google.auth package¶
Google Auth Library for Python.
- default(scopes=None,request=None,quota_project_id=None,default_scopes=None)[source]¶
Gets the default credentials for the current environment.
Application Default Credentials provides an easy way to obtaincredentials to call Google APIs for server-to-server or local applications.This function acquires credentials from the environment in the followingorder:
If the environment variable
GOOGLE_APPLICATION_CREDENTIALSis setto the path of a valid service account JSON private key file, then it isloaded and returned. The project ID returned is the project ID definedin the service account file if available (some older files do notcontain project ID information).If the environment variable is set to the path of a valid externalaccount JSON configuration file (workload identity federation), then theconfiguration file is used to determine and retrieve the externalcredentials from the current environment (AWS, Azure, etc).These will then be exchanged for Google access tokens via the Google STSendpoint.The project ID returned in this case is the one corresponding to theunderlying workload identity pool resource if determinable.
If the environment variable is set to the path of a valid GDCH serviceaccount JSON file (Google Distributed Cloud Hosted), then a GDCHcredential will be returned. The project ID returned is the projectspecified in the JSON file.
If theGoogle Cloud SDK is installed and has application defaultcredentials set they are loaded and returned.
To enable application default credentials with the Cloud SDK run:
gcloudauthapplication-defaultlogin
If the Cloud SDK has an active project, the project ID is returned. Theactive project can be set using:
gcloudconfigsetproject
If the application is running in theApp Engine standard environment(first generation) then the credentials and project ID from theApp Identity Service are used.
If the application is running inCompute Engine orCloud Run ortheApp Engine flexible environment or theApp Engine standardenvironment (second generation) then the credentials and project IDare obtained from theMetadata Service.
If no credentials are found,
DefaultCredentialsErrorwill be raised.
Example:
importgoogle.authcredentials,project_id=google.auth.default()
- Parameters:
scopes (
Sequencestr) – The list of scopes for the credentials. Ifspecified, the credentials will automatically be scoped ifnecessary.request (
Optionalgoogle.auth.transport.Request) – An object used to makeHTTP requests. This is used to either detect whether the applicationis running on Compute Engine or to determine the associated projectID for a workload identity pool resource (external accountcredentials). If not specified, then it will either use the standardlibrary http client to make requests for Compute Engine credentialsor a google.auth.transport.requests.Request client for externalaccount credentials.quota_project_id (
Optionalstr) – The project ID used forquota and billing.default_scopes (
OptionalSequencestr) – Default scopes passed by aGoogle client library. Use ‘scopes’ for user-defined scopes.
- Returns:
the current environment’s credentials and project ID. Project IDmay be None, which indicates that the Project ID could not beascertained from the environment.
- Return type:
- Raises:
DefaultCredentialsError – If no credentials were found, or if the credentials found were invalid.
- load_credentials_from_file(filename,scopes=None,default_scopes=None,quota_project_id=None,request=None)[source]¶
Loads Google credentials from a file.
The credentials file must be a service account key, stored authorizeduser credentials, external account credentials, or impersonated serviceaccount credentials.
Warning
Important: If you accept a credential configuration (credential JSON/File/Stream)from an external source for authentication to Google Cloud Platform, you mustvalidate it before providing it to any Google API or client library. Providing anunvalidated credential configuration to Google APIs or libraries can compromisethe security of your systems and data. For more information, refer toValidate credential configurations from external sources.
- Parameters:
filename (str) – The full path to the credentials file.
scopes (
OptionalSequencestr) – The list of scopes for the credentials. Ifspecified, the credentials will automatically be scoped ifnecessarydefault_scopes (
OptionalSequencestr) – Default scopes passed by aGoogle client library. Use ‘scopes’ for user-defined scopes.quota_project_id (
Optionalstr) – The project ID used forquota and billing.request (
Optionalgoogle.auth.transport.Request) – An object used to makeHTTP requests. This is used to determine the associated project IDfor a workload identity pool resource (external account credentials).If not specified, then it will use agoogle.auth.transport.requests.Request client to make requests.
- Returns:
- Loaded
credentials and the project ID. Authorized user credentials do nothave the project ID information. External account credentials projectIDs may not always be determined.
- Return type:
- Raises:
google.auth.exceptions.DefaultCredentialsError – if the file is in the wrong format or is missing.
- load_credentials_from_dict(info,scopes=None,default_scopes=None,quota_project_id=None,request=None)[source]¶
Loads Google credentials from a dict.
The credentials file must be a service account key, stored authorizeduser credentials, external account credentials, or impersonated serviceaccount credentials.
