Module: Google::Auth::ExternalAccount::ExternalAccountUtils

Included in:
AwsCredentials, IdentityPoolCredentials, PluggableAuthCredentials
Defined in:
lib/googleauth/external_account/external_account_utils.rb

Overview

Authenticates requests using External Account credentials, such as those provided by the AWS provider or by an OIDC provider such as Azure.

Constant Summary

CLOUD_RESOURCE_MANAGER =
  "https://cloudresourcemanager.googleapis.com/v1/projects/".freeze

    Cloud resource manager URL used to retrieve project information.

Instance Method Summary

  • #normalize_timestamp(time) ⇒ Time?
  • #project_id ⇒ String?
  • #project_number ⇒ String?
  • #service_account_email ⇒ String?

Instance Method Details

#normalize_timestamp(time) ⇒ Time?

Normalizes a timestamp value to a Time object

Parameters:

  • time (Time, String, nil)

    The timestamp to normalize

Returns:

  • (Time, nil)

    The normalized timestamp or nil if input is nil

Raises:

  • (CredentialsError)

    If the value is neither a Time, a String, nor nil

# File 'lib/googleauth/external_account/external_account_utils.rb', line 84

def normalize_timestamp time
  case time
  when NilClass
    nil
  when Time
    time
  when String
    # Time.parse comes from the standard "time" library (require "time")
    Time.parse time
  else
    raise CredentialsError, "Invalid time value #{time}"
  end
end

#project_id ⇒ String?

Retrieves the project ID corresponding to the workload identity pool or workforce pool. For workforce pool credentials, it returns the project ID corresponding to the workforce_pool_user_project. When the project ID cannot be determined, nil is returned.

The caller may lack the permission (resourcemanager.projects.get) needed to call this API, or the required scopes may not have been requested: https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes

Returns:

  • (String, nil)

    The project ID corresponding to the workload identity pool or workforce pool if determinable

# File 'lib/googleauth/external_account/external_account_utils.rb', line 43

def project_id
  return @project_id unless @project_id.nil?
  project_number = self.project_number || @workforce_pool_user_project

  # if either the project number or the scope is missing, we cannot retrieve the project_id
  return nil if project_number.nil? || @scope.nil?

  url = "#{CLOUD_RESOURCE_MANAGER}#{project_number}"
  response = connection.get url do |req|
    req.headers["Authorization"] = "Bearer #{@access_token}"
    req.headers["Content-Type"] = "application/json"
  end

  if response.status == 200
    response_data = MultiJson.load response.body, symbolize_names: true
    @project_id = response_data[:projectId]
  end

  @project_id
end

#project_number ⇒ String?

Retrieves the project number from a workload identity pool STS audience, which follows the pattern //iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...

Returns:

  • (String, nil)

    The project number extracted from the audience string, or nil if it cannot be determined

# File 'lib/googleauth/external_account/external_account_utils.rb', line 72

def project_number
  segments = @audience.split "/"
  idx = segments.index "projects"
  return nil if idx.nil? || idx + 1 == segments.size
  segments[idx + 1]
end
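The method above takes whatever follows a "projects" segment, wherever that segment appears. The audience is read from the external-account credential configuration, so a stricter reader that only accepts the documented shapes is useful when that file is not fully trusted. The following is an added example, not part of googleauth: it parses both the workload identity pool audience shape shown above and the workforce pool shape (which carries no project number), and returns nil for anything else. The two audience patterns and the field names in the returned Hash are assumptions made for this example.

```ruby
# Added example, not googleauth code: strict parsing of external-account STS audiences.
#
# Assumed shapes:
#   //iam.googleapis.com/projects/<number>/locations/<loc>/workloadIdentityPools/<pool>/providers/<provider>
#   //iam.googleapis.com/locations/<loc>/workforcePools/<pool>/providers/<provider>
WORKLOAD_AUDIENCE = %r{
  \A//iam\.googleapis\.com/projects/(?<project_number>\d+)
  /locations/(?<location>[^/]+)/workloadIdentityPools/(?<pool>[^/]+)
  /providers/(?<provider>[^/]+)\z
}x

WORKFORCE_AUDIENCE = %r{
  \A//iam\.googleapis\.com/locations/(?<location>[^/]+)
  /workforcePools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)\z
}x

# Returns a Hash describing the audience, or nil when it matches neither shape
# (wrong host, non-numeric project number, extra or missing segments, non-String input).
def parse_sts_audience(audience)
  return nil unless audience.is_a?(String)
  if (m = WORKLOAD_AUDIENCE.match(audience))
    { type: :workload, project_number: m[:project_number], location: m[:location],
      pool: m[:pool], provider: m[:provider] }
  elsif (m = WORKFORCE_AUDIENCE.match(audience))
    { type: :workforce, project_number: nil, location: m[:location],
      pool: m[:pool], provider: m[:provider] }
  end
end

# Same contract as the module's project_number: the project number as a String, or nil.
# Unlike the segment scan, an audience on another host or with a malformed
# project number yields nil rather than whatever text follows "projects".
def strict_project_number(audience)
  parsed = parse_sts_audience(audience)
  parsed && parsed[:project_number]
end
```

Constructed inputs such as "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider" yield "123456789", while the workforce shape and any audience on a different host yield nil.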

#service_account_email ⇒ String?

Extracts the service account email from the impersonation URL

Returns:

  • (String, nil)

    The service account email extracted from the service_account_impersonation_url, or nil if it cannot be determined

# File 'lib/googleauth/external_account/external_account_utils.rb', line 101

def service_account_email
  return nil if @service_account_impersonation_url.nil?
  start_idx = @service_account_impersonation_url.rindex "/"
  end_idx = @service_account_impersonation_url.index ":generateAccessToken"
  # String#rindex and String#index return nil (not -1) when the substring is absent
  if !start_idx.nil? && !end_idx.nil? && start_idx < end_idx
    start_idx += 1
    # exclusive range so the ":" that begins ":generateAccessToken" is not included
    return @service_account_impersonation_url[start_idx...end_idx]
  end
  nil
end
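The method above locates the email by character offsets between the last "/" and ":generateAccessToken". The impersonation URL also comes from the credential configuration file and determines where the exchanged token is sent, so an extractor that parses the value as a URL and checks its scheme, host and path shape before returning anything is a reasonable companion. The following is an added example, not googleauth code; the expected URL shape, the host allow-list and the function name are assumptions made for this example.

```ruby
require "uri"

# Added example, not googleauth code: extract the service-account email from an
# impersonation URL by parsing it as a URL rather than by character offsets.
#
# Assumed shape:
#   https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<email>:generateAccessToken
# The allowed host list is an assumption for this example.
ALLOWED_IMPERSONATION_HOSTS = ["iamcredentials.googleapis.com"].freeze

IMPERSONATION_PATH = %r{\A/v1/projects/[^/]+/serviceAccounts/(?<email>[^/:]+):generateAccessToken\z}

# Returns the email, or nil when the URL is absent, unparsable, not https,
# not on an allowed host, or its path does not match the expected shape.
def impersonation_email(url)
  return nil if url.nil? || url.empty?
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    return nil
  end
  # URI::HTTPS is a subclass of URI::HTTP, so a plain http:// URL fails this check
  return nil unless uri.is_a?(URI::HTTPS)
  return nil unless ALLOWED_IMPERSONATION_HOSTS.include?(uri.host)
  m = IMPERSONATION_PATH.match(uri.path)
  return nil unless m && m[:email].include?("@")
  m[:email]
end
```

For the constructed URL "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@my-project.iam.gserviceaccount.com:generateAccessToken" this returns "sa@my-project.iam.gserviceaccount.com"; the same path on http://, on another host, or ending in a different method name returns nil.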