class Google::Auth::ExternalAccount::Credentials

Provides an entrypoint for all External Account credential classes.

def self.make_creds options = {}

Raises:
  • (Google::Auth::InitializationError) - If the json file is missing or lacks required fields.

Returns:
  • (Google::Auth::ExternalAccount::AwsCredentials, ) - Google::Auth::ExternalAccount::AwsCredentials,

Options Hash: (**options)
  • :scope (String, Array, nil) -- The scope(s) to access
  • :json_key_io (IO) -- An IO object containing the JSON key

Parameters:
  • options (Hash) -- Options for creating credentials
# Builds an external account credential from a JSON key.
#
# The IO is consumed twice: once by the loader's type check and once by
# read_json_key, so load_and_verify_json_key_type is assumed to leave the
# stream readable again (rewind) — TODO confirm against CredentialsLoader.
#
# @param options [Hash] Options for creating credentials
# @option options [IO] :json_key_io An IO object containing the JSON key
# @option options [String, Array, nil] :scope The scope(s) to access
# @return [Google::Auth::ExternalAccount::AwsCredentials,
#   Google::Auth::ExternalAccount::IdentityPoolCredentials,
#   Google::Auth::ExternalAccount::PluggableAuthCredentials]
# @raise [Google::Auth::InitializationError] if no IO is given, the JSON
#   lacks required fields, or no credential source is present
def self.make_creds options = {}
  io = options[:json_key_io]
  requested_scope = options[:scope]
  raise InitializationError, "A json file is required for external account credentials." unless io

  CredentialsLoader.load_and_verify_json_key_type io, CREDENTIAL_TYPE_NAME
  key = read_json_key io

  # The subject token type alone selects the AWS flavor; every other
  # source is dispatched on the shape of its credential_source.
  if key[:subject_token_type] == AWS_SUBJECT_TOKEN_TYPE
    make_aws_credentials key, requested_scope
  else
    raise InitializationError, MISSING_CREDENTIAL_SOURCE if key[:credential_source].nil?
    key[:scope] = requested_scope
    make_external_account_credentials key
  end
end

def self.read_json_key json_key_io

Raises:
  • (Google::Auth::InitializationError) - If the JSON is missing required fields

Returns:
  • (Hash) - The parsed JSON key

Parameters:
  • json_key_io (IO) -- An IO object containing the JSON key
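# Parses the JSON key and verifies the mandatory external-account fields.
#
# @param json_key_io [IO] An IO object containing the JSON key
# @return [Hash] The parsed JSON key with symbolized keys
# @raise [Google::Auth::InitializationError] if the JSON is not an object
#   or is missing a required field
def self.read_json_key json_key_io
  json_key = MultiJson.load json_key_io.read, symbolize_keys: true
  # A JSON array or scalar parses successfully but is not a usable key;
  # reject it here instead of failing with NoMethodError on #key? below.
  raise InitializationError, "the json key must be a JSON object" unless json_key.is_a? Hash

  wanted = %i[audience subject_token_type token_url credential_source]
  # Report the first missing field, in the same order as before.
  missing = wanted.find { |key| !json_key.key? key }
  raise InitializationError, "the json is missing the #{missing} field" if missing

  json_key
end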

def make_aws_credentials user_creds, scope

Returns:
  • (Google::Auth::ExternalAccount::AwsCredentials) - The AWS credentials

Parameters:
  • scope (String, Array, nil) -- The scope(s) to access
  • user_creds (Hash) -- The user credentials containing AWS credential source information
# Wraps an AWS-sourced external account key in AwsCredentials.
#
# Every field is passed explicitly (nil when absent) rather than sliced
# from the hash, so the constructor always receives the same keyword set.
#
# @param user_creds [Hash] The user credentials containing AWS credential source information
# @param scope [String, Array, nil] The scope(s) to access
# @return [Google::Auth::ExternalAccount::AwsCredentials] The AWS credentials
def make_aws_credentials user_creds, scope
  passthrough = %i[
    audience subject_token_type token_url credential_source
    service_account_impersonation_url universe_domain
  ]
  attrs = passthrough.each_with_object({}) { |field, acc| acc[field] = user_creds[field] }
  Google::Auth::ExternalAccount::AwsCredentials.new(scope: scope, **attrs)
end

def make_external_account_credentials user_creds

Raises:
  • (Google::Auth::InitializationError) - If the credential source is not a supported type

Returns:
  • (Google::Auth::ExternalAccount::IdentityPoolCredentials, ) - Google::Auth::ExternalAccount::IdentityPoolCredentials,

Parameters:
  • user_creds (Hash) -- The user credentials containing credential source information
# Selects the concrete credential class from the credential_source shape.
#
# A file or url source maps to an identity pool; an executable source maps
# to pluggable auth (presumably that class runs the configured executable —
# confirm how that path is gated in PluggableAuthCredentials). Anything
# else is rejected. Callers are expected to have checked that
# credential_source is present.
#
# @param user_creds [Hash] The user credentials containing credential source information
# @return [Google::Auth::ExternalAccount::IdentityPoolCredentials,
#   Google::Auth::ExternalAccount::PluggableAuthCredentials]
# @raise [Google::Auth::InitializationError] if the credential source is not a supported type
def make_external_account_credentials user_creds
  source = user_creds[:credential_source]
  # Presence is decided by nil checks only, so an explicit false still counts as present.
  pool_source = %i[file url].any? { |k| !source[k].nil? }
  return Google::Auth::ExternalAccount::IdentityPoolCredentials.new user_creds if pool_source
  return Google::Auth::ExternalAccount::PluggableAuthCredentials.new user_creds unless source[:executable].nil?

  raise InitializationError, INVALID_EXTERNAL_ACCOUNT_TYPE
end