class Google::Auth::ServiceAccountJwtHeaderCredentials
cf [Application Default Credentials](cloud.google.com/docs/authentication/production)
flow, rather it creates a JWT and sends that as a credential.
console (via ‘Generate new Json Key’). It is not part of any OAuth2
from credentials from a json key file downloaded from the developer
This class allows authorizing requests for service accounts directly
JWT Header.
Authenticates requests using Google’s Service Account credentials via
def self.make_creds options = {}
-
scope(string|array|nil) -- the scope(s) to access -
json_key_io(IO) -- An IO object containing the JSON key
def self.make_creds options = {} json_key_io, scope = options.values_at :json_key_io, :scope new json_key_io: json_key_io, scope: scope end
def apply a_hash, opts = {}
def apply a_hash, opts = {} a_copy = a_hash.clone apply! a_copy, opts a_copy end
def apply! a_hash, opts = {}
hash.
Construct a jwt token if the JWT_AUD_URI key is present in the input
def apply! a_hash, opts = {} jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY return a_hash if jwt_aud_uri.nil? && @scope.nil? jwt_token = new_jwt_token jwt_aud_uri, opts a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}" logger&.debug do hash = Digest::SHA256.hexdigest jwt_token Google::Logging::Message.from message: "Sending JWT auth token. (sha256:#{hash})" end a_hash end
def deep_hash_normalize old_hash
def deep_hash_normalize old_hash sym_hash = {} old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v } sym_hash end
def duplicate options = {}
-
options(Hash) -- Overrides for the credentials parameters.
def duplicate options = {} options = deep_hash_normalize options options = { private_key: @private_key, issuer: @issuer, scope: @scope, project_id: project_id, quota_project_id: quota_project_id, universe_domain: universe_domain, logger: logger }.merge(options) self.class.new options end
def initialize options = {}
-
json_key_io(IO) -- An IO object containing the JSON key
def initialize options = {} json_key_io = options[:json_key_io] if json_key_io @private_key, @issuer, @project_id, @quota_project_id, @universe_domain = self.class.read_json_key json_key_io else @private_key = options.key?(:private_key) ? options[:private_key] : ENV[CredentialsLoader::PRIVATE_KEY_VAR] @issuer = options.key?(:issuer) ? options[:issuer] : ENV[CredentialsLoader::CLIENT_EMAIL_VAR] @project_id = options.key?(:project_id) ? options[:project_id] : ENV[CredentialsLoader::PROJECT_ID_VAR] @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id @universe_domain = options[:universe_domain] if options.key? :universe_domain end @universe_domain ||= "googleapis.com" @project_id ||= CredentialsLoader.load_gcloud_project_id @signing_key = OpenSSL::PKey::RSA.new @private_key @scope = options[:scope] if options.key? :scope @logger = options[:logger] if options.key? :logger end
def needs_access_token?
def needs_access_token? false end
def new_jwt_token jwt_aud_uri = nil, options = {}
def new_jwt_token jwt_aud_uri = nil, options = {} now = Time.new skew = options[:skew] || 60 assertion = { "iss" => @issuer, "sub" => @issuer, "exp" => (now + EXPIRY).to_i, "iat" => (now - skew).to_i } jwt_aud_uri = nil if @scope assertion["scope"] = Array(@scope).join " " if @scope assertion["aud"] = jwt_aud_uri if jwt_aud_uri logger&.debug do Google::Logging::Message.from message: "JWT assertion: #{assertion}" end JWT.encode assertion, @signing_key, SIGNING_ALGORITHM end
def principal
-
(String)- the email address of the service account
Other tags:
- Private: -
def principal @issuer end
def recursive_hash_normalize_keys val
def recursive_hash_normalize_keys val if val.is_a? Hash deep_hash_normalize val else val end end
def updater_proc
Returns a reference to the #apply method, suitable for passing as
def updater_proc proc { |a_hash, opts = {}| apply a_hash, opts } end