Class: Google::Auth::ServiceAccountCredentials

Inherits:
Signet::OAuth2::Client show all
Extended by:
CredentialsLoader, JsonKeyReader
Defined in:
lib/googleauth/service_account.rb

Overview

Authenticates requests using Google's Service Account credentials via an OAuth access token.

This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via 'Generate new Json Key').

cf [Application Default Credentials](goo.gl/mkAHpZ)

Constant Summary collapse

TOKEN_CRED_URI =
'https://www.googleapis.com/oauth2/v4/token'.freeze

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CLOUD_SDK_CREDENTIALS_WARNING, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Class Method Summary collapse

Instance Method Summary collapse

Methods included from JsonKeyReader

read_json_key

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, make_creds, warn_if_cloud_sdk_credentials

Methods inherited from Signet::OAuth2::Client

#apply, #fetch_access_token!, #notify_refresh_listeners, #on_refresh, #orig_fetch_access_token!, #retry_with_error, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ ServiceAccountCredentials

Returns a new instance of ServiceAccountCredentials.


83
84
85
# File 'lib/googleauth/service_account.rb', line 83

def initialize(options = {})
  super(options)
end

Class Method Details

.make_creds(options = {}) ⇒ Object

Creates a ServiceAccountCredentials.

Parameters:

  • json_key_io (IO)

    an IO from which the JSON key can be read

  • scope (string|array|nil)

    the scope(s) to access


58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# File 'lib/googleauth/service_account.rb', line 58

def self.make_creds(options = {})
  json_key_io, scope = options.values_at(:json_key_io, :scope)
  if json_key_io
    private_key, client_email = read_json_key(json_key_io)
  else
    private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
    client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
  end

  new(token_credential_uri: TOKEN_CRED_URI,
      audience: TOKEN_CRED_URI,
      scope: scope,
      issuer: client_email,
      signing_key: OpenSSL::PKey::RSA.new(private_key))
end

.unescape(str) ⇒ Object

Handles certain escape sequences that sometimes appear in input. Specifically, interprets the ā€œnā€ sequence for newline, and removes enclosing quotes.


77
78
79
80
81
# File 'lib/googleauth/service_account.rb', line 77

def self.unescape(str)
  str = str.gsub '\n', "\n"
  str = str[1..-2] if str.start_with?('"') && str.end_with?('"')
  str
end

Instance Method Details

#apply!(a_hash, opts = {}) ⇒ Object

Extends the base class.

If scope(s) is not set, it creates a transient ServiceAccountJwtHeaderCredentials instance and uses that to authenticate instead.


92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# File 'lib/googleauth/service_account.rb', line 92

def apply!(a_hash, opts = {})
  # Use the base implementation if scopes are set
  unless scope.nil?
    super
    return
  end

  # Use the ServiceAccountJwtHeaderCredentials using the same cred values
  # if no scopes are set.
  cred_json = {
    private_key: @signing_key.to_s,
    client_email: @issuer
  }
  alt_clz = ServiceAccountJwtHeaderCredentials
  key_io = StringIO.new(MultiJson.dump(cred_json))
  alt = alt_clz.make_creds(json_key_io: key_io)
  alt.apply!(a_hash)
end