Class: Google::Auth::ExternalAccount::IdentityPoolCredentials

Inherits:
Object
Extended by:
CredentialsLoader
Includes:
BaseCredentials, ExternalAccountUtils
Defined in:
lib/googleauth/external_account/identity_pool_credentials.rb

Overview

This class handles the retrieval of credentials from Google Cloud by using any 3PI (third-party identity) provider and then exchanging the provider's credential for a short-lived Google Cloud access token.

Constant Summary

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Constants included from ExternalAccountUtils

ExternalAccountUtils::CLOUD_RESOURCE_MANAGER

Constants included from BaseCredentials

BaseCredentials::EXTERNAL_ACCOUNT_JSON_TYPE, BaseCredentials::IAM_SCOPE, BaseCredentials::STS_GRANT_TYPE, BaseCredentials::STS_REQUESTED_TOKEN_TYPE

Constants included from BaseClient

BaseClient::AUTH_METADATA_KEY

Instance Attribute Summary

Attributes included from BaseCredentials

#access_token, #expires_at, #universe_domain

Attributes included from BaseClient

#logger

Instance Method Summary

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds

Methods included from ExternalAccountUtils

#normalize_timestamp, #project_id, #project_number, #service_account_email

Methods included from BaseCredentials

#expires_within?, #fetch_access_token!, #is_workforce_pool?

Methods included from Helpers::Connection

connection, default_connection, default_connection=

Methods included from BaseClient

#apply, #apply!, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ IdentityPoolCredentials

Initialize from options map.

Parameters:

  • options (Hash) (defaults to: {})

    Configuration options

Options Hash (options):

  • :audience (String)

    The audience for the token

  • :credential_source (Hash{Symbol => Object})

    A hash containing either a source file or a url. Its nested format hash has a type of either text or json, which defines how to parse the credential response.

Raises:


# File 'lib/googleauth/external_account/identity_pool_credentials.rb', line 43

def initialize options = {}
  base_setup options

  @audience = options[:audience]
  @credential_source = options[:credential_source] || {}
  # The subject token is read from a local file or fetched from a URL.
  @credential_source_file = @credential_source[:file]
  @credential_source_url = @credential_source[:url]
  @credential_source_headers = @credential_source[:headers] || {}
  # format[:type] selects how the fetched content is parsed; defaults to "text".
  @credential_source_format = @credential_source[:format] || {}
  @credential_source_format_type = @credential_source_format[:type] || "text"
  validate_credential_source
end

Instance Attribute Details

#client_id ⇒ Object (readonly)

Will always be nil, but method still gets used.



# File 'lib/googleauth/external_account/identity_pool_credentials.rb', line 32

def client_id
  @client_id
end

Instance Method Details

#retrieve_subject_token! ⇒ String

Implementation of BaseCredentials retrieve_subject_token!

Returns:

  • (String)

    The subject token

Raises:



# File 'lib/googleauth/external_account/identity_pool_credentials.rb', line 60

def retrieve_subject_token!
  # token_data reads the configured file or URL and returns its content
  # together with a resource name used in error messages.
  content, resource_name = token_data
  if @credential_source_format_type == "text"
    # The whole response body is the subject token.
    token = content
  else
    # JSON response: the token is the value under the configured field name.
    begin
      response_data = MultiJson.load content, symbolize_keys: true
      token = response_data[@credential_source_field_name.to_sym]
    rescue StandardError
      raise CredentialsError, "Unable to parse subject_token from JSON resource #{resource_name} " \
                              "using key #{@credential_source_field_name}"
    end
  end
  raise CredentialsError, "Missing subject_token in the credential_source file/response." unless token
  token
end
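The following is an added, stand-alone example (not code from the googleauth gem) that mirrors the credential_source handling of the constructor and the text/json parsing of retrieve_subject_token! above, so the two failure modes (unparseable JSON, missing field) can be exercised offline. It uses the standard-library JSON parser instead of MultiJson, a local SubjectTokenError in place of CredentialsError, reads only file sources (URL fetching is omitted), and assumes a format key named subject_token_field_name for the JSON field; that key name and all token values are constructed for the example.

```ruby
require "json"
require "tempfile"

# Stand-in for the gem's CredentialsError (example-local class).
class SubjectTokenError < StandardError; end

# Extracts the subject token from the raw content of a credential_source file
# or response. format_type "text" means the whole content is the token;
# "json" means the content is a JSON object and field_name selects the token.
# resource_name only feeds the error message, as in the gem.
def extract_subject_token(content, format_type: "text", field_name: nil, resource_name: "<constructed>")
  token =
    if format_type == "text"
      content
    else
      begin
        data = JSON.parse(content, symbolize_names: true)
        # A non-object JSON document or a nil field_name raises here and is
        # reported as a parse failure, matching the gem's broad rescue.
        data[field_name.to_sym]
      rescue JSON::ParserError, NoMethodError, TypeError
        raise SubjectTokenError,
              "Unable to parse subject_token from JSON resource #{resource_name} using key #{field_name}"
      end
    end
  # Slightly stricter than the gem: an empty string is treated as missing too.
  if token.nil? || token.to_s.empty?
    raise SubjectTokenError, "Missing subject_token in the credential_source file/response."
  end
  token
end

# Reads a credential_source hash the way the constructor does (file, format,
# format type defaulting to "text") and loads the token from the :file entry.
# The :subject_token_field_name key is an assumption for this example.
def subject_token_from_source(credential_source)
  file = credential_source[:file]
  raise SubjectTokenError, "credential_source must contain :file in this example" unless file
  format = credential_source[:format] || {}
  extract_subject_token(File.read(file),
                        format_type: format[:type] || "text",
                        field_name: format[:subject_token_field_name],
                        resource_name: file)
end

# Writes a constructed JSON credential file and loads the token from it.
def demo_json_file
  Tempfile.create("subject-token") do |f|
    f.write({ "access_token" => "constructed-oidc-token" }.to_json)
    f.flush
    subject_token_from_source(
      file: f.path,
      format: { type: "json", subject_token_field_name: "access_token" }
    )
  end
end

puts demo_json_file if __FILE__ == $PROGRAM_NAME
```

The file holding the subject token is the trust anchor of this flow: whoever can write it can choose the identity presented to Google's STS, so its permissions deserve the same care as a service-account key.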