Class: Google::Auth::ExternalAccount::Credentials

Inherits:

Object

• Object
• Google::Auth::ExternalAccount::Credentials

Defined in:

lib/googleauth/external_account.rb

Overview

Provides an entrypoint for all Exernal Account credential classes.

Constant Summary

AWS_SUBJECT_TOKEN_TYPE =

The subject token type used for AWS external_account credentials.

"urn:ietf:params:aws:token-type:aws4_request".freeze

MISSING_CREDENTIAL_SOURCE =

"missing credential source for external account".freeze

INVALID_EXTERNAL_ACCOUNT_TYPE =

"credential source is not supported external account type".freeze

Class Method Summary

• .make_creds(options = {}) ⇒ Google::Auth::ExternalAccount::AwsCredentials, ...

  Create a ExternalAccount::Credentials.

• .read_json_key(json_key_io) ⇒ Hash

  Reads the required fields from the JSON.

Class Method Details

.make_creds(options = {}) ⇒ Google::Auth::ExternalAccount::AwsCredentials, ...

Create a ExternalAccount::Credentials

Parameters:

• options (Hash) (defaults to: {}) —

  Options for creating credentials

Options Hash (options):

• :json_key_io (IO) — default: required —

  An IO object containing the JSON key

• :scope (String, Array, nil) —

  The scope(s) to access

Returns:

• (Google::Auth::ExternalAccount::AwsCredentials, Google::Auth::ExternalAccount::IdentityPoolCredentials, Google::Auth::ExternalAccount::PluggableAuthCredentials) —

  The appropriate external account credentials based on the credential source

Raises:

• (Google::Auth::InitializationError) —

  If the json file is missing, lacks required fields, or does not contain a supported credential source

# File 'lib/googleauth/external_account.rb', line 48

def self.make_creds options = {}
  json_key_io, scope = options.values_at :json_key_io, :scope

  raise InitializationError, "A json file is required for external account credentials." unless json_key_io
  user_creds = read_json_key json_key_io

  # AWS credentials is determined by aws subject token type
  return make_aws_credentials user_creds, scope if user_creds[:subject_token_type] == AWS_SUBJECT_TOKEN_TYPE

  raise InitializationError, MISSING_CREDENTIAL_SOURCE if user_creds[:credential_source].nil?
  user_creds[:scope] = scope
  make_external_account_credentials user_creds
end

.read_json_key(json_key_io) ⇒ Hash

Reads the required fields from the JSON.

Parameters:

• json_key_io (IO) —

  An IO object containing the JSON key

Returns:

• (Hash) —

  The parsed JSON key

Raises:

• (Google::Auth::InitializationError) —

  If the JSON is missing required fields

# File 'lib/googleauth/external_account.rb', line 67

def self.read_json_key json_key_io
  json_key = MultiJson.load json_key_io.read, symbolize_keys: true
  wanted = [
    :audience, :subject_token_type, :token_url, :credential_source
  ]
  wanted.each do |key|
    raise InitializationError, "the json is missing the #{key} field" unless json_key.key? key
  end
  json_key
end