class Google::Auth::ServiceAccountJwtHeaderCredentials
Authenticates requests using Google’s Service Account credentials via JWT Header.
This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via ‘Generate new Json Key’). It is not part of any OAuth2
flow, rather it creates a JWT and sends that as a credential.
cf [Application Default Credentials](cloud.google.com/docs/authentication/production)
Constants
- AUTH_METADATA_KEY
- EXPIRY
- JWT_AUD_URI_KEY
- SIGNING_ALGORITHM
- TOKEN_CRED_URI
Attributes
Public Class Methods
Create a ServiceAccountJwtHeaderCredentials
.
@param json_key_io [IO] an IO from which the JSON key can be read @param scope [string|array|nil] the scope(s) to access
# File lib/googleauth/service_account.rb, line 155 def self.make_creds options = {} json_key_io, scope = options.values_at :json_key_io, :scope new json_key_io: json_key_io, scope: scope end
Initializes a ServiceAccountJwtHeaderCredentials
.
@param json_key_io [IO] an IO from which the JSON key can be read
# File lib/googleauth/service_account.rb, line 163 def initialize options = {} json_key_io = options[:json_key_io] if json_key_io @private_key, @issuer, @project_id, @quota_project_id, @universe_domain = self.class.read_json_key json_key_io else @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR] @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR] @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR] @quota_project_id = nil @universe_domain = nil end @universe_domain ||= "googleapis.com" @project_id ||= CredentialsLoader.load_gcloud_project_id @signing_key = OpenSSL::PKey::RSA.new @private_key @scope = options[:scope] end
Public Instance Methods
Returns a clone of a_hash updated with the authoriation header
# File lib/googleauth/service_account.rb, line 194 def apply a_hash, opts = {} a_copy = a_hash.clone apply! a_copy, opts a_copy end
Construct a jwt token if the JWT_AUD_URI key is present in the input hash.
The jwt token is used as the value of a ‘Bearer ’.
# File lib/googleauth/service_account.rb, line 185 def apply! a_hash, opts = {} jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY return a_hash if jwt_aud_uri.nil? && @scope.nil? jwt_token = new_jwt_token jwt_aud_uri, opts a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}" a_hash end
Duck-types the corresponding method from BaseClient
# File lib/googleauth/service_account.rb, line 226 def needs_access_token? false end
Creates a jwt uri token.
# File lib/googleauth/service_account.rb, line 207 def new_jwt_token jwt_aud_uri = nil, options = {} now = Time.new skew = options[:skew] || 60 assertion = { "iss" => @issuer, "sub" => @issuer, "exp" => (now + EXPIRY).to_i, "iat" => (now - skew).to_i } jwt_aud_uri = nil if @scope assertion["scope"] = Array(@scope).join " " if @scope assertion["aud"] = jwt_aud_uri if jwt_aud_uri JWT.encode assertion, @signing_key, SIGNING_ALGORITHM end
Returns a reference to the apply
method, suitable for passing as a closure
# File lib/googleauth/service_account.rb, line 202 def updater_proc proc { |a_hash, opts = {}| apply a_hash, opts } end