googleauth - Class Google::Auth::ImpersonatedServiceAccountCredentials (v1.13.1)

Reference documentation and code samples for the googleauth class Google::Auth::ImpersonatedServiceAccountCredentials.

Authenticates requests using impersonation from base credentials. This is a two-step process: first, an authentication claim is created from the base credentials; then that claim is exchanged for a short-lived token at an IAMCredentials endpoint. The short-lived token and its expiration time are cached.

Inherits

  • Object

Methods

.make_creds

def self.make_creds(options = {}) -> Google::Auth::ImpersonatedServiceAccountCredentials

Creates an ImpersonatedServiceAccountCredentials instance. When you use service account impersonation, you start with an authenticated principal (e.g. your user account or a service account) and request short-lived credentials for a service account that has the authorization that your use case requires.

Parameter
  • options (Hash) — A hash of options to configure the credentials.

#access_token

def access_token() -> String, nil
Returns
  • (String, nil) — The short-lived impersonation access token, retrieved and cached after making the impersonation request

#base_credentials

def base_credentials() -> Object
Returns
  • (Object) — The original authenticated credentials used to fetch short-lived impersonation access tokens

#duplicate

def duplicate(options = {}) -> Google::Auth::ImpersonatedServiceAccountCredentials

Creates a duplicate of these credentials without transient token state

Parameter
  • options (Hash) —

    Overrides for the credentials parameters. The following keys are recognized:

    • base_credentials: the base credentials used to initialize the impersonation
    • source_credentials: the authenticated credentials, which usually would be the base credentials with scope overridden to IAM_SCOPE
    • impersonation_url: the URL to use to make an impersonation token exchange
    • scope: the scope(s) to access

#expires_at

def expires_at() -> Time, nil
Returns
  • (Time, nil) — The expiration time of the current access token, used to determine if the token is still valid

#expires_within?

def expires_within?(seconds) -> Boolean

Determines whether the current access token expires within the specified number of seconds.

Parameter
  • seconds (Integer) — The number of seconds to check against the token's expiration time.
Returns
  • (Boolean) — Whether the access token expires within the given time frame

#impersonation_url

def impersonation_url() -> String
Returns
  • (String) — The URL endpoint used to generate an impersonation token. This URL should follow a specific format to specify the impersonated service account.
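
An added example, not part of googleauth or of this reference: a check that an impersonation_url taken from configuration points at the IAM Credentials generateAccessToken endpoint (`https://iamcredentials.<universe_domain>/v1/projects/-/serviceAccounts/<email>:generateAccessToken`) and names an approved service account before it is passed in the options hash. The helper names, the allowlist and the sample service account are assumptions made for the illustration.

```ruby
require "uri"

# Added example. ImpersonationUrlError, impersonation_target,
# trusted_impersonation_url? and ALLOWED_TARGETS are hypothetical names,
# not part of googleauth.
class ImpersonationUrlError < StandardError; end

# Path of the IAM Credentials generateAccessToken method; captures the target email.
TOKEN_PATH = %r{\A/v1/projects/-/serviceAccounts/([^/:]+):generateAccessToken\z}

# Constructed allowlist of service accounts this workload may impersonate.
ALLOWED_TARGETS = ["deployer@example-project.iam.gserviceaccount.com"].freeze

# Returns the impersonated service account email, or raises ImpersonationUrlError.
def impersonation_target(url, universe_domain: "googleapis.com", allowed: ALLOWED_TARGETS)
  uri = begin
    URI.parse(url.to_s)
  rescue URI::InvalidURIError
    raise ImpersonationUrlError, "not a parseable URI"
  end
  # The exchange request goes to this URL, so pin scheme, host and port.
  raise ImpersonationUrlError, "scheme must be https" unless uri.is_a?(URI::HTTPS)
  if uri.userinfo || uri.query || uri.fragment
    raise ImpersonationUrlError, "userinfo, query and fragment are not allowed"
  end
  expected_host = "iamcredentials.#{universe_domain}"
  unless uri.host.to_s.downcase == expected_host && uri.port == 443
    raise ImpersonationUrlError, "unexpected endpoint #{uri.host}:#{uri.port}"
  end
  match = TOKEN_PATH.match(uri.path)
  raise ImpersonationUrlError, "path is not a generateAccessToken call" unless match
  email = match[1]
  raise ImpersonationUrlError, "#{email} is not an approved target" unless allowed.include?(email)
  email
end

# Boolean wrapper for use in configuration validation.
def trusted_impersonation_url?(url, **opts)
  impersonation_target(url, **opts)
  true
rescue ImpersonationUrlError
  false
end
```

Pass `universe_domain:` when the credentials belong to a non-default universe, so that the host check matches the value `#universe_domain` reports.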

#initialize

def initialize(options = {}) -> Google::Auth::ImpersonatedServiceAccountCredentials

Initializes a new instance of ImpersonatedServiceAccountCredentials.

Parameter
  • options (Hash) — A hash of options to configure the credentials.
Raises
  • (ArgumentError) — If any of the required options are missing.

#logger

def logger() -> Logger, nil
Returns
  • (Logger, nil) — The logger of the credentials.

#scope

def scope() -> Array<String>, String
Returns
  • (Array<String>, String) — The scope(s) required for the impersonated access token, indicating the permissions needed for the short-lived token

#source_credentials

def source_credentials() -> Object
Returns
  • (Object) — The modified version of base credentials, tailored for impersonation purposes with necessary scope adjustments

#universe_domain

def universe_domain() -> String

The universe domain of the impersonated credentials. Effectively this retrieves the universe domain of the source credentials.

Returns
  • (String) — The universe domain of the credentials.