Class: Google::Auth::ServiceAccountCredentials

Inherits:

Signet::OAuth2::Client

Object
Signet::OAuth2::Client
Google::Auth::ServiceAccountCredentials

Extended by:: CredentialsLoader, JsonKeyReader

Defined in:: lib/googleauth/service_account.rb

Overview

Authenticates requests using Google's Service Account credentials via an OAuth access token.

This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via 'Generate new Json Key').

cf Application Default Credentials

Constant Summary collapse

TOKEN_CRED_URI =

"https://www.googleapis.com/oauth2/v4/token".freeze

Constants included from CredentialsLoader

Constants included from BaseClient

BaseClient::AUTH_METADATA_KEY

Instance Attribute Summary collapse

#project_id ⇒ Object readonly
Returns the value of attribute project_id.
#quota_project_id ⇒ Object readonly
Returns the value of attribute quota_project_id.

Attributes inherited from Signet::OAuth2::Client

#universe_domain

Class Method Summary collapse

.make_creds(options = {}) ⇒ Object
Creates a ServiceAccountCredentials.
.unescape(str) ⇒ Object
Handles certain escape sequences that sometimes appear in input.

Instance Method Summary collapse

#apply!(a_hash, opts = {}) ⇒ Object
Extends the base class to use a transient ServiceAccountJwtHeaderCredentials for certain cases.
#enable_self_signed_jwt? ⇒ Boolean
#initialize(options = {}) ⇒ ServiceAccountCredentials constructor
A new instance of ServiceAccountCredentials.

Constructor Details

#initialize(options = {}) ⇒ `ServiceAccountCredentials`

Returns a new instance of ServiceAccountCredentials.

# File 'lib/googleauth/service_account.rb', line 88

def initialize options = {}
  @project_id = options[:project_id]
  @quota_project_id = options[:quota_project_id]
  @enable_self_signed_jwt = options[:enable_self_signed_jwt] ? true : false
  super options
end

Instance Attribute Details

#project_id ⇒ `Object` (readonly)

Returns the value of attribute project_id.



38
39
40

# File 'lib/googleauth/service_account.rb', line 38

def project_id
  @project_id
end

#quota_project_id ⇒ `Object` (readonly)

Returns the value of attribute quota_project_id.



39
40
41

# File 'lib/googleauth/service_account.rb', line 39

def quota_project_id
  @quota_project_id
end

Class Method Details

.make_creds(options = {}) ⇒ `Object`

Creates a ServiceAccountCredentials.

Parameters:

json_key_io (IO) —
an IO from which the JSON key can be read
scope (string|array|nil) —
the scope(s) to access

Raises:

(ArgumentError)

# File 'lib/googleauth/service_account.rb', line 49

def self.make_creds options = {}
  json_key_io, scope, enable_self_signed_jwt, target_audience, audience, token_credential_uri =
    options.values_at :json_key_io, :scope, :enable_self_signed_jwt, :target_audience,
                      :audience, :token_credential_uri
  raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience

  if json_key_io
    private_key, client_email, project_id, quota_project_id, universe_domain = read_json_key json_key_io
  else
    private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
    client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
    project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
    quota_project_id = nil
    universe_domain = nil
  end
  project_id ||= CredentialsLoader.load_gcloud_project_id

  new(token_credential_uri:   token_credential_uri || TOKEN_CRED_URI,
      audience:               audience || TOKEN_CRED_URI,
      scope:                  scope,
      enable_self_signed_jwt: enable_self_signed_jwt,
      target_audience:        target_audience,
      issuer:                 client_email,
      signing_key:            OpenSSL::PKey::RSA.new(private_key),
      project_id:             project_id,
      quota_project_id:       quota_project_id,
      universe_domain:        universe_domain || "googleapis.com")
    .configure_connection(options)
end

.unescape(str) ⇒ `Object`

Handles certain escape sequences that sometimes appear in input. Specifically, interprets the "\n" sequence for newline, and removes enclosing quotes.

# File 'lib/googleauth/service_account.rb', line 82

def self.unescape str
  str = str.gsub '\n', "\n"
  str = str[1..-2] if str.start_with?('"') && str.end_with?('"')
  str
end

Instance Method Details

#apply!(a_hash, opts = {}) ⇒ `Object`

Extends the base class to use a transient ServiceAccountJwtHeaderCredentials for certain cases.

# File 'lib/googleauth/service_account.rb', line 97

def apply! a_hash, opts = {}
  # Use a self-singed JWT if there's no information that can be used to
  # obtain an OAuth token, OR if there are scopes but also an assertion
  # that they are default scopes that shouldn't be used to fetch a token,
  # OR we are not in the default universe and thus OAuth isn't supported.
  if target_audience.nil? && (scope.nil? || enable_self_signed_jwt? || universe_domain != "googleapis.com")
    apply_self_signed_jwt! a_hash
  else
    super
  end
end

#enable_self_signed_jwt? ⇒ `Boolean`

Returns:

(Boolean)



41
42
43

# File 'lib/googleauth/service_account.rb', line 41

def enable_self_signed_jwt?
  @enable_self_signed_jwt
end

Class: Google::Auth::ServiceAccountCredentials

Overview

Constant Summary collapse

Constants included from CredentialsLoader

Constants included from BaseClient

Instance Attribute Summary collapse

Attributes inherited from Signet::OAuth2::Client

Class Method Summary collapse

Instance Method Summary collapse

Methods included from CredentialsLoader

Methods included from JsonKeyReader

Methods inherited from Signet::OAuth2::Client

Methods included from BaseClient

Constructor Details

#initialize(options = {}) ⇒ ServiceAccountCredentials

Instance Attribute Details

#project_id ⇒ Object (readonly)

#quota_project_id ⇒ Object (readonly)

Class Method Details

.make_creds(options = {}) ⇒ Object

.unescape(str) ⇒ Object