googleauth - Class Google::Auth::Credentials (v1.15.1)

Reference documentation and code samples for the googleauth class Google::Auth::Credentials.

Credentials is a high-level base class used by Google's API client libraries to represent the authentication when connecting to an API. In most cases, it is subclassed by API-specific credential classes that can be instantiated by clients.

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.
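One way to apply the validation requirement above before a configuration reaches a Credentials class, as an added example that is not part of the googleauth documentation or library. The allowlist policy (service-account keyfiles only, HTTPS URLs on Google hosts only), the names validate_credential_config, each_string and UntrustedCredentialError, and the sample keyfile are assumptions of this example.

```ruby
require "json"
require "uri"

# Example policy (an assumption of this sketch, not something googleauth enforces):
# accept only service-account keyfiles whose URLs all point at Google over HTTPS.
ALLOWED_TYPES      = ["service_account"].freeze
EXPECTED_TOKEN_URI = "https://oauth2.googleapis.com/token" # TOKEN_CREDENTIAL_URI on this page
ALLOWED_HOST       = /\A(?:(?:[a-z0-9-]+\.)*googleapis\.com|accounts\.google\.com)\z/

class UntrustedCredentialError < StandardError; end

# Yields every String value in a nested Hash/Array structure with its key path.
def each_string(node, path = "", &block)
  case node
  when Hash   then node.each { |k, v| each_string(v, "#{path}/#{k}", &block) }
  when Array  then node.each_with_index { |v, i| each_string(v, "#{path}/#{i}", &block) }
  when String then yield path, node
  end
end

# Returns the parsed Hash when every check passes; raises UntrustedCredentialError otherwise.
def validate_credential_config(json_text)
  config = JSON.parse(json_text)
  raise UntrustedCredentialError, "top level must be a JSON object" unless config.is_a?(Hash)
  unless ALLOWED_TYPES.include?(config["type"])
    raise UntrustedCredentialError, "credential type #{config['type'].inspect} is not allowed"
  end
  unless config["token_uri"] == EXPECTED_TOKEN_URI
    raise UntrustedCredentialError, "unexpected token_uri #{config['token_uri'].inspect}"
  end
  each_string(config) do |path, value|
    next unless value.match?(%r{\A[a-z][a-z0-9+.-]*://}i) # only URL-shaped values
    uri = URI.parse(value) rescue nil                     # unparsable URL => rejected below
    unless uri.is_a?(URI::HTTPS) && uri.host.to_s.downcase.match?(ALLOWED_HOST)
      raise UntrustedCredentialError, "#{path} points outside the allowlist: #{value}"
    end
  end
  config
rescue JSON::ParserError => e
  raise UntrustedCredentialError, "not valid JSON: #{e.message}"
end

# Constructed sample keyfile (placeholder values, no real key material).
SAMPLE = JSON.generate(
  "type" => "service_account", "client_email" => "svc@example-project.iam.gserviceaccount.com",
  "private_key" => "CONSTRUCTED-PLACEHOLDER", "token_uri" => EXPECTED_TOKEN_URI,
  "auth_uri" => "https://accounts.google.com/o/oauth2/auth"
)
puts validate_credential_config(SAMPLE)["client_email"]
```

The returned Hash can then be passed as source_creds to a Credentials subclass, which this page documents as accepting the contents of a JSON keyfile as a Hash.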

Options

Credentials classes are configured with options that dictate default values for parameters such as scope and audience. These defaults are expressed as class attributes, and may differ from endpoint to endpoint. Normally, an API client will provide subclasses specific to each endpoint, configured with appropriate values.

Note that these options inherit up the class hierarchy. If a particular option is not set for a subclass, its superclass is queried.

Some older users of this class set options via constants. This usage is deprecated. For example, instead of setting the AUDIENCE constant on your subclass, call the audience= method.

Example

    class MyCredentials < Google::Auth::Credentials
      # Set the default scope for these credentials
      self.scope = "http://example.com/my_scope"
    end

    # creds is a credentials object suitable for Google API clients
    creds = MyCredentials.default
    creds.scope  # => ["http://example.com/my_scope"]

    class SubCredentials < MyCredentials
      # Override the default scope for this subclass
      self.scope = "http://example.com/sub_scope"
    end

    creds2 = SubCredentials.default
    creds2.scope  # => ["http://example.com/sub_scope"]

Inherits

  • Object

Extended By

  • Forwardable

Methods

.audience

def self.audience() -> String

The default target audience ID to be used when none is provided during initialization. Used only by the assertion grant type.

Returns
  • (String)

.audience=

def self.audience=(new_audience)

Sets the default target audience ID to be used when none is provided during initialization.

Parameter
  • new_audience (String)

.default

def self.default(options = {}) -> Credentials

Creates a new Credentials instance with auth credentials acquired by searching the environment variables and paths configured on the class, and with the default values configured on the class.

The auth credentials are searched for in the following order:

  1. configured environment variables (see Credentials.env_vars)
  2. configured default file paths (see Credentials.paths)
  3. application default (see get_application_default)
Parameter
  • options (Hash) —

    The options for configuring the credentials instance. The following is supported:

    • :scope - the scope for the client
    • "project_id" (and optionally "project") - the project identifier for the client
    • :connection_builder - the connection builder to use for the client
    • :default_connection - the default connection to use for the client
Returns

.env_vars

def self.env_vars() -> Array<String>

The environment variables to search for credentials. Values can either be a file path to the credentials file, or the JSON contents of the credentials file. The env_vars will never be nil. If there are no vars, the empty array is returned.

Returns
  • (Array<String>)

.env_vars=

def self.env_vars=(new_env_vars)

Sets the environment variables to search for credentials. Setting to nil "unsets" the value, and defaults to the superclass (or to the empty array if there is no superclass).

Parameter
  • new_env_vars (String, Array<String>, nil)

.paths

def self.paths() -> Array<String>

The file paths to search for credentials files. The paths will never be nil. If there are no paths, the empty array is returned.

Returns
  • (Array<String>)

.paths=

def self.paths=(new_paths)

Sets the file paths to search for credentials files. Setting to nil "unsets" the value, and defaults to the superclass (or to the empty array if there is no superclass).

Parameter
  • new_paths (String, Array<String>, nil)

.scope

def self.scope() -> String, Array<String>, nil

The default scope to be used when none is provided during initialization. A scope is an access range defined by the authorization server. The scope can be a single value or a list of values.

Either #scope or #target_audience, but not both, should be non-nil. If #scope is set, this credential will produce access tokens. If #target_audience is set, this credential will produce ID tokens.

Returns
  • (String, Array<String>, nil)

.scope=

def self.scope=(new_scope)

Sets the default scope to be used when none is provided during initialization.

Either #scope or #target_audience, but not both, should be non-nil. If #scope is set, this credential will produce access tokens. If #target_audience is set, this credential will produce ID tokens.

Parameter
  • new_scope (String, Array<String>, nil)

.target_audience

def self.target_audience() -> String, nil

The default final target audience for ID tokens, to be used when none is provided during initialization.

Either #scope or #target_audience, but not both, should be non-nil. If #scope is set, this credential will produce access tokens. If #target_audience is set, this credential will produce ID tokens.

Returns
  • (String, nil)

.target_audience=

def self.target_audience=(new_target_audience)

Sets the default final target audience for ID tokens, to be used when none is provided during initialization.

Either #scope or #target_audience, but not both, should be non-nil. If #scope is set, this credential will produce access tokens. If #target_audience is set, this credential will produce ID tokens.

Parameter
  • new_target_audience (String, nil)

.token_credential_uri

def self.token_credential_uri() -> String

The default token credential URI to be used when none is provided during initialization. The URI is the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.

Returns
  • (String)

.token_credential_uri=

def self.token_credential_uri=(new_token_credential_uri)

Set the default token credential URI to be used when none is provided during initialization.

Parameter
  • new_token_credential_uri (String)

#audience

def audience() -> String
Returns
  • (String) — The target audience ID when issuing assertions. Used only by the assertion grant type.

#client

def client() -> Signet::OAuth2::Client

The Signet::OAuth2::Client object the Credentials instance is using.

#client=

def client=(value) -> Signet::OAuth2::Client

The Signet::OAuth2::Client object the Credentials instance is using.

Parameter

#duplicate

def duplicate(options = {}) -> Credentials

Creates a duplicate of these credentials. This method tries to create the duplicate of the wrapped credentials if they support duplication and use them as is if they don't.

The wrapped credentials are typically Signet::OAuth2::Client objects and they keep the transient state (token, refresh token, etc). The duplication discards that state, allowing e.g. to get the token with a different scope.

Parameter
  • options (Hash) —

    Overrides for the credentials parameters.

    The options hash is used in two ways:

    1. Configuring the duplicate of the wrapper object: Some options are used to directly configure the wrapper Credentials instance. These include:
    • :project_id (and optionally :project) - the project identifier for the credentials
    • :quota_project_id - the quota project identifier for the credentials
    2. Configuring the duplicate of the inner client: If the inner client supports duplication the options hash is passed to it. This allows for configuration of additional parameters, most importantly (but not limited to) the following:
    • :scope - the scope for the client
Returns

#initialize

def initialize(source_creds, options = {}) -> Credentials

Creates a new Credentials instance with the provided auth credentials, and with the default values configured on the class.

Parameters
  • source_creds (String, Pathname, Hash, Google::Auth::BaseClient) — The source of credentials. It can be provided as one of the following:

    • The path to a JSON keyfile (as a String or a Pathname)
    • The contents of a JSON keyfile (as a Hash)
    • A Google::Auth::BaseClient credentials object, including but not limited to a Signet::OAuth2::Client object.
    • Any credentials object that supports the methods this wrapper delegates to an inner client.

    If this parameter is an object (Signet::OAuth2::Client or other) it will be used as an inner client. Otherwise the inner client will be constructed from the JSON keyfile or the contents of the hash.

  • options (Hash) — The options for configuring this wrapper credentials object and the inner client. The options hash is used in two ways:

    1. Configuring the wrapper object: Some options are used to directly configure the wrapper Credentials instance. These include:
    • :project_id (and optionally :project) - the project identifier for the client
    • :quota_project_id - the quota project identifier for the client
    • :logger - the logger used to log credential operations such as token refresh.
    2. Configuring the inner client: When the source_creds parameter is a String or Hash, a new Signet::OAuth2::Client is created internally. The following options are used to configure this inner client:
    • :scope - the scope for the client
    • :target_audience - the target audience for the client

    Any other options in the options hash are passed directly to the inner client constructor. This allows you to configure additional parameters of the Signet::OAuth2::Client, such as connection parameters, timeouts, etc.

Returns
Raises

#issuer

def issuer() -> String
Returns
  • (String) — The issuer ID associated with this client.

#logger

def logger() -> Logger
Returns
  • (Logger) — The logger used to log credential operations such as token refresh.

#logger=

def logger=(value) -> Logger
Parameter
  • value (Logger) — The logger used to log credential operations such as token refresh.
Returns
  • (Logger) — The logger used to log credential operations such as token refresh.

#project_id

def project_id() -> String

Identifier for the project the client is authenticating with.

Returns
  • (String)

#quota_project_id

def quota_project_id() -> String, nil

Identifier for a separate project used for billing/quota, if any.

Returns
  • (String, nil)

#scope

def scope() -> String, Array<String>
Returns
  • (String, Array<String>) — The scope for this client. A scope is an access range defined by the authorization server. The scope can be a single value or a list of values.

#signing_key

def signing_key() -> String, OpenSSL::PKey
Returns
  • (String, OpenSSL::PKey) — The signing key associated with this client.

#target_audience

def target_audience() -> String
Returns
  • (String) — The final target audience for ID tokens returned by this credential.

#token_credential_uri

def token_credential_uri() -> String
Returns
  • (String) — The token credential URI. The URI is the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.

#universe_domain

def universe_domain() -> String
Returns
  • (String) — The universe domain issuing these credentials.

#universe_domain=

def universe_domain=(value) -> String
Parameter
  • value (String) — The universe domain issuing these credentials.
Returns
  • (String) — The universe domain issuing these credentials.

#updater_proc

def updater_proc() -> Proc
Returns
  • (Proc) — Returns a reference to the Signet::OAuth2::Client#apply method, suitable for passing as a closure.

Constants

TOKEN_CREDENTIAL_URI

value: "https://oauth2.googleapis.com/token".freeze
The default token credential URI to be used when none is provided during initialization.

AUDIENCE

value: "https://oauth2.googleapis.com/token".freeze
The default target audience ID to be used when none is provided during initialization.


Last updated 2025-10-30 UTC.