class Google::Auth::ServiceAccountJwtHeaderCredentials

Authenticates requests using Google’s Service Account credentials via JWT Header.

This class authorizes requests for a service account directly from the credentials in a JSON key file downloaded from the developer console (via ‘Generate new Json Key’). It is not part of any OAuth2 flow; instead, it creates a JWT signed with the service account's private key and sends that JWT itself as the credential.

See [Application Default Credentials](https://cloud.google.com/docs/authentication/production).

Constants

AUTH_METADATA_KEY
EXPIRY
JWT_AUD_URI_KEY
SIGNING_ALGORITHM
TOKEN_CRED_URI

Attributes

project_id[R]
quota_project_id[R]
universe_domain[RW]

Public Class Methods

make_creds(options = {})

Create a ServiceAccountJwtHeaderCredentials.

@param json_key_io [IO] an IO from which the JSON key can be read
@param scope [string|array|nil] the scope(s) to access

# File lib/googleauth/service_account.rb, line 155
# Factory for ServiceAccountJwtHeaderCredentials.
#
# Only :json_key_io and :scope are forwarded to the constructor; every other
# entry in +options+ is ignored.
#
# @param options [Hash] recognised keys:
#   :json_key_io [IO] an IO from which the JSON key can be read
#   :scope [string|array|nil] the scope(s) to access
# @return the newly built credentials object
def self.make_creds options = {}
  key_io = options[:json_key_io]
  requested_scope = options[:scope]
  new json_key_io: key_io, scope: requested_scope
end
new(options = {})

Initializes a ServiceAccountJwtHeaderCredentials.

@param json_key_io [IO] an IO from which the JSON key can be read

# File lib/googleauth/service_account.rb, line 163
# Builds the credentials from a JSON key stream or, when none is supplied,
# from environment variables.
#
# @param options [Hash] recognised keys:
#   :json_key_io [IO] an IO from which the JSON key can be read
#   :scope [string|array|nil] scope(s) kept for later token creation
#
# NOTE(review): the key text stays in @private_key alongside the parsed
# @signing_key, so anything that dumps instance variables (the default
# #inspect, debug logging, error reporters) can expose the private key unless
# the class overrides that elsewhere -- confirm.
def initialize options = {}
  key_io = options[:json_key_io]
  if key_io
    key_fields = self.class.read_json_key key_io
    @private_key, @issuer, @project_id, @quota_project_id, @universe_domain = key_fields
  else
    # No key stream: key material, issuer and project id come from the
    # process environment.
    @private_key, @issuer, @project_id = ENV.values_at(
      CredentialsLoader::PRIVATE_KEY_VAR,
      CredentialsLoader::CLIENT_EMAIL_VAR,
      CredentialsLoader::PROJECT_ID_VAR
    )
    @quota_project_id = nil
    @universe_domain = nil
  end
  @universe_domain ||= "googleapis.com"
  @project_id ||= CredentialsLoader.load_gcloud_project_id
  # Parsing is expected to fail here when the key material is missing or is
  # not a valid RSA key, so no instance exists without a signing key.
  @signing_key = OpenSSL::PKey::RSA.new @private_key
  @scope = options[:scope]
end

Public Instance Methods

apply(a_hash, opts = {})

Returns a clone of a_hash updated with the authorization header.

# File lib/googleauth/service_account.rb, line 194
# Non-mutating variant of apply!: works on a clone of +a_hash+ and returns
# that clone, leaving the caller's hash untouched.
#
# @param a_hash [Hash] request metadata
# @param opts [Hash] passed through to apply!
# @return [Hash] the clone, after apply! has processed it
def apply a_hash, opts = {}
  # clone (not dup) is kept on purpose: it carries over the frozen state.
  a_hash.clone.tap { |copy| apply! copy, opts }
end
apply!(a_hash, opts = {})

Construct a jwt token if the JWT_AUD_URI key is present in the input hash.

The JWT is used as the value of a ‘Bearer’ token.

# File lib/googleauth/service_account.rb, line 185
# Adds a "Bearer <jwt>" entry under AUTH_METADATA_KEY to +a_hash+, in place.
#
# The JWT_AUD_URI_KEY entry is always removed from the hash. A token is
# created when that entry held a value or when a scope is configured; with
# neither, the hash is returned with no credential added.
#
# The resulting value is a bearer credential that is usable by whoever holds
# it until it expires, so keep the hash out of logs and error reports.
#
# @param a_hash [Hash] request metadata, modified in place
# @param opts [Hash] passed through to new_jwt_token
# @return [Hash] the same +a_hash+ object
def apply! a_hash, opts = {}
  audience = a_hash.delete JWT_AUD_URI_KEY
  unless audience.nil? && @scope.nil?
    a_hash[AUTH_METADATA_KEY] = "Bearer #{new_jwt_token audience, opts}"
  end
  a_hash
end
needs_access_token?()

Duck-types the corresponding method from BaseClient

# File lib/googleauth/service_account.rb, line 226
# Duck-types the BaseClient method of the same name.
#
# @return [false] always
def needs_access_token?
  false
end
new_jwt_token(jwt_aud_uri = nil, options = {})

Creates a signed JWT token, using jwt_aud_uri as the audience when one applies.

# File lib/googleauth/service_account.rb, line 207
# Builds and signs a JWT asserting the service account identity.
#
# "iss" and "sub" are both the issuer. When a scope is configured the token
# carries a "scope" claim and the audience argument is dropped; otherwise
# "aud" is set from +jwt_aud_uri+ if one was given. With neither, the token
# has no "aud" and no "scope" claim.
#
# @param jwt_aud_uri [String, nil] audience for the "aud" claim
# @param options [Hash] :skew -- seconds by which "iat" is moved into the
#   past (60 when not given)
# @return the value returned by JWT.encode
def new_jwt_token jwt_aud_uri = nil, options = {}
  issued_at = Time.new
  backdate = options[:skew] || 60
  # A configured scope takes precedence over any audience.
  audience = @scope ? nil : jwt_aud_uri

  # "iat" is backdated, presumably to tolerate clock drift at the verifier;
  # the span between "iat" and "exp" is therefore EXPIRY + skew seconds, so a
  # large caller-supplied :skew widens the window the token claims.
  claims = {
    "iss" => @issuer,
    "sub" => @issuer,
    "exp" => (issued_at + EXPIRY).to_i,
    "iat" => (issued_at - backdate).to_i
  }
  claims["scope"] = Array(@scope).join " " if @scope
  claims["aud"] = audience if audience

  JWT.encode claims, @signing_key, SIGNING_ALGORITHM
end
updater_proc()

Returns a reference to the apply method, suitable for passing as a closure

# File lib/googleauth/service_account.rb, line 202
# Wraps the non-mutating apply method in a proc so it can be handed around as
# a closure.
#
# @return [Proc] a proc taking (a_hash, opts = {}) and returning the result
#   of apply
def updater_proc
  proc do |a_hash, opts = {}|
    apply a_hash, opts
  end
end