Class: Google::Auth::ServiceAccountCredentials
- Inherits:
-
Signet::OAuth2::Client
- Object
- Signet::OAuth2::Client
- Google::Auth::ServiceAccountCredentials
- Extended by:
- CredentialsLoader, JsonKeyReader
- Defined in:
- lib/googleauth/service_account.rb
Overview
Authenticates requests using Google's Service Account credentials via an OAuth access token.
This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via 'Generate new Json Key').
Constant Summary collapse
- TOKEN_CRED_URI =
"https://www.googleapis.com/oauth2/v4/token".freeze
Constants included from CredentialsLoader
CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH
Constants included from BaseClient
Instance Attribute Summary collapse
-
#project_id ⇒ Object
readonly
Returns the value of attribute project_id.
-
#quota_project_id ⇒ Object
readonly
Returns the value of attribute quota_project_id.
Class Method Summary collapse
-
.make_creds(options = {}) ⇒ Object
Creates a ServiceAccountCredentials.
-
.unescape(str) ⇒ Object
Handles certain escape sequences that sometimes appear in input.
Instance Method Summary collapse
-
#apply!(a_hash, opts = {}) ⇒ Object
Extends the base class to use a transient ServiceAccountJwtHeaderCredentials for certain cases.
- #enable_self_signed_jwt? ⇒ Boolean
-
#initialize(options = {}) ⇒ ServiceAccountCredentials
constructor
A new instance of ServiceAccountCredentials.
Methods included from CredentialsLoader
from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds
Methods included from JsonKeyReader
Methods inherited from Signet::OAuth2::Client
#build_default_connection, #configure_connection, #fetch_access_token!, #orig_fetch_access_token!, #retry_with_error, #token_type
Methods included from BaseClient
#apply, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc
Constructor Details
#initialize(options = {}) ⇒ ServiceAccountCredentials
Returns a new instance of ServiceAccountCredentials.
86 87 88 89 90 91 |
# File 'lib/googleauth/service_account.rb', line 86 def initialize = {} @project_id = [:project_id] @quota_project_id = [:quota_project_id] @enable_self_signed_jwt = [:enable_self_signed_jwt] ? true : false super end |
Instance Attribute Details
#project_id ⇒ Object (readonly)
Returns the value of attribute project_id.
38 39 40 |
# File 'lib/googleauth/service_account.rb', line 38 def project_id @project_id end |
#quota_project_id ⇒ Object (readonly)
Returns the value of attribute quota_project_id.
39 40 41 |
# File 'lib/googleauth/service_account.rb', line 39 def quota_project_id @quota_project_id end |
Class Method Details
.make_creds(options = {}) ⇒ Object
Creates a ServiceAccountCredentials.
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 |
# File 'lib/googleauth/service_account.rb', line 49 def self.make_creds = {} json_key_io, scope, enable_self_signed_jwt, target_audience, audience, token_credential_uri = .values_at :json_key_io, :scope, :enable_self_signed_jwt, :target_audience, :audience, :token_credential_uri raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience if json_key_io private_key, client_email, project_id, quota_project_id = read_json_key json_key_io else private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR] client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR] project_id = ENV[CredentialsLoader::PROJECT_ID_VAR] quota_project_id = nil end project_id ||= CredentialsLoader.load_gcloud_project_id new(token_credential_uri: token_credential_uri || TOKEN_CRED_URI, audience: audience || TOKEN_CRED_URI, scope: scope, enable_self_signed_jwt: enable_self_signed_jwt, target_audience: target_audience, issuer: client_email, signing_key: OpenSSL::PKey::RSA.new(private_key), project_id: project_id, quota_project_id: quota_project_id) .configure_connection() end |
.unescape(str) ⇒ Object
Handles certain escape sequences that sometimes appear in input. Specifically, interprets the "\n" sequence for newline, and removes enclosing quotes.
80 81 82 83 84 |
# File 'lib/googleauth/service_account.rb', line 80 def self.unescape str str = str.gsub '\n', "\n" str = str[1..-2] if str.start_with?('"') && str.end_with?('"') str end |
Instance Method Details
#apply!(a_hash, opts = {}) ⇒ Object
Extends the base class to use a transient ServiceAccountJwtHeaderCredentials for certain cases.
95 96 97 98 99 100 101 102 103 104 |
# File 'lib/googleauth/service_account.rb', line 95 def apply! a_hash, opts = {} # Use a self-singed JWT if there's no information that can be used to # obtain an OAuth token, OR if there are scopes but also an assertion # that they are default scopes that shouldn't be used to fetch a token. if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?) apply_self_signed_jwt! a_hash else super end end |
#enable_self_signed_jwt? ⇒ Boolean
41 42 43 |
# File 'lib/googleauth/service_account.rb', line 41 def enable_self_signed_jwt? @enable_self_signed_jwt end |