Module: Google::Auth::Extras

Extended by:
Extras
Included in:
Extras
Defined in:
lib/google/auth/extras.rb,
lib/google/auth/extras/version.rb,
lib/google/auth/extras/token_info.rb,
lib/google/auth/extras/static_credential.rb,
lib/google/auth/extras/impersonated_credential.rb,
lib/google/auth/extras/service_account_jwt_credential.rb,
lib/google/auth/extras/identity_credential_refresh_patch.rb

Overview

This module provides some extra features not supported in the normal googleauth gem.

Defined Under Namespace

Modules: IdentityCredentialRefreshPatch, TokenInfo Classes: ImpersonatedCredential, RefreshNotSupported, ServiceAccountJWTCredential, StaticCredential

Constant Summary collapse

VERSION = 
'0.5.0'

Instance Method Summary collapse

Instance Method Details

#impersonated_authorization(email_address:, base_credentials: nil, delegate_email_addresses: nil, include_email: nil, lifetime: nil, quota_project_id: nil, scope: nil, target_audience: nil) ⇒ Google::Auth::Extras::ImpersonatedCredential

A credential that impersonates a service account. For usage with the older style GCP Ruby SDKs from the google-apis-* gems.

The ‘email_address` of the service account to impersonate may be the exact same as the one represented in `base_credentials` for any desired situation but a handy usage is for going from and access token to an ID token (aka using `target_audience`).

Parameters:

  • base_credentials (Hash, String, Signet::OAuth2::Client) (defaults to: nil)

    Credentials to use to impersonate the provided email address.

  • delegate_email_addresses (String, Array<String>) (defaults to: nil)

    The list of email address if there are intermediate service accounts that need to be impersonated using delegation.

  • email_address (String)

    Email of the service account to impersonate.

  • include_email (Boolean) (defaults to: nil)

    Include the service account email in the token. If set to true, the token will contain email and email_verified claims. Only supported when using a target_audience.

  • lifetime (String) (defaults to: nil)

    The desired lifetime (in seconds) of the token before needing to be refreshed. Defaults to 1h, adjust as needed given a refresh is automatically performed when the token less than 60s of remaining life and refresh requires an additional API call. Only supported when not using a target_audience.

  • quota_project_id (String) (defaults to: nil)

    The project ID used for quota and billing. This project may be different from the project used to create the credentials.

  • scope (String, Array<String>) (defaults to: nil)

    The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array. Only supported when not using a target_audience.

Returns:

See Also:



69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
 
# File 'lib/google/auth/extras.rb', line 69

def impersonated_authorization(
  email_address:,
  base_credentials: nil,
  delegate_email_addresses: nil,
  include_email: nil,
  lifetime: nil,
  quota_project_id: nil,
  scope: nil,
  target_audience: nil
)
  ImpersonatedCredential.new(
    base_credentials: base_credentials,
    delegate_email_addresses: delegate_email_addresses,
    email_address: email_address,
    include_email: include_email,
    lifetime: lifetime,
    quota_project_id: quota_project_id,
    scope: scope,
    target_audience: target_audience,
  )
end

#impersonated_credential(email_address:, base_credentials: nil, delegate_email_addresses: nil, include_email: nil, lifetime: nil, quota_project_id: nil, scope: nil, target_audience: nil) ⇒ Google::Auth::Credential<Google::Auth::Extras::ImpersonatedCredential>

A credential that impersonates a service account. For usage with the newer style GCP Ruby SDKs from the google-cloud-* gems.

Parameters:

  • base_credentials (Hash, String, Signet::OAuth2::Client) (defaults to: nil)

    Credentials to use to impersonate the provided email address.

  • delegate_email_addresses (String, Array<String>) (defaults to: nil)

    The list of email address if there are intermediate service accounts that need to be impersonated using delegation.

  • email_address (String)

    Email of the service account to impersonate.

  • include_email (Boolean) (defaults to: nil)

    Include the service account email in the token. If set to true, the token will contain email and email_verified claims. Only supported when using a target_audience.

  • lifetime (String) (defaults to: nil)

    The desired lifetime (in seconds) of the token before needing to be refreshed. Defaults to 1h, adjust as needed given a refresh is automatically performed when the token less than 60s of remaining life and refresh requires an additional API call. Only supported when not using a target_audience.

  • quota_project_id (String) (defaults to: nil)

    The project ID used for quota and billing. This project may be different from the project used to create the credentials.

  • scope (String, Array<String>) (defaults to: nil)

    The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array. Only supported when not using a target_audience.

Returns:

See Also:



131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
 
# File 'lib/google/auth/extras.rb', line 131

def impersonated_credential(
  email_address:,
  base_credentials: nil,
  delegate_email_addresses: nil,
  include_email: nil,
  lifetime: nil,
  quota_project_id: nil,
  scope: nil,
  target_audience: nil
)
  wrap_authorization(
    impersonated_authorization(
      base_credentials: base_credentials,
      delegate_email_addresses: delegate_email_addresses,
      email_address: email_address,
      include_email: include_email,
      lifetime: lifetime,
      quota_project_id: quota_project_id,
      scope: scope,
      target_audience: target_audience,
    ),
  )
end

#service_account_jwt_authorization(email_address:, target_audience:, base_credentials: nil, delegate_email_addresses: nil, issuer: nil, lifetime: 3600, subject: nil) ⇒ Google::Auth::Extras::ServiceAccountJWTCredential

A credential that obtains a signed JWT from Google for a service account. For usage with the older style GCP Ruby SDKs from the google-apis-* gems. Also useful for calling IAP-protected endpoints using the Google-managed OAuth client.

