class Google::Auth::ExternalAccount::IdentityPoolCredentials
provider then exchanging the credentials for a short-lived Google Cloud access token.
This module handles the retrieval of credentials from Google Cloud by utilizing any 3PI
def file_data
-
(Google::Auth::CredentialsError)- If the source file doesn't exist
Returns:
-
(Array(String, String))- The file content and file path
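# Reads the subject token material from the configured credential source file.
#
# The read itself is the existence check: a missing file surfaces as
# Errno::ENOENT from File.read and is mapped to CredentialsError. This avoids
# the separate exist?/read pair, where the path can change between the check
# and the read (check-then-act race) and one extra syscall is spent per call.
# Other I/O errors (permissions, a directory path, ...) propagate unchanged.
#
# @return [Array(String, String)] the file content (decoded as UTF-8) and the file path
# @raise [Google::Auth::CredentialsError] if the source file doesn't exist
def file_data
  content = File.read @credential_source_file, encoding: "utf-8"
  [content, @credential_source_file]
rescue Errno::ENOENT
  raise CredentialsError, "File #{@credential_source_file} was not found."
end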
def initialize options = {}
-
(Google::Auth::InitializationError)- If credential_source format is invalid, field_name is missing,
Options Hash:
(**options)-
:credential_source(Hash{Symbol => Object}) -- A hash containing either source file or url. -
:audience(String) -- The audience for the token
Parameters:
-
options(Hash) -- Configuration options
# Builds an Identity Pool credential from a configuration hash.
#
# Runs the shared base setup, then breaks `:credential_source` into its
# file / url / headers / format parts. Absent parts default to `{}` and an
# absent format type defaults to "text". The assembled state is validated
# before the constructor returns.
#
# @param options [Hash] configuration options
# @option options [String] :audience the audience for the token
# @option options [Hash{Symbol => Object}] :credential_source a hash containing
#   either a source file or url
# @raise [Google::Auth::InitializationError] if the credential source is
#   invalid (see #validate_credential_source)
def initialize options = {}
  base_setup options

  source = options[:credential_source] || {}
  format = source[:format] || {}

  @audience = options[:audience]
  @credential_source = source
  @credential_source_file = source[:file]
  @credential_source_url = source[:url]
  @credential_source_headers = source[:headers] || {}
  @credential_source_format = format
  @credential_source_format_type = format[:type] || "text"

  validate_credential_source
end
def retrieve_subject_token!
-
(Google::Auth::CredentialsError)- If the token can't be parsed from JSON or is missing
Returns:
-
(String)- The subject token
# Obtains the subject token from the configured file or url source.
#
# For the "text" format the raw content is the token. For any other format the
# content is parsed as JSON and the token is read from the configured
# `subject_token_field_name`. A parse failure or a lookup failure is reported
# as a CredentialsError that names the resource and the key; the underlying
# error is not included in the message.
#
# @return [String] the subject token
# @raise [Google::Auth::CredentialsError] if the token can't be parsed from
#   JSON or is missing
def retrieve_subject_token!
  content, resource_name = token_data

  token =
    if @credential_source_format_type == "text"
      content
    else
      begin
        parsed = MultiJson.load content, symbolize_keys: true
        parsed[@credential_source_field_name.to_sym]
      rescue StandardError
        raise CredentialsError,
              "Unable to parse subject_token from JSON resource #{resource_name} " \
              "using key #{@credential_source_field_name}"
      end
    end

  # A present-but-empty key (nil/false value) is treated the same as an absent one.
  raise CredentialsError, "Missing subject_token in the credential_source file/response." unless token

  token
end
def token_data
# Loads the raw credential material from whichever source is configured.
#
# A configured file wins; the url is consulted only when no file is set.
#
# @return [Array(String, String)] the content and the file path or url it came from
def token_data
  return url_data if @credential_source_file.nil?

  file_data
end
def url_data
-
(Google::Auth::CredentialsError)- If there's an error retrieving data from the URL
Returns:
-
(Array(String, String))- The response body and URL
# Fetches the subject token material from the configured credential url.
#
# The configured headers are merged into the request. Transport errors and
# non-success responses are both reported as CredentialsError; note that the
# non-success message embeds the response body, so it may carry whatever the
# remote endpoint returned.
#
# @return [Array(String, String)] the response body and the url
# @raise [Google::Auth::CredentialsError] if there's an error retrieving data from the url
def url_data
  response =
    begin
      connection.get @credential_source_url do |req|
        req.headers.merge! @credential_source_headers
      end
    rescue Faraday::Error => e
      raise CredentialsError, "Error retrieving from credential url: #{e}"
    end

  return [response.body, @credential_source_url] if response.success?

  raise CredentialsError, "Unable to retrieve Identity Pool subject token #{response.body}"
end
def validate_credential_source
-
(Google::Auth::InitializationError)- If credential_source format is invalid, field_name is missing,
# Checks the parsed credential_source for consistency.
#
# Rejects, in this order: an `environment_id` field (not supported for
# Identity Pool sources), a format type other than "json" or "text", a "json"
# format without a `subject_token_field_name`, and a source that names both or
# neither of `file` and `url`. As a side effect the JSON field name is stored
# in @credential_source_field_name for later lookups.
#
# @raise [Google::Auth::InitializationError] if credential_source format is
#   invalid, field_name is missing, or file/url are ambiguous or absent
def validate_credential_source
  # `environment_id` belongs to AWS / dedicated external account credentials.
  unless @credential_source[:environment_id].nil?
    raise InitializationError, "Invalid Identity Pool credential_source field 'environment_id'"
  end

  unless %w[json text].include? @credential_source_format_type
    raise InitializationError, "Invalid credential_source format #{@credential_source_format_type}"
  end

  # JSON sources must say which key holds the token.
  @credential_source_field_name = @credential_source_format[:subject_token_field_name]
  if @credential_source_format_type == "json" && @credential_source_field_name.nil?
    raise InitializationError, "Missing subject_token_field_name for JSON credential_source format"
  end

  # Exactly one of file / url must be given.
  file = @credential_source_file
  url = @credential_source_url
  if file && url
    raise InitializationError, "Ambiguous credential_source. 'file' is mutually exclusive with 'url'."
  end

  raise InitializationError, "Missing credential_source. A 'file' or 'url' must be provided." if (file || url).nil?
end