Class: Google::Auth::ServiceAccountJwtHeaderCredentials

Inherits:
Object
Extended by:
CredentialsLoader, JsonKeyReader
Defined in:
lib/googleauth/service_account.rb

Overview

Authenticates requests using Google’s Service Account credentials via JWT Header.

This class authorizes requests for a service account directly from the credentials in a JSON key file downloaded from the developer console (via ‘Generate new Json Key’). It is not part of any OAuth2 flow; instead, it creates a JWT and sends that as the credential.

cf. [Application Default Credentials](https://cloud.google.com/docs/authentication/production)

Constant Summary

JWT_AUD_URI_KEY = :jwt_aud_uri
AUTH_METADATA_KEY = Signet::OAuth2::AUTH_METADATA_KEY
TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
SIGNING_ALGORITHM = "RS256".freeze
EXPIRY = 60

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CLOUD_SDK_CREDENTIALS_WARNING, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds, warn_if_cloud_sdk_credentials

Methods included from JsonKeyReader

read_json_key

Constructor Details

#initialize(options = {}) ⇒ ServiceAccountJwtHeaderCredentials

Initializes a ServiceAccountJwtHeaderCredentials.

Parameters:

  • json_key_io (IO)

    an IO from which the JSON key can be read



# File 'lib/googleauth/service_account.rb', line 169

def initialize options = {}
  json_key_io = options[:json_key_io]
  if json_key_io
    @private_key, @issuer, @project_id, @quota_project_id =
      self.class.read_json_key json_key_io
  else
    @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
    @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
    @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
    @quota_project_id = nil
  end
  @project_id ||= CredentialsLoader.load_gcloud_project_id
  @signing_key = OpenSSL::PKey::RSA.new @private_key
end

Instance Attribute Details

#project_id ⇒ Object (readonly)

Returns the value of attribute project_id.



# File 'lib/googleauth/service_account.rb', line 152

def project_id
  @project_id
end

#quota_project_id ⇒ Object (readonly)

Returns the value of attribute quota_project_id.



# File 'lib/googleauth/service_account.rb', line 153

def quota_project_id
  @quota_project_id
end

Class Method Details

.make_creds(*args) ⇒ Object

make_creds proxies the construction of a credentials instance.

make_creds is used by the methods in CredentialsLoader.

By default, it calls #new with 2 args, the second one being an optional scope. Here the constructor only has one param, so we modify make_creds to reflect this.



# File 'lib/googleauth/service_account.rb', line 162

def self.make_creds *args
  new json_key_io: args[0][:json_key_io]
end

Instance Method Details

#apply(a_hash, opts = {}) ⇒ Object

Returns a clone of a_hash updated with the authorization header.



# File 'lib/googleauth/service_account.rb', line 197

def apply a_hash, opts = {}
  a_copy = a_hash.clone
  apply! a_copy, opts
  a_copy
end

#apply!(a_hash, opts = {}) ⇒ Object

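Constructs a JWT if the JWT_AUD_URI_KEY key is present in the input hash. The key is removed from the hash, and a hash without it is returned unchanged.

The JWT is stored under AUTH_METADATA_KEY as the value ‘Bearer <token>’.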



# File 'lib/googleauth/service_account.rb', line 188

def apply! a_hash, opts = {}
  jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
  return a_hash if jwt_aud_uri.nil?
  jwt_token = new_jwt_token jwt_aud_uri, opts
  a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
  a_hash
end
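
The following is an added example, not code from the googleauth library: it mirrors the shape of #apply! with the standard library only and shows the check a receiving service would run on the resulting Bearer value (pinned RS256, signature, audience, lifetime within EXPIRY). The helper names, the claim set (iss, sub, aud, iat, exp) and the :authorization key standing in for AUTH_METADATA_KEY are assumptions; new_jwt_token itself is not shown on this page.

```ruby
require "openssl"
require "json"
EXPIRY = 60 # seconds, same value as the EXPIRY constant on this page

def b64url(data)
  [data].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  str.tr("-_", "+/").unpack1("m")
end

# Hypothetical stand-in for the minting step; the claim set is an assumption.
def mint_jwt(signing_key, issuer, aud, now = Time.now.to_i)
  header = { "alg" => "RS256", "typ" => "JWT" }
  claims = { "iss" => issuer, "sub" => issuer, "aud" => aud,
             "iat" => now, "exp" => now + EXPIRY }
  signing_input = "#{b64url(header.to_json)}.#{b64url(claims.to_json)}"
  sig = signing_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Same shape as apply!: consume :jwt_aud_uri, then add the Bearer value.
def apply_jwt_header!(a_hash, signing_key, issuer, now = Time.now.to_i)
  aud = a_hash.delete(:jwt_aud_uri)
  return a_hash if aud.nil?
  a_hash[:authorization] = "Bearer #{mint_jwt(signing_key, issuer, aud, now)}"
  a_hash
end

# Receiver-side check: pinned alg, valid signature, expected aud, short life.
def verify_bearer(value, public_key, expected_aud, now = Time.now.to_i)
  scheme, token = value.to_s.split(" ", 2)
  h64, c64, s64 = token.to_s.split(".")
  return :malformed unless scheme == "Bearer" && h64 && c64 && s64
  return :bad_alg unless JSON.parse(b64url_decode(h64))["alg"] == "RS256"
  digest = OpenSSL::Digest.new("SHA256")
  ok = public_key.verify(digest, b64url_decode(s64), "#{h64}.#{c64}")
  return :bad_signature unless ok
  claims = JSON.parse(b64url_decode(c64))
  return :wrong_audience unless claims["aud"] == expected_aud
  return :expired unless now < claims["exp"]
  return :lifetime_too_long if claims["exp"] - claims["iat"] > EXPIRY
  :ok
rescue StandardError # fail closed on any parse or type error
  :malformed
end
key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key, not a real credential
hdr = apply_jwt_header!({ jwt_aud_uri: "https://svc.example/" }, key, "sa@example.invalid")
puts verify_bearer(hdr[:authorization], key.public_key, "https://svc.example/")
```

Because the token is bound to one audience and expires after EXPIRY seconds, a captured header is only replayable against the same service within that window.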

#updater_proc ⇒ Object

Returns a reference to the #apply method, suitable for passing as a closure



# File 'lib/googleauth/service_account.rb', line 205

def updater_proc
  proc { |a_hash, opts = {}| apply a_hash, opts }
end