class Google::Auth::ExternalAccount::Credentials

Provides an entrypoint for all Exernal Account credential classes.

Constants

AWS_SUBJECT_TOKEN_TYPE

The subject token type used for AWS external_account credentials.

INVALID_EXTERNAL_ACCOUNT_TYPE
MISSING_CREDENTIAL_SOURCE

Public Class Methods

make_creds(options = {}) click to toggle source

Create a ExternalAccount::Credentials

@param json_key_io [IO] an IO from which the JSON key can be read @param scope [String,Array,nil] the scope(s) to access

# File lib/googleauth/external_account.rb, line 40
def self.make_creds options = {}
  json_key_io, scope = options.values_at :json_key_io, :scope

  raise "A json file is required for external account credentials." unless json_key_io
  user_creds = read_json_key json_key_io

  # AWS credentials is determined by aws subject token type
  return make_aws_credentials user_creds, scope if user_creds[:subject_token_type] == AWS_SUBJECT_TOKEN_TYPE

  raise MISSING_CREDENTIAL_SOURCE if user_creds[:credential_source].nil?
  user_creds[:scope] = scope
  make_external_account_credentials user_creds
end
read_json_key(json_key_io) click to toggle source

Reads the required fields from the JSON.

# File lib/googleauth/external_account.rb, line 55
def self.read_json_key json_key_io
  json_key = MultiJson.load json_key_io.read, symbolize_keys: true
  wanted = [
    :audience, :subject_token_type, :token_url, :credential_source
  ]
  wanted.each do |key|
    raise "the json is missing the #{key} field" unless json_key.key? key
  end
  json_key
end

Private Class Methods

make_aws_credentials(user_creds, scope) click to toggle source
# File lib/googleauth/external_account.rb, line 69
def make_aws_credentials user_creds, scope
  Google::Auth::ExternalAccount::AwsCredentials.new(
    audience: user_creds[:audience],
    scope: scope,
    subject_token_type: user_creds[:subject_token_type],
    token_url: user_creds[:token_url],
    credential_source: user_creds[:credential_source],
    service_account_impersonation_url: user_creds[:service_account_impersonation_url],
    universe_domain: user_creds[:universe_domain]
  )
end
make_external_account_credentials(user_creds) click to toggle source
# File lib/googleauth/external_account.rb, line 81
def make_external_account_credentials user_creds
  unless user_creds[:credential_source][:file].nil? && user_creds[:credential_source][:url].nil?
    return Google::Auth::ExternalAccount::IdentityPoolCredentials.new user_creds
  end
  unless user_creds[:credential_source][:executable].nil?
    return Google::Auth::ExternalAccount::PluggableAuthCredentials.new user_creds
  end
  raise INVALID_EXTERNAL_ACCOUNT_TYPE
end