IAM Service Account Credentials V1 API - Class Google::Iam::Credentials::V1::IAMCredentials::Client (v0.7.0)

Reference documentation and code samples for the IAM Service Account Credentials V1 API class Google::Iam::Credentials::V1::IAMCredentials::Client.

Client for the IAMCredentials service.

A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.

Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.

Inherits

  • Object

Methods

.configure

def self.configure() { |config| ... } -> Client::Configuration

Configure the IAMCredentials Client class.

See Configuration for a description of the configuration fields.

Yields
  • (config) — Configure the IAMCredentials Client class.
Yield Parameter
Example
# Modify the configuration for all IAMCredentials clients
::Google::Iam::Credentials::V1::IAMCredentials::Client.configure do |config|
  config.timeout = 10.0
end

#configure

def configure() { |config| ... } -> Client::Configuration

Configure the IAMCredentials Client instance.

The configuration is set to the derived mode, meaning that values can be changed, but structural changes (adding new fields, etc.) are not allowed. Structural changes should be made on Client.configure.

See Configuration for a description of the configuration fields.

Yields
  • (config) — Configure the IAMCredentials Client instance.
Yield Parameter

#generate_access_token

def generate_access_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponse
def generate_access_token(name: nil, delegates: nil, scope: nil, lifetime: nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponse

Generates an OAuth 2.0 access token for a service account.

Overloads
def generate_access_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponse
Pass arguments to generate_access_token via a request object, either of type GenerateAccessTokenRequest or an equivalent Hash.
Parameters
  • request (::Google::Iam::Credentials::V1::GenerateAccessTokenRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
  • options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.
def generate_access_token(name: nil, delegates: nil, scope: nil, lifetime: nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponse
Pass arguments to generate_access_token via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).
Parameters
  • name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  • delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

    The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

  • scope (::Array<::String>) — Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
  • lifetime (::Google::Protobuf::Duration, ::Hash) — The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.
Yields
  • (response, operation) — Access the result along with the RPC operation
Yield Parameters
Raises
  • (::Google::Cloud::Error) — if the RPC is aborted.
Example

Basic example

require "google/iam/credentials/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Iam::Credentials::V1::IAMCredentials::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Iam::Credentials::V1::GenerateAccessTokenRequest.new

# Call the generate_access_token method.
result = client.generate_access_token request

# The returned object is of type Google::Iam::Credentials::V1::GenerateAccessTokenResponse.
p result
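
The parameter constraints listed above (the projects/- wildcard, at least one scope, a lifetime of at most 3600 seconds) can be checked before the RPC is made. The following is an added example, not part of the client library or the original page: build_access_token_request is a hypothetical helper, the 300-second default and the lower bound of 1 second are assumptions, and the account and scope values are constructed.

```ruby
# Added example: pre-flight validation for a generate_access_token request Hash.
# build_access_token_request is a hypothetical helper, not a library method.

# Resource-name format required by the API: the "-" project wildcard is mandatory.
SA_RESOURCE = %r{\Aprojects/-/serviceAccounts/[^/\s]+\z}
MAX_LIFETIME_SECONDS = 3600 # documented upper bound (1 hour)

def build_access_token_request(name:, scope:, delegates: [], lifetime_seconds: 300)
  errors = []
  unless name.to_s.match?(SA_RESOURCE)
    errors << "name must be projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}"
  end
  bad = Array(delegates).reject { |d| d.to_s.match?(SA_RESOURCE) }
  errors << "malformed delegates: #{bad.join(', ')}" unless bad.empty?
  errors << "at least one scope is required" if Array(scope).empty?
  # Lower bound of 1 second is an assumption; the page only states the maximum.
  unless lifetime_seconds.is_a?(Integer) && lifetime_seconds.between?(1, MAX_LIFETIME_SECONDS)
    errors << "lifetime must be between 1 and 3600 seconds"
  end
  raise ArgumentError, errors.join("; ") unless errors.empty?

  # ::Google::Protobuf::Duration is accepted in Hash form, as the page notes.
  { name: name, delegates: Array(delegates), scope: Array(scope),
    lifetime: { seconds: lifetime_seconds } }
end

# Constructed sample values: a short-lived token limited to one read-only scope.
SAMPLE_REQUEST = build_access_token_request(
  name: "projects/-/serviceAccounts/reader@example-project.iam.gserviceaccount.com",
  scope: ["https://www.googleapis.com/auth/devstorage.read_only"]
)
# The resulting Hash is what would be passed to client.generate_access_token.
```

Requesting the shortest lifetime and narrowest scope the caller needs limits what a leaked token can be used for.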

#generate_id_token

def generate_id_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponse
def generate_id_token(name: nil, delegates: nil, audience: nil, include_email: nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponse

Generates an OpenID Connect ID token for a service account.

Overloads
def generate_id_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponse
Pass arguments to generate_id_token via a request object, either of type GenerateIdTokenRequest or an equivalent Hash.
Parameters
  • request (::Google::Iam::Credentials::V1::GenerateIdTokenRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
  • options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.
def generate_id_token(name: nil, delegates: nil, audience: nil, include_email: nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponse
Pass arguments to generate_id_token via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).
Parameters
  • name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  • delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

    The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

  • audience (::String) — Required. The audience for the token, such as the API or account that this token grants access to.
  • include_email (::Boolean) — Include the service account email in the token. If set to true, the token will contain email and email_verified claims.
Yields
  • (response, operation) — Access the result along with the RPC operation
Yield Parameters
Raises
  • (::Google::Cloud::Error) — if the RPC is aborted.
Example

Basic example

require "google/iam/credentials/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Iam::Credentials::V1::IAMCredentials::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Iam::Credentials::V1::GenerateIdTokenRequest.new

# Call the generate_id_token method.
result = client.generate_id_token request

# The returned object is of type Google::Iam::Credentials::V1::GenerateIdTokenResponse.
p result

#initialize

def initialize() { |config| ... } -> Client

Create a new IAMCredentials client object.

Yields
  • (config) — Configure the IAMCredentials client.
Yield Parameter
Returns
  • (Client) — a new instance of Client
Example
# Create a client using the default configuration
client = ::Google::Iam::Credentials::V1::IAMCredentials::Client.new

# Create a client using a custom configuration
client = ::Google::Iam::Credentials::V1::IAMCredentials::Client.new do |config|
  config.timeout = 10.0
end

#sign_blob

def sign_blob(request, options = nil) -> ::Google::Iam::Credentials::V1::SignBlobResponse
def sign_blob(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignBlobResponse

Signs a blob using a service account's system-managed private key.

Overloads
def sign_blob(request, options = nil) -> ::Google::Iam::Credentials::V1::SignBlobResponse
Pass arguments to sign_blob via a request object, either of type SignBlobRequest or an equivalent Hash.
Parameters
  • request (::Google::Iam::Credentials::V1::SignBlobRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
  • options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.
def sign_blob(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignBlobResponse
Pass arguments to sign_blob via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).
Parameters
  • name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  • delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

    The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

  • payload (::String) — Required. The bytes to sign.
Yields
  • (response, operation) — Access the result along with the RPC operation
Yield Parameters
Raises
  • (::Google::Cloud::Error) — if the RPC is aborted.
Example

Basic example

require "google/iam/credentials/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Iam::Credentials::V1::IAMCredentials::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Iam::Credentials::V1::SignBlobRequest.new

# Call the sign_blob method.
result = client.sign_blob request

# The returned object is of type Google::Iam::Credentials::V1::SignBlobResponse.
p result

#sign_jwt

def sign_jwt(request, options = nil) -> ::Google::Iam::Credentials::V1::SignJwtResponse
def sign_jwt(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignJwtResponse

Signs a JWT using a service account's system-managed private key.

Overloads
def sign_jwt(request, options = nil) -> ::Google::Iam::Credentials::V1::SignJwtResponse
Pass arguments to sign_jwt via a request object, either of type SignJwtRequest or an equivalent Hash.
Parameters
  • request (::Google::Iam::Credentials::V1::SignJwtRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
  • options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.
def sign_jwt(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignJwtResponse
Pass arguments to sign_jwt via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).
Parameters
  • name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  • delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

    The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

  • payload (::String) — Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
Yields
  • (response, operation) — Access the result along with the RPC operation
Yield Parameters
Raises
  • (::Google::Cloud::Error) — if the RPC is aborted.
Example

Basic example

require "google/iam/credentials/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Iam::Credentials::V1::IAMCredentials::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Iam::Credentials::V1::SignJwtRequest.new

# Call the sign_jwt method.
result = client.sign_jwt request

# The returned object is of type Google::Iam::Credentials::V1::SignJwtResponse.
p result
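
The delegation-chain rule stated for the delegates parameter of generate_access_token, generate_id_token, sign_blob and sign_jwt can be audited offline against exported IAM policies. The following is an added example, not part of the client library or the original page: missing_delegation_grants is a hypothetical helper, the policy map is constructed sample data keyed by service account email, and accounts are assumed to be identified by email rather than unique ID.

```ruby
# Added example: find gaps in a delegation chain before using `delegates`.
# missing_delegation_grants is a hypothetical helper, not a library method.

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Strip the projects/-/serviceAccounts/ prefix to get the account email.
def account_id(resource)
  resource.sub(%r{\Aprojects/-/serviceAccounts/}, "")
end

# Returns [grantee, resource] pairs where `grantee` lacks the Token Creator
# role on `resource`. Each delegate needs the role on the next delegate, and
# the last delegate needs it on the account given in `name`.
# policies: { account_email => { role => [members] } }
def missing_delegation_grants(delegates:, name:, policies:)
  chain = (delegates + [name]).map { |r| account_id(r) }
  chain.each_cons(2).reject do |grantee, resource|
    members = policies.dig(resource, TOKEN_CREATOR) || []
    members.include?("serviceAccount:#{grantee}")
  end
end

# Constructed sample data (not real accounts).
PREFIX = "projects/-/serviceAccounts/"
SA_A = "hop-a@example-project.iam.gserviceaccount.com"
SA_B = "hop-b@example-project.iam.gserviceaccount.com"
TARGET = "deployer@example-project.iam.gserviceaccount.com"

SAMPLE_POLICIES = {
  SA_B   => { TOKEN_CREATOR => ["serviceAccount:#{SA_A}"] },
  # hop-b is NOT granted the role on the target, so the chain is broken here.
  TARGET => { TOKEN_CREATOR => ["user:alice@example.com"] }
}

GAPS = missing_delegation_grants(
  delegates: [PREFIX + SA_A, PREFIX + SA_B],
  name: PREFIX + TARGET,
  policies: SAMPLE_POLICIES
)
GAPS.each { |grantee, res| puts "#{grantee} lacks #{TOKEN_CREATOR} on #{res}" }
```

The same traversal, run over every service account's policy, also shows which accounts can reach a given target through a chain of Token Creator grants, which is worth reviewing when auditing for least privilege.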