Class: Google::Auth::Extras::ServiceAccountJWTCredential

Inherits:
Signet::OAuth2::Client
  • Object
Includes:
IdentityCredentialRefreshPatch
Defined in:
lib/google/auth/extras/service_account_jwt_credential.rb

Overview

This credential issues JWTs signed by a service account.

Instance Method Summary

Methods included from IdentityCredentialRefreshPatch

#update_token!

Constructor Details

#initialize(email_address:, target_audience:, base_credentials: nil, delegate_email_addresses: nil, issuer: nil, lifetime: 3600, subject: nil) ⇒ ServiceAccountJWTCredential

A credential that obtains a signed JWT from Google for a service account.



# File 'lib/google/auth/extras/service_account_jwt_credential.rb', line 40

# Builds a credential whose tokens are JWTs signed on behalf of a service account.
#
# The issuer and subject claims are caller-supplied and end up in the signed
# payload, so they should come from trusted configuration, never from request
# input. Nothing here validates `lifetime`; it is stored as given.
#
# @param email_address [String] service account whose key signs the JWT; also
#   the fallback for `issuer` and `subject`
# @param target_audience [String] passed to the parent client as both
#   `client_id` and `target_audience`
# @param base_credentials [Object, nil] when given, set as the authorization
#   of the IAM Credentials service; when nil the service is left as constructed
# @param delegate_email_addresses [String, Array<String>, nil] optional
#   delegation chain; nil becomes an empty list
# @param issuer [String, nil] `iss` claim, defaults to `email_address`
# @param lifetime [Integer] offset added to the issue time to compute `exp`
#   (seconds, since the issue time is an epoch-seconds integer)
# @param subject [String, nil] `sub` claim, defaults to `email_address`
def initialize(
  email_address:,
  target_audience:,
  base_credentials: nil,
  delegate_email_addresses: nil,
  issuer: nil,
  lifetime: 3600,
  subject: nil
)
  super(client_id: target_audience, target_audience: target_audience)

  iam_service = Google::Apis::IamcredentialsV1::IAMCredentialsService.new
  # Only override the service's authorization when the caller supplied one.
  iam_service.authorization = base_credentials if base_credentials
  @iam_credentials_service = iam_service

  # Claims fall back to the service account's own address.
  @jwt_issuer = issuer || email_address
  @jwt_lifetime = lifetime
  @jwt_subject = subject || email_address

  # transform_email_to_name is defined outside this listing; presumably it
  # yields the IAM resource name for the address (confirm against the helper).
  @sa_delegates = Array(delegate_email_addresses).map { |delegate| transform_email_to_name(delegate) }
  @sa_name = transform_email_to_name(email_address)
end

Instance Method Details

#fetch_access_token ⇒ Object



# File 'lib/google/auth/extras/service_account_jwt_credential.rb', line 66

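# Asks the IAM Credentials API to sign a fresh JWT as the configured service
# account and returns it in the hash shape the token-refresh code consumes.
#
# Any arguments are accepted and ignored. The returned token is a signed
# credential; treat it as a secret and keep it out of logs (#inspect on this
# class already redacts it).
#
# NOTE(review): the signJwt documentation caps `exp` at 12 hours ahead, and
# nothing here bounds @jwt_lifetime. Confirm the limit and consider
# validating the lifetime at construction.
#
# @return [Hash{Symbol => String}] `{ id_token: <signed JWT> }`
def fetch_access_token(*)
  issued_at = Time.now.to_i

  # Claim set signed by the service account; exp is iat plus the lifetime.
  claims = {
    aud: target_audience,
    exp: issued_at + @jwt_lifetime,
    iat: issued_at,
    iss: @jwt_issuer,
    sub: @jwt_subject,
  }

  request = Google::Apis::IamcredentialsV1::SignJwtRequest.new(
    payload: JSON.dump(claims),
  )

  # The Google SDK doesn't like nil repeated values, but be careful with others as well.
  request.delegates = @sa_delegates unless @sa_delegates.empty?

  # The listing showed a bare `.(...)` here, which Ruby parses as `#call`.
  # The generated client exposes the signJwt RPC as sign_service_account_jwt.
  response = @iam_credentials_service.sign_service_account_jwt(@sa_name, request)

  {
    id_token: response.signed_jwt,
  }
end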

#inspect ⇒ Object



# File 'lib/google/auth/extras/service_account_jwt_credential.rb', line 89

# Renders a debugging summary of the credential without leaking the token.
#
# The signed JWT held in @id_token is never printed: it appears as
# `[REDACTED]` when present and `nil` otherwise. Every other field is shown
# through its own #inspect.
#
# @return [String]
def inspect
  fields = [
    "@expires_at=#{expires_at.inspect}",
    # Presence only; the token value itself must not reach logs.
    "@id_token=#{@id_token ? '[REDACTED]' : 'nil'}",
    "@jwt_issuer=#{@jwt_issuer.inspect}",
    "@jwt_lifetime=#{@jwt_lifetime.inspect}",
    "@jwt_subject=#{@jwt_subject.inspect}",
    "@sa_delegates=#{@sa_delegates.inspect}",
    "@sa_name=#{@sa_name.inspect}",
    "@target_audience=#{@target_audience.inspect}",
  ]

  "#<#{self.class.name} #{fields.join(' ')}>"
end