class Google::Auth::ServiceAccountJwtHeaderCredentials
Authenticates requests using Google’s Service Account credentials via
JWT Header.

This class allows authorizing requests for service accounts directly
from credentials from a json key file downloaded from the developer
console (via ‘Generate new Json Key’). It is not part of any OAuth2
flow, rather it creates a JWT and sends that as a credential.

cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
def self.make_creds options = {}
- json_key_io(IO) -- an IO from which the JSON key can be read
- scope(string|array|nil) -- the scope(s) to access
# Builds a credentials object from an options hash.
#
# Only the :json_key_io and :scope entries of +options+ are read (an absent
# entry comes through as nil) and exactly those two are forwarded to +new+;
# every other key in +options+ is ignored.
#
# @param options [Hash] may hold :json_key_io (an IO the JSON key can be
#   read from) and :scope (string, array or nil)
# @return whatever +new+ builds from the two forwarded values
def self.make_creds options = {}
  new json_key_io: options[:json_key_io], scope: options[:scope]
end
def apply a_hash, opts = {}
# Non-mutating counterpart of #apply!.
#
# Works on a shallow copy (+clone+) of +a_hash+: the caller's hash keeps its
# own entries while the copy receives whatever #apply! adds or removes.
#
# @param a_hash [Hash] request metadata to decorate
# @param opts [Hash] handed through unchanged to #apply!
# @return the decorated copy (not the return value of #apply!)
def apply a_hash, opts = {}
  a_hash.clone.tap { |decorated| apply! decorated, opts }
end
def apply! a_hash, opts = {}
Construct a jwt token if the JWT_AUD_URI key is present in the input
hash.
# Adds a bearer JWT to +a_hash+ in place.
#
# The JWT_AUD_URI_KEY entry is always removed from +a_hash+. A token is
# built when that entry was present or when a scope was configured on this
# object; with neither, the hash is returned without an auth entry.
#
# The value stored under AUTH_METADATA_KEY is a bearer credential: anyone
# holding the string can present it, so it should not be logged or echoed.
#
# @param a_hash [Hash] request metadata, modified in place
# @param opts [Hash] handed through to #new_jwt_token
# @return [Hash] the same +a_hash+ object
def apply! a_hash, opts = {}
  audience = a_hash.delete JWT_AUD_URI_KEY
  # Nothing to sign for: no audience was supplied and no scope is set.
  return a_hash if [audience, @scope].all?(&:nil?)

  signed = new_jwt_token audience, opts
  a_hash.store AUTH_METADATA_KEY, "Bearer #{signed}"
  a_hash
end
def initialize options = {}
- json_key_io(IO) -- an IO from which the JSON key can be read
# Sets up the signing material for this credential.
#
# With :json_key_io present, the private key, issuer, project id, quota
# project id and universe domain all come from read_json_key. Otherwise the
# private key, issuer and project id are taken from the environment
# variables named by the CredentialsLoader constants, and the other two
# start out nil. The universe domain then falls back to "googleapis.com"
# and the project id to CredentialsLoader.load_gcloud_project_id.
#
# @param options [Hash] may hold :json_key_io (an IO the JSON key can be
#   read from) and :scope (stored as given)
def initialize options = {}
  key_source = options[:json_key_io]
  if key_source
    @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
      self.class.read_json_key key_source
  else
    @private_key, @issuer, @project_id = ENV.values_at(
      CredentialsLoader::PRIVATE_KEY_VAR,
      CredentialsLoader::CLIENT_EMAIL_VAR,
      CredentialsLoader::PROJECT_ID_VAR
    )
    @quota_project_id = @universe_domain = nil
  end
  @universe_domain ||= "googleapis.com"
  @project_id ||= CredentialsLoader.load_gcloud_project_id
  # The raw key text stays in @private_key next to the parsed key, so an
  # instance of this class is secret material: keep it out of logs and dumps.
  # NOTE(review): no check for a missing key is visible here; presumably a
  # nil @private_key makes OpenSSL raise — confirm the resulting error.
  @signing_key = OpenSSL::PKey::RSA.new @private_key
  @scope = options[:scope]
end
def needs_access_token?
# Reports whether an access token has to be obtained before requests can be
# authorized. Always false for this class.
#
# @return [Boolean] false
def needs_access_token?
  false
end
def new_jwt_token jwt_aud_uri = nil, options = {}
# Creates a JWT signed with this object's signing key.
#
# Claims: "iss" and "sub" are both the issuer; "exp" is the current time plus
# EXPIRY; "iat" is the current time minus the skew (options[:skew], 60 when
# not given) — presumably backdated to tolerate clock drift between this
# host and the verifier. When a scope is configured the token carries a
# space-joined "scope" claim and the audience is dropped; otherwise "aud" is
# set when +jwt_aud_uri+ is given.
#
# The result is a bearer credential usable by whoever holds it until it
# expires, so it should be treated like a password.
#
# @param jwt_aud_uri [String, nil] audience, ignored when a scope is set
# @param options [Hash] :skew overrides the default of 60
# @return the value returned by JWT.encode
def new_jwt_token jwt_aud_uri = nil, options = {}
  issued_at = Time.new
  backdate = options[:skew] || 60
  claims = {
    "iss" => @issuer,
    "sub" => @issuer,
    "exp" => (issued_at + EXPIRY).to_i,
    "iat" => (issued_at - backdate).to_i
  }
  if @scope
    # A scoped token never carries an audience.
    claims["scope"] = Array(@scope).join " "
  elsif jwt_aud_uri
    claims["aud"] = jwt_aud_uri
  end
  JWT.encode claims, @signing_key, SIGNING_ALGORITHM
end
def updater_proc
Returns a reference to the #apply method, suitable for passing as a closure.
# Wraps #apply in a proc so it can be handed around as a callable.
#
# The proc takes the metadata hash plus an optional options hash (default
# {}) and returns whatever #apply returns for them.
#
# @return [Proc]
def updater_proc
  proc do |metadata, call_opts = {}|
    apply metadata, call_opts
  end
end