IAMCredentialsClient(
transport=None,
channel=None,
credentials=None,
client_config=None,
client_info=None,
client_options=None,
)
A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.
Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.
Methods
IAMCredentialsClient
IAMCredentialsClient(
transport=None,
channel=None,
credentials=None,
client_config=None,
client_info=None,
client_options=None,
)
Constructor.
Parameters | |
---|---|
Name | Description |
channel | grpc.Channel: DEPRECATED. A |
credentials | google.auth.credentials.Credentials: The authorization credentials to attach to requests. These credentials identify this application to the service. If none are specified, the client will attempt to ascertain the credentials from the environment. This argument is mutually exclusive with providing a transport instance to |
client_config | dict: DEPRECATED. A dictionary of call options for each method. If not specified, the default configuration is used. |
client_info | google.api_core.gapic_v1.client_info.ClientInfo: The client info used to send a user-agent string along with API requests. If |
client_options | Union[dict, google.api_core.client_options.ClientOptions]: Client options used to set user options on the client. API Endpoint should be set through client_options. |
from_service_account_file
from_service_account_file(filename, *args, **kwargs)
Creates an instance of this client using the provided credentials file.
Parameter | |
---|---|
Name | Description |
filename | str: The path to the service account private key json file. |
Returns | |
---|---|
Type | Description |
IAMCredentialsClient | The constructed client. |
from_service_account_json
from_service_account_json(filename, *args, **kwargs)
Creates an instance of this client using the provided credentials file.
Parameter | |
---|---|
Name | Description |
filename | str: The path to the service account private key json file. |
Returns | |
---|---|
Type | Description |
IAMCredentialsClient | The constructed client. |
generate_access_token
generate_access_token(name, scope, delegates=None, lifetime=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)
Generates an OAuth 2.0 access token for a service account.
Example

```python
from google.cloud import iam_credentials_v1

client = iam_credentials_v1.IAMCredentialsClient()

# Fully-qualified resource name of the service account.
name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')

# TODO: Initialize `scope` (at least one value is required):
scope = []

response = client.generate_access_token(name, scope)
```
Parameters | |
---|---|
Name | Description |
name | str: Required. The resource name of the service account for which the credentials are requested, in the following format: |
scope | list[str]: Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required. |
delegates | list[str]: The sequence of service accounts in a delegation chain. Each service account must be granted the |
lifetime | Union[dict, Duration]: The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour. If a dict is provided, it must be of the same form as the protobuf message Duration |
retry | Optional[google.api_core.retry.Retry]: A retry object used to retry requests. If |
timeout | Optional[float]: The amount of time, in seconds, to wait for the request to complete. Note that if |
metadata | Optional[Sequence[Tuple[str, str]]]: Additional metadata that is provided to the method. |
Exceptions | |
---|---|
Type | Description |
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason. |
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed. |
ValueError | If the parameters are invalid. |
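
The following is an added example, not code from the client library or its documentation: a guard that validates `scope` and `lifetime` against the constraints in the table above before `generate_access_token` is called, so that callers get short-lived, narrowly scoped tokens by default. The function names, the `allowed_scopes` allow-list and the 300-second default are assumptions of this sketch; `client` is any object exposing the `generate_access_token` signature documented here.

```python
# Added example; names below are hypothetical helpers, not library API.
MAX_LIFETIME_SECONDS = 3600     # upper bound stated in the `lifetime` row above
DEFAULT_LIFETIME_SECONDS = 300  # assumption: short default chosen for this sketch


def build_access_token_args(scope, allowed_scopes,
                            lifetime_seconds=DEFAULT_LIFETIME_SECONDS,
                            delegates=None):
    """Validate inputs and return keyword arguments for generate_access_token."""
    # A bare string would be iterated character by character, so reject it.
    if isinstance(scope, str) or not scope:
        raise ValueError("scope must be a non-empty list of scope strings")
    requested = sorted(set(scope))
    not_allowed = [s for s in requested if s not in allowed_scopes]
    if not_allowed:
        raise ValueError("scopes outside the allow-list: %r" % (not_allowed,))
    if (isinstance(lifetime_seconds, bool)
            or not isinstance(lifetime_seconds, int)
            or not 0 < lifetime_seconds <= MAX_LIFETIME_SECONDS):
        raise ValueError("lifetime_seconds must be an int in 1..%d"
                         % MAX_LIFETIME_SECONDS)
    kwargs = {
        "scope": requested,
        # dict in the same form as the protobuf Duration message
        "lifetime": {"seconds": lifetime_seconds},
    }
    if delegates:
        kwargs["delegates"] = list(delegates)
    return kwargs


def mint_short_lived_token(client, name, scope, allowed_scopes, **options):
    """Request a token through an IAMCredentialsClient-like object."""
    kwargs = build_access_token_args(scope, allowed_scopes, **options)
    response = client.generate_access_token(name, **kwargs)
    # The response carries the token and its expiry time.
    return response.access_token, response.expire_time
```
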
generate_id_token
generate_id_token(name, audience, delegates=None, include_email=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)
Generates an OpenID Connect ID token for a service account.
Example

```python
from google.cloud import iam_credentials_v1

client = iam_credentials_v1.IAMCredentialsClient()

# Fully-qualified resource name of the service account.
name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')

# TODO: Initialize `audience`:
audience = ''

response = client.generate_id_token(name, audience)
```
Parameters | |
---|---|
Name | Description |
name | str: Required. The resource name of the service account for which the credentials are requested, in the following format: |
audience | str: Required. The audience for the token, such as the API or account that this token grants access to. |
delegates | list[str]: The sequence of service accounts in a delegation chain. Each service account must be granted the |
include_email | bool: Include the service account email in the token. If set to |
retry | Optional[google.api_core.retry.Retry]: A retry object used to retry requests. If |
timeout | Optional[float]: The amount of time, in seconds, to wait for the request to complete. Note that if |
metadata | Optional[Sequence[Tuple[str, str]]]: Additional metadata that is provided to the method. |
Exceptions | |
---|---|
Type | Description |
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason. |
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed. |
ValueError | If the parameters are invalid. |
service_account_path
service_account_path(project, service_account)
Return a fully-qualified service_account string.
sign_blob
sign_blob(name, payload, delegates=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)
Signs a blob using a service account's system-managed private key.
Example

```python
from google.cloud import iam_credentials_v1

client = iam_credentials_v1.IAMCredentialsClient()

# Fully-qualified resource name of the service account.
name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')

# TODO: Initialize `payload` (the bytes to sign):
payload = b''

response = client.sign_blob(name, payload)
```
Parameters | |
---|---|
Name | Description |
name | str: Required. The resource name of the service account for which the credentials are requested, in the following format: |
payload | bytes: Required. The bytes to sign. |
delegates | list[str]: The sequence of service accounts in a delegation chain. Each service account must be granted the |
retry | Optional[google.api_core.retry.Retry]: A retry object used to retry requests. If |
timeout | Optional[float]: The amount of time, in seconds, to wait for the request to complete. Note that if |
metadata | Optional[Sequence[Tuple[str, str]]]: Additional metadata that is provided to the method. |
Exceptions | |
---|---|
Type | Description |
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason. |
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed. |
ValueError | If the parameters are invalid. |
sign_jwt
sign_jwt(name, payload, delegates=None, retry=<_MethodDefault._DEFAULT_VALUE: <object object>>, timeout=<_MethodDefault._DEFAULT_VALUE: <object object>>, metadata=None)
Signs a JWT using a service account's system-managed private key.
Example

```python
from google.cloud import iam_credentials_v1

client = iam_credentials_v1.IAMCredentialsClient()

# Fully-qualified resource name of the service account.
name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')

# TODO: Initialize `payload` (a JSON object containing a JWT Claims Set):
payload = ''

response = client.sign_jwt(name, payload)
```
Parameters | |
---|---|
Name | Description |
name | str: Required. The resource name of the service account for which the credentials are requested, in the following format: |
payload | str: Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set. |
delegates | list[str]: The sequence of service accounts in a delegation chain. Each service account must be granted the |
retry | Optional[google.api_core.retry.Retry]: A retry object used to retry requests. If |
timeout | Optional[float]: The amount of time, in seconds, to wait for the request to complete. Note that if |
metadata | Optional[Sequence[Tuple[str, str]]]: Additional metadata that is provided to the method. |
Exceptions | |
---|---|
Type | Description |
google.api_core.exceptions.GoogleAPICallError | If the request failed for any reason. |
google.api_core.exceptions.RetryError | If the request failed due to a retryable error and retry attempts failed. |
ValueError | If the parameters are invalid. |
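
The following is an added example, not code from the client library or its documentation: it builds the `payload` string that `sign_jwt` expects (a JSON-serialised claims set, not a dict) with a bounded expiry, and refuses to send anything that is not valid JSON text. The function names, the choice of `iss`/`sub` as the service account email, and the one-hour local cap are assumptions of this sketch.

```python
# Added example; names below are hypothetical helpers, not library API.
import json
import time

RESERVED_CLAIMS = ("iss", "sub", "aud", "iat", "exp")
MAX_JWT_LIFETIME_SECONDS = 3600  # assumption: local policy cap chosen for this sketch


def build_jwt_payload(service_account_email, audience, lifetime_seconds=300,
                      extra_claims=None, now=None):
    """Return a claims set as the JSON string passed to sign_jwt as `payload`."""
    if not service_account_email or not audience:
        raise ValueError("service_account_email and audience are required")
    if (isinstance(lifetime_seconds, bool)
            or not isinstance(lifetime_seconds, int)
            or not 0 < lifetime_seconds <= MAX_JWT_LIFETIME_SECONDS):
        raise ValueError("lifetime_seconds must be an int in 1..%d"
                         % MAX_JWT_LIFETIME_SECONDS)
    issued_at = int(time.time()) if now is None else int(now)
    claims = dict(extra_claims or {})
    # Callers may add application claims but not override identity or timing.
    clash = sorted(set(claims) & set(RESERVED_CLAIMS))
    if clash:
        raise ValueError("extra_claims may not override %r" % (clash,))
    claims.update({
        "iss": service_account_email,
        "sub": service_account_email,
        "aud": audience,
        "iat": issued_at,
        "exp": issued_at + lifetime_seconds,
    })
    return json.dumps(claims, sort_keys=True, separators=(",", ":"))


def sign_claims(client, name, payload):
    """Send a prepared payload to sign_jwt on an IAMCredentialsClient-like object."""
    if not isinstance(payload, str):
        raise TypeError("payload must be a JSON string, not %s"
                        % type(payload).__name__)
    json.loads(payload)  # malformed JSON raises ValueError before any API call
    response = client.sign_jwt(name, payload)
    # The response carries the signed JWT and the ID of the key that signed it.
    return response.signed_jwt, response.key_id
```
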