class Google::Auth::ServiceAccountJwtHeaderCredentials
Authenticates requests using Google's Service Account credentials via JWT Header.
This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via 'Generate new Json Key'). It is not part of any OAuth2 flow, rather it creates a JWT and sends that as a credential.
cf [Application Default Credentials](cloud.google.com/docs/authentication/production)
Constants
- AUTH_METADATA_KEY
- EXPIRY
- JWT_AUD_URI_KEY
- SIGNING_ALGORITHM
- TOKEN_CRED_URI
Attributes
Public Class Methods
::make_creds proxies the construction of a credentials instance
::make_creds is used by the methods in CredentialsLoader.
By default, it calls new with 2 args, the second one being an optional scope. Here's the constructor only has one param, so we modify ::make_creds to reflect this.
# File lib/googleauth/service_account.rb, line 152 def self.make_creds *args new json_key_io: args[0][:json_key_io] end
Initializes a ServiceAccountJwtHeaderCredentials.
@param json_key_io [IO] an IO from which the JSON key can be read
# File lib/googleauth/service_account.rb, line 159 def initialize options = {} json_key_io = options[:json_key_io] if json_key_io @private_key, @issuer, @project_id, @quota_project_id = self.class.read_json_key json_key_io else @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR] @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR] @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR] @quota_project_id = nil end @project_id ||= CredentialsLoader.load_gcloud_project_id @signing_key = OpenSSL::PKey::RSA.new @private_key end
Public Instance Methods
Returns a clone of a_hash updated with the authoriation header
# File lib/googleauth/service_account.rb, line 187 def apply a_hash, opts = {} a_copy = a_hash.clone apply! a_copy, opts a_copy end
Construct a jwt token if the JWT_AUD_URI key is present in the input hash.
The jwt token is used as the value of a 'Bearer '.
# File lib/googleauth/service_account.rb, line 178 def apply! a_hash, opts = {} jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY return a_hash if jwt_aud_uri.nil? jwt_token = new_jwt_token jwt_aud_uri, opts a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}" a_hash end
Returns a reference to the apply method, suitable for passing as a closure
# File lib/googleauth/service_account.rb, line 195 def updater_proc lambda(&method(:apply)) end
Protected Instance Methods
Creates a jwt uri token.
# File lib/googleauth/service_account.rb, line 202 def new_jwt_token jwt_aud_uri, options = {} now = Time.new skew = options[:skew] || 60 assertion = { "iss" => @issuer, "sub" => @issuer, "aud" => jwt_aud_uri, "exp" => (now + EXPIRY).to_i, "iat" => (now - skew).to_i } JWT.encode assertion, @signing_key, SIGNING_ALGORITHM end