Class: Google::Auth::ServiceAccountCredentials

Inherits:

Signet::OAuth2::Client

• Object
• Signet::OAuth2::Client
• Google::Auth::ServiceAccountCredentials

Extended by:

CredentialsLoader

Defined in:

lib/googleauth/service_account.rb

Overview

Authenticates requests using Google’s Service Account credentials via an OAuth access token.

This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via ‘Generate new Json Key’).

cf [Application Default Credentials](goo.gl/mkAHpZ)

Constant Summary

TOKEN_CRED_URI =

'https://www.googleapis.com/oauth2/v3/token'

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Class Method Summary

• .make_creds(options = {}) ⇒ Object

  Creates a ServiceAccountCredentials.

• .read_json_key(json_key_io) ⇒ Object

  Reads the private key and client email fields from the service account JSON key.

Instance Method Summary

• #apply!(a_hash, opts = {}) ⇒ Object

  Extends the base class.

• #initialize(options = {}) ⇒ ServiceAccountCredentials constructor

  A new instance of ServiceAccountCredentials.

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, make_creds, windows?

Methods inherited from Signet::OAuth2::Client

#apply, #fetch_access_token!, #notify_refresh_listeners, #on_refresh, #orig_fetch_access_token!, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ ServiceAccountCredentials

Returns a new instance of ServiceAccountCredentials.

# File 'lib/googleauth/service_account.rb', line 81

def initialize(options = {})
  super(options)
end

Class Method Details

.make_creds(options = {}) ⇒ Object

Creates a ServiceAccountCredentials.

Parameters:

• json_key_io (IO) —

  an IO from which the JSON key can be read

• scope (string|array|nil) —

  the scope(s) to access

# File 'lib/googleauth/service_account.rb', line 56

def self.make_creds(options = {})
  json_key_io, scope = options.values_at(:json_key_io, :scope)
  if json_key_io
    private_key, client_email = read_json_key(json_key_io)
  else
    private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
    client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
  end

  new(token_credential_uri: TOKEN_CRED_URI,
      audience: TOKEN_CRED_URI,
      scope: scope,
      issuer: client_email,
      signing_key: OpenSSL::PKey::RSA.new(private_key))
end

.read_json_key(json_key_io) ⇒ Object

Reads the private key and client email fields from the service account JSON key.

# File 'lib/googleauth/service_account.rb', line 74

def self.read_json_key(json_key_io)
  json_key = MultiJson.load(json_key_io.read)
  fail 'missing client_email' unless json_key.key?('client_email')
  fail 'missing private_key' unless json_key.key?('private_key')
  [json_key['private_key'], json_key['client_email']]
end

Instance Method Details

#apply!(a_hash, opts = {}) ⇒ Object

Extends the base class.

If scope(s) is not set, it creates a transient ServiceAccountJwtHeaderCredentials instance and uses that to authenticate instead.

# File 'lib/googleauth/service_account.rb', line 90

def apply!(a_hash, opts = {})
  # Use the base implementation if scopes are set
  unless scope.nil?
    super
    return
  end

  # Use the ServiceAccountJwtHeaderCredentials using the same cred values
  # if no scopes are set.
  cred_json = {
    private_key: @signing_key.to_s,
    client_email: @issuer
  }
  alt_clz = ServiceAccountJwtHeaderCredentials
  key_io = StringIO.new(MultiJson.dump(cred_json))
  alt = alt_clz.make_creds(json_key_io: key_io)
  alt.apply!(a_hash)
end