Class ComputeCredential (1.60.0)

public class ComputeCredential : ServiceCredential, IHttpExecuteInterceptor, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IBlobSigner

Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved.

More details about Compute Engine authentication are available at: https://cloud.google.com/compute/docs/authentication.

Inheritance

object > ServiceCredential > ComputeCredential

Namespace

Google.Apis.Auth.OAuth2

Assembly

Google.Apis.Auth.dll

Constructors

ComputeCredential()

public ComputeCredential()

Constructs a new Compute credential instance.

ComputeCredential(Initializer)

public ComputeCredential(ComputeCredential.Initializer initializer)

Constructs a new Compute credential instance.

Parameter
Name Description
initializer ComputeCredential.Initializer

Fields

MetadataServerUrl

public const string MetadataServerUrl = "http://169.254.169.254"

The metadata server URL. This can be overridden (for the purposes of Compute environment detection and auth token retrieval) using the GCE_METADATA_HOST environment variable.

Field Value
Type Description
string

Properties

OidcTokenUrl

public string OidcTokenUrl { get; }

Gets the OIDC Token URL.

Property Value
Type Description
string

Methods

GetDefaultServiceAccountEmailAsync(CancellationToken)

public Task<string> GetDefaultServiceAccountEmailAsync(CancellationToken cancellationToken = default)

Returns a task whose result, when completed, is the default service account email associated with this Compute credential.

Parameter
Name Description
cancellationToken CancellationToken
Returns
Type Description
Task<string>
Remarks

This value is cached because changing the default service account associated with a Compute VM requires the machine to be turned off. As a result, the operation is only asynchronous the first time it is called.

Note that if an exception is thrown while fetching this value, the exception is cached and will be rethrown by the task returned by any future call to this method. If that happens, you can create a new ComputeCredential instance so that fetching the default service account email is re-attempted.

GetOidcTokenAsync(OidcTokenOptions, CancellationToken)

public Task<OidcToken> GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = default)

Returns an OIDC token for the given options.

Parameters
Name Description
options OidcTokenOptions

The options to create the token from.

cancellationToken CancellationToken

The cancellation token that may be used to cancel the request.

Returns
Type Description
Task<OidcToken>

The OIDC token.

IsRunningOnComputeEngine()

public static Task<bool> IsRunningOnComputeEngine()

Detects whether the application is running on Google Compute Engine. This is achieved by attempting to contact the GCE metadata server, which is only available on GCE. The check is only performed the first time you call this method; subsequent invocations use the cached result of the first call.

Returns
Type Description
Task<bool>

RequestAccessTokenAsync(CancellationToken)

public override Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)

Requests a new token.

Parameter
Name Description
taskCancellationToken CancellationToken

Cancellation token to cancel operation.

Returns
Type Description
Task<bool>

true if a new token was received successfully.

Overrides

SignBlobAsync(byte[], CancellationToken)

public Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default)

Signs the provided blob using the private key associated with the service account this ComputeCredential represents.

Parameters
Name Description
blob byte[]

The blob to sign.

cancellationToken CancellationToken

Cancellation token to cancel the operation.

Returns
Type Description
Task<string>

The base64 encoded signature.

Remarks

The private key associated with the Compute service account is not known locally by a ComputeCredential. Signing happens by executing a request to the IAM Credentials API, which increases latency and counts towards IAM Credentials API quotas. Additionally, the first time a ComputeCredential is used to sign data, a request to the metadata server is made to obtain the email of the default Compute service account.

Exceptions
Type Description
HttpRequestException

When the signing request fails.
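
An added example (not code from the Google.Apis.Auth documentation) that combines the GCE_METADATA_HOST override described under MetadataServerUrl, the cached-exception remark on GetDefaultServiceAccountEmailAsync, and the SignBlobAsync remarks above. The class and helper names, the host allowlist and the retry policy are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;

public static class ComputeSigningExample // hypothetical name
{
    // Assumption: the only metadata hosts this deployment accepts.
    private static readonly HashSet<string> AllowedMetadataHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "metadata.google.internal", "169.254.169.254" };

    // Fail closed if GCE_METADATA_HOST would redirect environment detection
    // and token retrieval to a host outside the allowlist.
    public static void EnsureMetadataHostNotRedirected()
    {
        string host = Environment.GetEnvironmentVariable("GCE_METADATA_HOST");
        if (!string.IsNullOrEmpty(host) && !AllowedMetadataHosts.Contains(host))
            throw new InvalidOperationException("Unexpected GCE_METADATA_HOST: " + host);
    }

    // Returns the signing service account email and the base64 signature.
    public static async Task<(string Email, string Signature)> SignAsync(
        byte[] blob, int maxAttempts = 3, CancellationToken ct = default)
    {
        EnsureMetadataHostNotRedirected();
        if (!await ComputeCredential.IsRunningOnComputeEngine())
            throw new InvalidOperationException("GCE metadata server not reachable.");

        for (int attempt = 1; ; attempt++)
        {
            // A failed email lookup is cached on the instance, so each attempt
            // uses a fresh ComputeCredential instead of retrying the old one.
            var credential = new ComputeCredential();
            try
            {
                string email = await credential.GetDefaultServiceAccountEmailAsync(ct);
                string signature = await credential.SignBlobAsync(blob, ct);
                return (email, signature);
            }
            catch (Exception ex) when (attempt < maxAttempts && !(ex is OperationCanceledException))
            {
                await Task.Delay(TimeSpan.FromSeconds(attempt), ct); // simple linear backoff
            }
        }
    }
}
```

Recording the returned email next to the signature shows which service account identity produced it, and each call to SignAsync costs at least one IAM Credentials API request against quota.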

Extension Method