Class: Google::Auth::DefaultCredentials

Inherits:
Object
Extended by:
CredentialsLoader
Defined in:
lib/googleauth/default_credentials.rb

Overview

DefaultCredentials is used to preload the credentials file, to determine which type of credentials should be loaded.

Constant Summary

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Class Method Summary

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds

Class Method Details

.determine_creds_class(json_key_io = nil) ⇒ Array(Hash, Class)

Reads the input json and determines which creds class to use.

Parameters:

  • json_key_io (IO, nil) (defaults to: nil)

    An optional IO object containing the JSON key. If nil, the credential type is determined from environment variables.

Returns:

  • (Array(Hash, Class))

    The JSON key (or nil if from environment) and the credential class to use

Raises:

  • (Google::Auth::InitializationError)

    If the JSON is missing the type field or has an unsupported type, or if the environment variable is undefined or unsupported.



# File 'lib/googleauth/default_credentials.rb', line 98

def self.determine_creds_class json_key_io = nil
  if json_key_io
    json_key = MultiJson.load json_key_io.read
    key = "type"
    raise InitializationError, "the json is missing the '#{key}' field" unless json_key.key? key
    type = json_key[key]
  else
    env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
    type = ENV[env_var]
    raise InitializationError, "#{env_var} is undefined in env" unless type
    json_key = nil
  end

  clz = case type
        when ServiceAccountCredentials::CREDENTIAL_TYPE_NAME
          ServiceAccountCredentials
        when UserRefreshCredentials::CREDENTIAL_TYPE_NAME
          UserRefreshCredentials
        when ExternalAccount::Credentials::CREDENTIAL_TYPE_NAME
          ExternalAccount::Credentials
        when ImpersonatedServiceAccountCredentials::CREDENTIAL_TYPE_NAME
          ImpersonatedServiceAccountCredentials
        else
          raise InitializationError, "credentials type '#{type}' is not supported"
        end
  [json_key, clz]
end

.make_creds(options = {}) ⇒ Google::Auth::Credentials

Deprecated.

This method is deprecated and will be removed in a future version. Please use the make_creds method on the specific credential class you intend to load, e.g., Google::Auth::ServiceAccountCredentials.make_creds.

This method does not validate the credential configuration. The security risk occurs when a credential configuration is accepted from a source that is not under your control and used without validation on your side.

If you know that you will be loading credential configurations of a specific type, it is recommended to use a credential-type-specific make_creds method. This will ensure that an unexpected credential type with potential for malicious intent is not loaded unintentionally. You might still have to do validation for certain credential types. Please follow the recommendation for that method. For example, if you want to load only service accounts, you can use:

creds = Google::Auth::ServiceAccountCredentials.make_creds

See also: Google::Auth::ServiceAccountCredentials.make_creds

If you are loading your credential configuration from an untrusted source and have not mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon as possible to prevent security risks to your environment.

Regardless of the method used, it is always your responsibility to validate configurations received from external sources.

See https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.

Override CredentialsLoader#make_creds to use the class determined by loading the json.

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.
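One way to validate an externally supplied credential configuration before handing it to a type-specific make_creds, as an added example that is not part of the googleauth library. The names validate_credential_config and CredentialConfigRejected, the host allowlist, and the choice of checked fields are assumptions for illustration; the sample JSON is constructed.

```ruby
require "json"
require "stringio"
require "uri"

# Added example, not googleauth code. The host allowlist and the checked
# fields are assumptions; adapt them to the configurations you expect.
class CredentialConfigRejected < StandardError; end

EXPECTED_TYPES = %w[service_account].freeze # the only type this application loads
URL_FIELDS     = %w[token_uri token_url service_account_impersonation_url].freeze
ALLOWED_HOSTS  = %w[oauth2.googleapis.com sts.googleapis.com iamcredentials.googleapis.com].freeze

def https_to_allowed_host?(value)
  uri = URI.parse value.to_s
  uri.is_a?(URI::HTTPS) && ALLOWED_HOSTS.include?(uri.host)
rescue URI::InvalidURIError
  false
end

# Returns a StringIO usable as json_key_io, or raises CredentialConfigRejected.
def validate_credential_config(raw_json, expected_types: EXPECTED_TYPES)
  config = begin
    JSON.parse raw_json
  rescue JSON::ParserError
    raise CredentialConfigRejected, "not valid JSON"
  end
  raise CredentialConfigRejected, "top level must be an object" unless config.is_a? Hash

  type = config["type"]
  raise CredentialConfigRejected, "unexpected type #{type.inspect}" unless expected_types.include? type

  URL_FIELDS.each do |field|
    next unless config.key? field
    raise CredentialConfigRejected, "#{field} is not an allowed endpoint" unless https_to_allowed_host? config[field]
  end

  # In external_account configs, credential_source.executable names a local
  # command; this assumed policy refuses it outright.
  source = config["credential_source"]
  if source.is_a?(Hash) && source.key?("executable")
    raise CredentialConfigRejected, "executable credential_source refused"
  end

  StringIO.new JSON.generate(config)
end

# Constructed sample input (no real key material).
SAMPLE_SA = JSON.generate({ "type" => "service_account",
                            "client_email" => "svc@example-project.iam.gserviceaccount.com",
                            "token_uri" => "https://oauth2.googleapis.com/token" })
```

The returned StringIO is what you would pass as json_key_io to Google::Auth::ServiceAccountCredentials.make_creds; a rejected configuration never reaches the library.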

Parameters:

  • options (Hash) (defaults to: {})

    Options for creating the credentials

Returns:

Raises:



# File 'lib/googleauth/default_credentials.rb', line 80

def self.make_creds options = {}
  json_key_io = options[:json_key_io]
  json_key, clz = determine_creds_class json_key_io
  if json_key
    io = StringIO.new MultiJson.dump(json_key)
    clz.make_creds options.merge(json_key_io: io)
  else
    clz.make_creds options
  end
end