Reference documentation and code samples for the IAM Service Account Credentials V1 API class Google::Iam::Credentials::V1::IAMCredentials::Client.
Client for the IAMCredentials service.
A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.
Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.
Inherits
- Object
Methods
.configure
def self.configure() { |config| ... } -> Client::Configuration
Configure the IAMCredentials Client class.
See Configuration for a description of the configuration fields.
- (config) — Configure the Client client.
- config (Client::Configuration)
    # Modify the configuration for all IAMCredentials clients
    ::Google::Iam::Credentials::V1::IAMCredentials::Client.configure do |config|
      config.timeout = 10.0
    end
#configure
def configure() { |config| ... } -> Client::Configuration
Configure the IAMCredentials Client instance.
The configuration is set to the derived mode, meaning that values can be changed, but structural changes (adding new fields, etc.) are not allowed. Structural changes should be made on Client.configure.
See Configuration for a description of the configuration fields.
- (config) — Configure the Client client.
- config (Client::Configuration)
#generate_access_token
def generate_access_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponse
def generate_access_token(name: nil, delegates: nil, scope: nil, lifetime: nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponse
Generates an OAuth 2.0 access token for a service account.
def generate_access_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponse
Pass arguments to generate_access_token via a request object, either of type GenerateAccessTokenRequest or an equivalent Hash.
- request (::Google::Iam::Credentials::V1::GenerateAccessTokenRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
- options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.
def generate_access_token(name: nil, delegates: nil, scope: nil, lifetime: nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponse
Pass arguments to generate_access_token via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).
- name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
- delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
- scope (::Array<::String>) — Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
- lifetime (::Google::Protobuf::Duration, ::Hash) — The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.
- (response, operation) — Access the result along with the RPC operation
- response (::Google::Iam::Credentials::V1::GenerateAccessTokenResponse)
- operation (::GRPC::ActiveCall::Operation)
- (::Google::Cloud::Error) — if the RPC is aborted.
Basic example
    require "google/iam/credentials/v1"

    # Create a client object. The client can be reused for multiple calls.
    client = Google::Iam::Credentials::V1::IAMCredentials::Client.new

    # Create a request. To set request fields, pass in keyword arguments.
    request = Google::Iam::Credentials::V1::GenerateAccessTokenRequest.new

    # Call the generate_access_token method.
    result = client.generate_access_token request

    # The returned object is of type Google::Iam::Credentials::V1::GenerateAccessTokenResponse.
    p result
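The name, delegates, scope and lifetime constraints documented for generate_access_token can be checked before the RPC is made, and the delegation chain can be expanded into the roles/iam.serviceAccountTokenCreator grants it relies on, which is useful when reviewing who can mint tokens for an account. This is an added example, not part of the client library; the helper names, constants and sample service accounts are constructed for illustration, and only the grants stated in the delegates description are listed.

```ruby
# Added example: pre-flight checks for a generate_access_token request Hash.
# Helper names and sample accounts are hypothetical, not part of the gem.
SA_NAME = %r{\Aprojects/-/serviceAccounts/[^/\s]+\z}
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
MAX_LIFETIME_SECONDS = 3600

# Returns the documented constraints the request violates (empty if none).
def access_token_request_errors(req)
  errors = []
  errors << "name is required" if req[:name].nil?
  [req[:name], *Array(req[:delegates])].compact.each do |n|
    errors << "bad resource name: #{n}" unless SA_NAME.match?(n)
  end
  errors << "at least one scope is required" if Array(req[:scope]).empty?
  seconds = req.dig(:lifetime, :seconds)
  errors << "lifetime exceeds 3600 seconds" if seconds && seconds > MAX_LIFETIME_SECONDS
  errors
end

# Expands the chain into the grants the delegates field relies on: each
# delegate on the next one, and the last delegate on the account in name.
def required_token_creator_grants(req)
  chain = Array(req[:delegates]) + [req[:name]]
  chain.each_cons(2).map do |member, resource|
    { member: member.split("/").last, role: TOKEN_CREATOR, resource: resource }
  end
end

# Constructed sample: two delegates, one read-only scope, 15-minute token.
SAMPLE_REQUEST = {
  name: "projects/-/serviceAccounts/deployer@example-project.iam.gserviceaccount.com",
  delegates: [
    "projects/-/serviceAccounts/ci@example-project.iam.gserviceaccount.com",
    "projects/-/serviceAccounts/broker@example-project.iam.gserviceaccount.com"
  ],
  scope: ["https://www.googleapis.com/auth/devstorage.read_only"],
  lifetime: { seconds: 900 }
}.freeze

if __FILE__ == $PROGRAM_NAME
  problems = access_token_request_errors(SAMPLE_REQUEST)
  abort problems.join("\n") unless problems.empty?
  required_token_creator_grants(SAMPLE_REQUEST).each do |g|
    puts "#{g[:member]} needs #{g[:role]} on #{g[:resource]}"
  end
  # With the gem installed, the same Hash can be passed as the request object:
  #   Google::Iam::Credentials::V1::IAMCredentials::Client.new.generate_access_token SAMPLE_REQUEST
end
```

Run the validator first; required_token_creator_grants assumes a request that already passed it.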
#generate_id_token
def generate_id_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponse
def generate_id_token(name: nil, delegates: nil, audience: nil, include_email: nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponse
Generates an OpenID Connect ID token for a service account.
def generate_id_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponse
Pass arguments to generate_id_token via a request object, either of type GenerateIdTokenRequest or an equivalent Hash.
- request (::Google::Iam::Credentials::V1::GenerateIdTokenRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
- options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.
def generate_id_token(name: nil, delegates: nil, audience: nil, include_email: nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponse
Pass arguments to generate_id_token via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).
- name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
- delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
- audience (::String) — Required. The audience for the token, such as the API or account that this token grants access to.
- include_email (::Boolean) — Include the service account email in the token. If set to true, the token will contain email and email_verified claims.
- (response, operation) — Access the result along with the RPC operation
- response (::Google::Iam::Credentials::V1::GenerateIdTokenResponse)
- operation (::GRPC::ActiveCall::Operation)
- (::Google::Cloud::Error) — if the RPC is aborted.
Basic example
    require "google/iam/credentials/v1"

    # Create a client object. The client can be reused for multiple calls.
    client = Google::Iam::Credentials::V1::IAMCredentials::Client.new

    # Create a request. To set request fields, pass in keyword arguments.
    request = Google::Iam::Credentials::V1::GenerateIdTokenRequest.new

    # Call the generate_id_token method.
    result = client.generate_id_token request

    # The returned object is of type Google::Iam::Credentials::V1::GenerateIdTokenResponse.
    p result
#initialize
def initialize() { |config| ... } -> Client
Create a new IAMCredentials client object.
- (config) — Configure the IAMCredentials client.
- config (Client::Configuration)
- (Client) — a new instance of Client
    # Create a client using the default configuration
    client = ::Google::Iam::Credentials::V1::IAMCredentials::Client.new

    # Create a client using a custom configuration
    client = ::Google::Iam::Credentials::V1::IAMCredentials::Client.new do |config|
      config.timeout = 10.0
    end
#logger
def logger() -> Logger
The logger used for request/response debug logging.
- (Logger)
#sign_blob
def sign_blob(request, options = nil) -> ::Google::Iam::Credentials::V1::SignBlobResponse
def sign_blob(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignBlobResponse
Signs a blob using a service account's system-managed private key.
def sign_blob(request, options = nil) -> ::Google::Iam::Credentials::V1::SignBlobResponse
Pass arguments to sign_blob via a request object, either of type SignBlobRequest or an equivalent Hash.
- request (::Google::Iam::Credentials::V1::SignBlobRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
- options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.
def sign_blob(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignBlobResponse
Pass arguments to sign_blob via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).
- name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
- delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
- payload (::String) — Required. The bytes to sign.
- (response, operation) — Access the result along with the RPC operation
- response (::Google::Iam::Credentials::V1::SignBlobResponse)
- operation (::GRPC::ActiveCall::Operation)
- (::Google::Cloud::Error) — if the RPC is aborted.
Basic example
    require "google/iam/credentials/v1"

    # Create a client object. The client can be reused for multiple calls.
    client = Google::Iam::Credentials::V1::IAMCredentials::Client.new

    # Create a request. To set request fields, pass in keyword arguments.
    request = Google::Iam::Credentials::V1::SignBlobRequest.new

    # Call the sign_blob method.
    result = client.sign_blob request

    # The returned object is of type Google::Iam::Credentials::V1::SignBlobResponse.
    p result
#sign_jwt
def sign_jwt(request, options = nil) -> ::Google::Iam::Credentials::V1::SignJwtResponse
def sign_jwt(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignJwtResponse
Signs a JWT using a service account's system-managed private key.
def sign_jwt(request, options = nil) -> ::Google::Iam::Credentials::V1::SignJwtResponse
Pass arguments to sign_jwt via a request object, either of type SignJwtRequest or an equivalent Hash.
- request (::Google::Iam::Credentials::V1::SignJwtRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
- options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.
def sign_jwt(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignJwtResponse
Pass arguments to sign_jwt via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).
- name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
- delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
- payload (::String) — Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
- (response, operation) — Access the result along with the RPC operation
- response (::Google::Iam::Credentials::V1::SignJwtResponse)
- operation (::GRPC::ActiveCall::Operation)
- (::Google::Cloud::Error) — if the RPC is aborted.
Basic example
    require "google/iam/credentials/v1"

    # Create a client object. The client can be reused for multiple calls.
    client = Google::Iam::Credentials::V1::IAMCredentials::Client.new

    # Create a request. To set request fields, pass in keyword arguments.
    request = Google::Iam::Credentials::V1::SignJwtRequest.new

    # Call the sign_jwt method.
    result = client.sign_jwt request

    # The returned object is of type Google::Iam::Credentials::V1::SignJwtResponse.
    p result
#universe_domain
def universe_domain() -> String
The effective universe domain
- (String)