Class: Google::Auth::ServiceAccountCredentials

Inherits:

Signet::OAuth2::Client

• Object
• Signet::OAuth2::Client
• Google::Auth::ServiceAccountCredentials

Extended by:

CredentialsLoader

Defined in:

lib/googleauth/service_account.rb

Overview

Authenticates requests using Google’s Service Account credentials via an OAuth access token.

This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via ‘Generate new Json Key’).

cf [Application Default Credentials](goo.gl/mkAHpZ)

Constant Summary

TOKEN_CRED_URI =

'https://www.googleapis.com/oauth2/v3/token'

Constants included from CredentialsLoader

CredentialsLoader::ENV_VAR, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Class Method Summary

• .read_json_key(json_key_io) ⇒ Object

  Reads the private key and client email fields from the service account JSON key.

Instance Method Summary

• #apply!(a_hash, opts = {}) ⇒ Object

  Extends the base class.

• #initialize(json_key_io, scope = nil) ⇒ ServiceAccountCredentials constructor

  Initializes a ServiceAccountCredentials.

Methods included from CredentialsLoader

from_env, from_well_known_path, make_creds, windows?

Methods inherited from Signet::OAuth2::Client

#apply, #updater_proc

Constructor Details

#initialize(json_key_io, scope = nil) ⇒ ServiceAccountCredentials

Initializes a ServiceAccountCredentials.

Parameters:

• json_key_io (IO) —

  an IO from which the JSON key can be read

• scope (string|array|nil) (defaults to: nil) —

  the scope(s) to access

# File 'lib/googleauth/service_account.rb', line 65

def initialize(json_key_io, scope = nil)
  private_key, client_email = self.class.read_json_key(json_key_io)
  super(token_credential_uri: TOKEN_CRED_URI,
        audience: TOKEN_CRED_URI,
        scope: scope,
        issuer: client_email,
        signing_key: OpenSSL::PKey::RSA.new(private_key))
end

Class Method Details

.read_json_key(json_key_io) ⇒ Object

Reads the private key and client email fields from the service account JSON key.

# File 'lib/googleauth/service_account.rb', line 54

def self.read_json_key(json_key_io)
  json_key = MultiJson.load(json_key_io.read)
  fail 'missing client_email' unless json_key.key?('client_email')
  fail 'missing private_key' unless json_key.key?('private_key')
  [json_key['private_key'], json_key['client_email']]
end

Instance Method Details

#apply!(a_hash, opts = {}) ⇒ Object

Extends the base class.

If scope(s) is not set, it creates a transient ServiceAccountJwtHeaderCredentials instance and uses that to authenticate instead.

# File 'lib/googleauth/service_account.rb', line 79

def apply!(a_hash, opts = {})
  # Use the base implementation if scopes are set
  unless scope.nil?
    super
    return
  end

  # Use the ServiceAccountJwtHeaderCredentials using the same cred values
  # if no scopes are set.
  cred_json = {
    private_key: @signing_key.to_s,
    client_email: @issuer
  }
  alt_clz = ServiceAccountJwtHeaderCredentials
  alt = alt_clz.new(StringIO.new(MultiJson.dump(cred_json)))
  alt.apply!(a_hash)
end