Google Auth Library Client - Class GCECredentials (1.45.2)

Reference documentation and code samples for the Google Auth Library Client class GCECredentials.

GCECredentials supports authorization on Google Compute Engine.

It can be used to authorize requests using the AuthTokenMiddleware, but will only succeed if being run on GCE:

use Google\Auth\Credentials\GCECredentials;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

$gce = new GCECredentials();
$middleware = new AuthTokenMiddleware($gce);
$stack = HandlerStack::create();
$stack->push($middleware);

$client = new Client([
    'handler' => $stack,
    'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
    'auth' => 'google_auth'
]);

$res = $client->get('myproject/taskqueues/myqueue');

Namespace

Google \ Auth \ Credentials

Methods

__construct

Parameters
Name Description
iam Google\Auth\Iam|null

[optional] An IAM instance.

scope string|string[]

[optional] the scope of the access request, expressed either as an array or as a space-delimited string.

targetAudience string

[optional] The audience for the ID token.

quotaProject string

[optional] Specifies a project to bill for access charges associated with the request.

serviceAccountIdentity string

[optional] Specify a service account identity name to use instead of "default".

universeDomain string|null

[optional] Specify a universe domain to use instead of fetching one from the metadata server.

fetchAuthToken

Implements FetchAuthTokenInterface#fetchAuthToken.

Fetches the auth tokens from the GCE metadata host if it is available. If $httpHandler is not specified, the default HttpHandler is used.

Parameters
Name Description
httpHandler callable|null

callback which delivers psr7 request

headers array

[optional] Headers to be inserted into the token endpoint request.

Returns
Type Description
array

A set of auth-related metadata, based on the token type:

    string $access_token   for access tokens
    int    $expires_in     for access tokens
    string $token_type     for access tokens
    string $id_token       for ID tokens

getCacheKey

Returns the Cache Key for the credential token.

The format for the cache key is: TokenURI

Returns
Type Description
string

getLastReceivedToken

Returns an associative array with the token and expiration time.

Returns
Type Description
array|null

getClientName

Get the client name from GCE metadata.

Subsequent calls will return a cached value.

Parameter
Name Description
httpHandler callable|null

callback which delivers psr7 request

Returns
Type Description
string

getProjectId

Fetch the default Project ID from compute engine.

Returns null if called outside GCE.

Parameter
Name Description
httpHandler callable|null

Callback which delivers psr7 request

Returns
Type Description
string|null

getUniverseDomain

Fetch the default universe domain from the metadata server.

Parameter
Name Description
httpHandler callable|null

Callback which delivers psr7 request

Returns
Type Description
string

getQuotaProject

Get the quota project used for this API request.

Returns
Type Description
string|null

setIsOnGce

Set whether or not we've already checked the GCE environment.

Parameter
Name Description
isOnGce bool

Returns
Type Description
void
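
The following added example (not part of the original reference, and not the library's own code) exercises fetchAuthToken offline by passing a stub $httpHandler and calling setIsOnGce(true) to skip the environment probe. It assumes google/auth and guzzlehttp/psr7 are installed via Composer and that the handler receives a PSR-7 request and returns a PSR-7 response; the scope choice and the token value are constructed placeholders.

```php
<?php
require 'vendor/autoload.php';

use Google\Auth\Credentials\GCECredentials;
use GuzzleHttp\Psr7\Response;
use Psr\Http\Message\RequestInterface;

// Request only the scope the workload needs (constructed choice for this example).
$scope = 'https://www.googleapis.com/auth/devstorage.read_only';
$gce = new GCECredentials(null, $scope);

// Skip the environment probe: this example talks to a stub, not a real VM.
$gce->setIsOnGce(true);

// Stub handler standing in for the metadata server. It records what the
// credentials object asked for and answers with a constructed token document.
$seen = [];
$stub = function (RequestInterface $request, array $options = []) use (&$seen) {
    $seen[] = [
        'uri'    => (string) $request->getUri(),
        'flavor' => $request->getHeaderLine(GCECredentials::FLAVOR_HEADER),
    ];
    $body = json_encode([
        'access_token' => 'EXAMPLE-NOT-A-REAL-TOKEN',
        'expires_in'   => 3599,
        'token_type'   => 'Bearer',
    ]);
    return new Response(200, [GCECredentials::FLAVOR_HEADER => 'Google'], $body);
};

$token = $gce->fetchAuthToken($stub);

// Fail closed: without an access token, do not fall through to
// unauthenticated requests.
if (empty($token['access_token'])) {
    throw new RuntimeException('No access token returned by the metadata server');
}

// Log metadata about the token, never the token value itself.
printf("type=%s expires_in=%d\n", $token['token_type'], $token['expires_in']);

// Shows the requested URI and the Metadata-Flavor request header that was sent.
print_r($seen);
```
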

static::getTokenUri

The full uri for accessing the default token.

Parameter
Name Description
serviceAccountIdentity string

[optional] Specify a service account identity name to use instead of "default".

Returns
Type Description
string

static::getClientNameUri

The full uri for accessing the default service account.

Parameter
Name Description
serviceAccountIdentity string

[optional] Specify a service account identity name to use instead of "default".

Returns
Type Description
string

static::onAppEngineFlexible

Determines if this is an App Engine Flexible instance by accessing the GAE_INSTANCE environment variable.

Returns
Type Description
bool true if this is an App Engine Flexible instance, false otherwise

static::onGce

Determines if this is a GCE instance by accessing the expected metadata host.

If $httpHandler is not specified, the default HttpHandler is used.

Parameter
Name Description
httpHandler callable|null

callback which delivers psr7 request

Returns
Type Description
bool True if this is a GCE instance, false otherwise

Constants

cacheKey

Value: 'GOOGLE_AUTH_PHP_GCE'

METADATA_IP

Value: '169.254.169.254'

The metadata IP address on App Engine instances.

The IP is used instead of the domain 'metadata' to avoid slow responses when not on Compute Engine.

TOKEN_URI_PATH

Value: 'v1/instance/service-accounts/default/token'

The metadata path of the default token.

ID_TOKEN_URI_PATH

Value: 'v1/instance/service-accounts/default/identity'

The metadata path of the default id token.

CLIENT_ID_URI_PATH

Value: 'v1/instance/service-accounts/default/email'

The metadata path of the client ID.

PROJECT_ID_URI_PATH

Value: 'v1/project/project-id'

The metadata path of the project ID.

UNIVERSE_DOMAIN_URI_PATH

Value: 'v1/universe/universe-domain'

The metadata path of the universe domain.

FLAVOR_HEADER

Value: 'Metadata-Flavor'

The header whose presence indicates GCE presence.

MAX_COMPUTE_PING_TRIES

Value: 3

Note: the explicit timeout and tries below are a workaround. The underlying issue is that resolving an unknown host on some networks will take 20-30 seconds; making this timeout short fixes the issue, but could lead to false negatives in the event that we are on GCE, but the metadata resolution was particularly slow. The latter case is "unlikely" since the expected 4-nines time is about 0.5 seconds.

This allows us to limit the total ping maximum timeout to 1.5 seconds for developer desktop scenarios.

COMPUTE_PING_CONNECTION_TIMEOUT_S

Value: 0.5
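
The sketch below is an added example, not the library's implementation: it shows how the constants above combine into a bounded probe that accepts a responder only when it returns the Metadata-Flavor header. The probeMetadataServer function and its $send transport are hypothetical names, and the three transports are constructed stand-ins so the code runs offline.

```php
<?php
// Values copied from the constants documented on this page.
const METADATA_IP = '169.254.169.254';
const FLAVOR_HEADER = 'Metadata-Flavor';
const MAX_COMPUTE_PING_TRIES = 3;
const COMPUTE_PING_CONNECTION_TIMEOUT_S = 0.5;

/**
 * $send is a hypothetical transport:
 *   fn(string $url, array $headers, float $timeout): array
 * It returns the response headers (name => value) or throws a
 * RuntimeException on timeout or connection failure.
 */
function probeMetadataServer(callable $send): bool
{
    for ($try = 1; $try <= MAX_COMPUTE_PING_TRIES; $try++) {
        try {
            $headers = $send(
                'http://' . METADATA_IP . '/',
                [FLAVOR_HEADER => 'Google'],
                COMPUTE_PING_CONNECTION_TIMEOUT_S
            );
        } catch (RuntimeException $e) {
            continue; // slow or unreachable: retry, bounded at 3 x 0.5 s = 1.5 s
        }
        // Header names are case-insensitive. A reply without the flavor header
        // came from something else answering on the link-local address.
        $headers = array_change_key_case($headers, CASE_LOWER);
        return ($headers[strtolower(FLAVOR_HEADER)] ?? '') === 'Google';
    }
    return false; // every attempt timed out: the false-negative case in the note
}

// Constructed transports standing in for three environments.
$slowGce = function () {          // metadata server that answers on the third try
    static $calls = 0;
    if (++$calls < 3) throw new RuntimeException('timeout');
    return ['metadata-flavor' => 'Google'];
};
$otherHost = fn () => ['Server' => 'nginx'];   // some other responder, no flavor header
$desktop = function () { throw new RuntimeException('connect timeout'); };

var_dump(probeMetadataServer($slowGce));
var_dump(probeMetadataServer($otherHost));
var_dump(probeMetadataServer($desktop));
```
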