public class ComputeCredential : ServiceCredential, IHttpExecuteInterceptor, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IBlobSigner
Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved.
More details about Compute Engine authentication are available at: https://cloud.google.com/compute/docs/authentication.
Implements
IHttpExecuteInterceptor, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IBlobSigner
Namespace
Google.Apis.Auth.OAuth2
Assembly
Google.Apis.Auth.dll
Constructors
ComputeCredential()
public ComputeCredential()
Constructs a new Compute credential instance.
ComputeCredential(Initializer)
public ComputeCredential(ComputeCredential.Initializer initializer)
Constructs a new Compute credential instance.
Parameter

| Name | Description |
|---|---|
| initializer | ComputeCredential.Initializer |

Fields
MetadataServerUrl
public const string MetadataServerUrl = "http://169.254.169.254"
The metadata server URL. This can be overridden (for the purposes of Compute environment detection and auth token retrieval) using the GCE_METADATA_HOST environment variable.
Field Value

| Type | Description |
|---|---|
| string | |

Properties
OidcTokenUrl
public string OidcTokenUrl { get; }
Gets the OIDC Token URL.
Property Value

| Type | Description |
|---|---|
| string | |

Methods
GetDefaultServiceAccountEmailAsync(CancellationToken)
public Task<string> GetDefaultServiceAccountEmailAsync(CancellationToken cancellationToken = default)
Returns a task whose result, when completed, is the default service account email associated with this Compute credential.
Parameter

| Name | Description |
|---|---|
| cancellationToken | CancellationToken |

Returns

| Type | Description |
|---|---|
| Task<string> | |

This value is cached, because changing the default service account associated with a Compute VM requires the machine to be turned off. This means that the operation is only asynchronous the first time it is called.
Note that if an exception is thrown when fetching this value, the exception is cached and will be rethrown by the task returned by any future call to this method. You can create a new ComputeCredential instance if that happens, so that fetching the default service account email is re-attempted.
GetOidcTokenAsync(OidcTokenOptions, CancellationToken)
public Task<OidcToken> GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = default)
Returns an OIDC token for the given options.
Parameters

| Name | Description |
|---|---|
| options | OidcTokenOptions: The options to create the token from. |
| cancellationToken | CancellationToken: The cancellation token that may be used to cancel the request. |

Returns

| Type | Description |
|---|---|
| Task<OidcToken> | The OIDC token. |

IsRunningOnComputeEngine()
public static Task<bool> IsRunningOnComputeEngine()
Detects whether the application is running on Google Compute Engine. This is done by attempting to contact the GCE metadata server, which is only available on GCE. The check is performed only the first time this method is called; subsequent invocations use the cached result of the first call.
Returns

| Type | Description |
|---|---|
| Task<bool> | |

RequestAccessTokenAsync(CancellationToken)
public override Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)
Requests a new token.
Parameter

| Name | Description |
|---|---|
| taskCancellationToken | CancellationToken: Cancellation token to cancel operation. |

Returns

| Type | Description |
|---|---|
| Task<bool> | |

SignBlobAsync(byte[], CancellationToken)
public Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default)
Signs the provided blob using the private key associated with the service account this ComputeCredential represents.
Parameters

| Name | Description |
|---|---|
| blob | byte[]: The blob to sign. |
| cancellationToken | CancellationToken: Cancellation token to cancel the operation. |

Returns

| Type | Description |
|---|---|
| Task<string> | The base64 encoded signature. |

The private key associated with the Compute service account is not known locally by a ComputeCredential. Signing happens by executing a request to the IAM Credentials API, which increases latency and counts towards IAM Credentials API quotas. Additionally, the first time a ComputeCredential is used to sign data, a request to the metadata server is made to obtain the email of the default Compute service account.
Exceptions

| Type | Description |
|---|---|
| HttpRequestException | When the signing request fails. |
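
The following is an added example, not code from the library or its documentation, that ties together the cached-exception note on GetDefaultServiceAccountEmailAsync and the remarks on SignBlobAsync: it retries the email lookup with a fresh ComputeCredential each time, then signs with the instance whose lookup succeeded. The names ComputeSigningExample and CreateWithEmailAsync, the retry count, the timeout and the sample payload are assumptions made for illustration.

```csharp
using System;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;

public static class ComputeSigningExample // hypothetical class name
{
    // Hypothetical helper: a failed email lookup is cached per instance, so each retry uses a new instance.
    public static async Task<ComputeCredential> CreateWithEmailAsync(int maxAttempts, CancellationToken ct)
    {
        if (!await ComputeCredential.IsRunningOnComputeEngine())
            throw new InvalidOperationException("Metadata server not reachable; not on Compute Engine.");
        Exception last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++)
        {
            var credential = new ComputeCredential();
            try
            {
                await credential.GetDefaultServiceAccountEmailAsync(ct);
                return credential; // the email is now cached on this instance
            }
            catch (Exception e) when (!(e is OperationCanceledException))
            {
                last = e; // this instance would rethrow the same exception; discard it
                await Task.Delay(TimeSpan.FromSeconds(attempt), ct);
            }
        }
        throw new InvalidOperationException("Could not read the default service account email.", last);
    }

    public static async Task Main()
    {
        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30)); // assumed overall budget
        ComputeCredential credential = await CreateWithEmailAsync(3, cts.Token);
        // Served from the cache populated above: no further metadata server request.
        string email = await credential.GetDefaultServiceAccountEmailAsync(cts.Token);
        byte[] blob = Encoding.UTF8.GetBytes("constructed sample payload");
        try
        {
            // Remote call to the IAM Credentials API: adds latency and consumes quota.
            string signature = await credential.SignBlobAsync(blob, cts.Token);
            Console.WriteLine($"{email} signed {blob.Length} bytes ({signature.Length} base64 chars)");
        }
        catch (HttpRequestException e) { Console.Error.WriteLine($"Signing request failed: {e.Message}"); }
    }
}
```

Because every SignBlobAsync call is a remote request, callers that sign frequently should reuse one ComputeCredential instance and batch or cache signatures where the application allows it.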