Parameters:

  • base_credentials (Hash, String, Signet::OAuth2::Client) (defaults to: nil)

    Credentials to use to sign the JWTs.

  • delegate_email_addresses (String, Array<String>) (defaults to: nil)

    The email addresses (if any) of intermediate service accounts to reach the email_address from base_credentials.

  • email_address (String)

    Email of the service account to sign the JWT.

  • issuer (String) (defaults to: nil)

    The desired value of the iss field on the issued JWT. Defaults to the email_address.

  • lifetime (Integers) (defaults to: 3600)

    The desired lifetime (in seconds) of the JWT before needing to be refreshed. Defaults to 3600 (1h), adjust as needed given a refresh is automatically performed when the token less than 60s of remaining life and refresh requires an additional API call.

  • subject (String) (defaults to: nil)

    The desired value of the sub field on the issued JWT. Defaults to the email_address.

  • target_audience (String)

    The audience for the token, such as the API or account that this token grants access to.

Returns:

See Also:



190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
 
# File 'lib/google/auth/extras.rb', line 190

def (
  email_address:,
  target_audience:,
  base_credentials: nil,
  delegate_email_addresses: nil,
  issuer: nil,
  lifetime: 3600,
  subject: nil
)
  ServiceAccountJWTCredential.new(
    base_credentials: base_credentials,
    delegate_email_addresses: delegate_email_addresses,
    email_address: email_address,
    issuer: issuer,
    lifetime: lifetime,
    subject: subject,
    target_audience: target_audience,
  )
end

#service_account_jwt_credential(email_address:, target_audience:, base_credentials: nil, delegate_email_addresses: nil, issuer: nil, lifetime: 3600, subject: nil) ⇒ Google::Auth::Extras::ServiceAccountJWTCredential

A credential that obtains a signed JWT from Google for a service account. For usage with the newer style GCP Ruby SDKs from the google-cloud-* gems.

Parameters:

  • base_credentials (Hash, String, Signet::OAuth2::Client) (defaults to: nil)

    Credentials to use to sign the JWTs.

  • delegate_email_addresses (String, Array<String>) (defaults to: nil)

    The email addresses (if any) of intermediate service accounts to reach the email_address from base_credentials.

  • email_address (String)

    Email of the service account to sign the JWT.

  • issuer (String) (defaults to: nil)

    The desired value of the iss field on the issued JWT. Defaults to the email_address.

  • lifetime (Integers) (defaults to: 3600)

    The desired lifetime (in seconds) of the JWT before needing to be refreshed. Defaults to 3600 (1h), adjust as needed given a refresh is automatically performed when the token less than 60s of remaining life and refresh requires an additional API call.

  • subject (String) (defaults to: nil)

    The desired value of the sub field on the issued JWT. Defaults to the email_address.

  • target_audience (String)

    The audience for the token, such as the API or account that this token grants access to.

Returns:

See Also:



243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
 
# File 'lib/google/auth/extras.rb', line 243

def (
  email_address:,
  target_audience:,
  base_credentials: nil,
  delegate_email_addresses: nil,
  issuer: nil,
  lifetime: 3600,
  subject: nil
)
  wrap_authorization(
    (
      base_credentials: base_credentials,
      delegate_email_addresses: delegate_email_addresses,
      email_address: email_address,
      issuer: issuer,
      lifetime: lifetime,
      subject: subject,
      target_audience: target_audience,
    ),
  )
end

#static_authorization(token, quota_project_id: nil) ⇒ Google::Auth::Extras::StaticCredential

A credential using a static access token. For usage with the older style GCP Ruby SDKs from the google-apis-* gems.

Parameters:

  • token (String)

    The access token to use.

  • quota_project_id (String) (defaults to: nil)

    The project ID used for quota and billing. This project may be different from the project used to create the credentials.

Returns:



278
279
280
 
# File 'lib/google/auth/extras.rb', line 278

def static_authorization(token, quota_project_id: nil)
  StaticCredential.new(access_token: token, quota_project_id: quota_project_id)
end

#static_credential(token, quota_project_id: nil) ⇒ Google::Auth::Credential<Google::Auth::Extras::StaticCredential>

A credential using a static access token. For usage with the newer style GCP Ruby SDKs from the google-cloud-* gems.

Parameters:

  • token (String)

    The access token to use.

  • quota_project_id (String) (defaults to: nil)

    The project ID used for quota and billing. This project may be different from the project used to create the credentials.

Returns:



294
295
296
 
# File 'lib/google/auth/extras.rb', line 294

def static_credential(token, quota_project_id: nil)
  wrap_authorization(static_authorization(token, quota_project_id: quota_project_id))
end

#wrap_authorization(client) ⇒ Google::Auth::Credential

Take an authorization and turn it into a credential, primarily used for setting up both the old and new style SDKs.

Parameters:

  • client (Signet::OAuth2::Client)

    Authorization credential to wrap.

Returns:

  • (Google::Auth::Credential) 


306
307
308
 
# File 'lib/google/auth/extras.rb', line 306

def wrap_authorization(client)
  ::Google::Auth::Credentials.new(client)
end