_audience`).

Parameters:

  • base_credentials (Hash, String, Signet::OAuth2::Client) (defaults to: nil)

    Credentials to use to impersonate the provided email address.

  • delegate_email_addresses (String, Array<String>) (defaults to: nil)

    The list of email address if there are intermediate service accounts that need to be impersonated using delegation.

  • email_address (String)

    Email of the service account to impersonate.

  • include_email (Boolean) (defaults to: nil)

    Include the service account email in the token. If set to true, the token will contain email and email_verified claims. Only supported when using a target_audience.

  • lifetime (String) (defaults to: nil)

    The desired lifetime (in seconds) of the token before needing to be refreshed. Defaults to 1h, adjust as needed given a refresh is automatically performed when the token less than 60s of remaining life and refresh requires an additional API call. Only supported when not using a target_audience.

  • quota_project_id (String) (defaults to: nil)

    The project ID used for quota and billing. This project may be different from the project used to create the credentials.

  • scope (String, Array<String>) (defaults to: nil)

    The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array. Only supported when not using a target_audience.

Returns:

See Also:



68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
 
# File 'lib/google/auth/extras.rb', line 68

def impersonated_authorization(
  email_address:,
  base_credentials: nil,
  delegate_email_addresses: nil,
  include_email: nil,
  lifetime: nil,
  quota_project_id: nil,
  scope: nil,
  target_audience: nil
)
  ImpersonatedCredential.new(
    base_credentials: base_credentials,
    delegate_email_addresses: delegate_email_addresses,
    email_address: email_address,
    include_email: include_email,
    lifetime: lifetime,
    quota_project_id: quota_project_id,
    scope: scope,
    target_audience: target_audience,
  )
end

#impersonated_credential(email_address:, base_credentials: nil, delegate_email_addresses: nil, include_email: nil, lifetime: nil, quota_project_id: nil, scope: nil, target_audience: nil) ⇒ Google::Auth::Credential<Google::Auth::Extras::ImpersonatedCredential>

A credential that impersonates a service account. For usage with the newer style GCP Ruby SDKs from the google-cloud-* gems.

Parameters:

  • base_credentials (Hash, String, Signet::OAuth2::Client) (defaults to: nil)

    Credentials to use to impersonate the provided email address.

  • delegate_email_addresses (String, Array<String>) (defaults to: nil)

    The list of email address if there are intermediate service accounts that need to be impersonated using delegation.

  • email_address (String)

    Email of the service account to impersonate.

  • include_email (Boolean) (defaults to: nil)

    Include the service account email in the token. If set to true, the token will contain email and email_verified claims. Only supported when using a target_audience.

  • lifetime (String) (defaults to: nil)

    The desired lifetime (in seconds) of the token before needing to be refreshed. Defaults to 1h, adjust as needed given a refresh is automatically performed when the token less than 60s of remaining life and refresh requires an additional API call. Only supported when not using a target_audience.

  • quota_project_id (String) (defaults to: nil)

    The project ID used for quota and billing. This project may be different from the project used to create the credentials.

  • scope (String, Array<String>) (defaults to: nil)

    The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array. Only supported when not using a target_audience.

Returns:

See Also:



130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
 
# File 'lib/google/auth/extras.rb', line 130

def impersonated_credential(
  email_address:,
  base_credentials: nil,
  delegate_email_addresses: nil,
  include_email: nil,
  lifetime: nil,
  quota_project_id: nil,
  scope: nil,
  target_audience: nil
)
  wrap_authorization(
    impersonated_authorization(
      base_credentials: base_credentials,
      delegate_email_addresses: delegate_email_addresses,
      email_address: email_address,
      include_email: include_email,
      lifetime: lifetime,
      quota_project_id: quota_project_id,
      scope: scope,
      target_audience: target_audience,
    ),
  )
end

#static_authorization(token, quota_project_id: nil) ⇒ Google::Auth::Extras::StaticCredential

A credential using a static access token. For usage with the older style GCP Ruby SDKs from the google-apis-* gems.

Parameters:

  • token (String)

    The access token to use.

  • quota_project_id (String) (defaults to: nil)

    The project ID used for quota and billing. This project may be different from the project used to create the credentials.

Returns:



167
168
169
 
# File 'lib/google/auth/extras.rb', line 167

def static_authorization(token, quota_project_id: nil)
  StaticCredential.new(access_token: token, quota_project_id: quota_project_id)
end

#static_credential(token, quota_project_id: nil) ⇒ Google::Auth::Credential<Google::Auth::Extras::StaticCredential>

A credential using a static access token. For usage with the newer style GCP Ruby SDKs from the google-cloud-* gems.

Parameters:

  • token (String)

    The access token to use.

  • quota_project_id (String) (defaults to: nil)

    The project ID used for quota and billing. This project may be different from the project used to create the credentials.

Returns:



183
184
185
 
# File 'lib/google/auth/extras.rb', line 183

def static_credential(token, quota_project_id: nil)
  wrap_authorization(static_authorization(token, quota_project_id: quota_project_id))
end

#wrap_authorization(client) ⇒ Google::Auth::Credential

Take an authorization and turn it into a credential, primarily used for setting up both the old and new style SDKs.

Parameters:

  • client (Signet::OAuth2::Client)

    Authorization credential to wrap.

Returns:

  • (Google::Auth::Credential) 


195
196
197
 
# File 'lib/google/auth/extras.rb', line 195

def wrap_authorization(client)
  ::Google::Auth::Credentials.new(client)
end