Warning
Important: If you accept a credential configuration (credential JSON/File/Stream)from an external source for authentication to Google Cloud Platform, you mustvalidate it before providing it to any Google API or client library. Providing anunvalidated credential configuration to Google APIs or libraries can compromisethe security of your systems and data. For more information, refer toValidate credential configurations from external sources.
- Parameters:
info (
Dictstr,Any) – A dict object containing the credentialsscopes (
OptionalSequencestr) – The list of scopes for the credentials. Ifspecified, the credentials will automatically be scoped ifnecessarydefault_scopes (
OptionalSequencestr) – Default scopes passed by aGoogle client library. Use ‘scopes’ for user-defined scopes.quota_project_id (
Optionalstr) – The project ID used forquota and billing.request (
Optionalgoogle.auth.transport.Request) – An object used to makeHTTP requests. This is used to determine the associated project IDfor a workload identity pool resource (external account credentials).If not specified, then it will use agoogle.auth.transport.requests.Request client to make requests.
- Returns:
- Loaded
credentials and the project ID. Authorized user credentials do nothave the project ID information. External account credentials projectIDs may not always be determined.
- Return type:
- Raises:
google.auth.exceptions.DefaultCredentialsError – if the file is in the wrong format or is missing.
Subpackages¶
- google.auth.compute_engine package
CredentialsCredentials.refresh()Credentials.service_account_emailCredentials.requires_scopesCredentials.universe_domainCredentials.get_cred_info()Credentials.with_quota_project()Credentials.with_scopes()Credentials.with_universe_domain()Credentials.apply()Credentials.before_request()Credentials.default_scopesCredentials.expiredCredentials.has_scopes()Credentials.quota_project_idCredentials.scopesCredentials.token_stateCredentials.validCredentials.expiry
IDTokenCredentialsIDTokenCredentials.with_target_audience()IDTokenCredentials.with_quota_project()IDTokenCredentials.with_token_uri()IDTokenCredentials.apply()IDTokenCredentials.before_request()IDTokenCredentials.expiredIDTokenCredentials.get_cred_info()IDTokenCredentials.quota_project_idIDTokenCredentials.token_stateIDTokenCredentials.universe_domainIDTokenCredentials.validIDTokenCredentials.expiryIDTokenCredentials.refresh()IDTokenCredentials.signerIDTokenCredentials.sign_bytes()IDTokenCredentials.service_account_emailIDTokenCredentials.signer_email
detect_gce_residency_linux()- Submodules
- google.auth.crypt package
- google.auth.transport package
Submodules¶
- google.auth.app_engine module
Signerget_project_id()CredentialsCredentials.refresh()Credentials.service_account_emailCredentials.requires_scopesCredentials.with_scopes()Credentials.with_quota_project()Credentials.sign_bytes()Credentials.signer_emailCredentials.signerCredentials.apply()Credentials.before_request()Credentials.default_scopesCredentials.expiredCredentials.get_cred_info()Credentials.has_scopes()Credentials.quota_project_idCredentials.scopesCredentials.token_stateCredentials.universe_domainCredentials.validCredentials.expiry
- google.auth.aws module
RequestSignerAwsSecurityCredentialsAwsSecurityCredentialsSupplierCredentialsCredentials.retrieve_subject_token()Credentials.apply()Credentials.before_request()Credentials.default_scopesCredentials.expiredCredentials.from_info()Credentials.get_cred_info()Credentials.get_project_id()Credentials.has_scopes()Credentials.infoCredentials.is_userCredentials.is_workforce_poolCredentials.project_numberCredentials.quota_project_idCredentials.refresh()Credentials.requires_scopesCredentials.scopesCredentials.service_account_emailCredentials.token_info_urlCredentials.token_stateCredentials.universe_domainCredentials.validCredentials.with_quota_project()Credentials.with_scopes()Credentials.with_token_uri()Credentials.with_universe_domain()Credentials.expiryCredentials.from_file()
- google.auth.credentials module
CredentialsCredentialsWithQuotaProjectCredentialsWithQuotaProject.with_quota_project()CredentialsWithQuotaProject.apply()CredentialsWithQuotaProject.before_request()CredentialsWithQuotaProject.expiredCredentialsWithQuotaProject.get_cred_info()CredentialsWithQuotaProject.quota_project_idCredentialsWithQuotaProject.refresh()CredentialsWithQuotaProject.token_stateCredentialsWithQuotaProject.universe_domainCredentialsWithQuotaProject.validCredentialsWithQuotaProject.expiry
CredentialsWithTokenUriCredentialsWithTokenUri.with_token_uri()CredentialsWithTokenUri.apply()CredentialsWithTokenUri.before_request()CredentialsWithTokenUri.expiredCredentialsWithTokenUri.get_cred_info()CredentialsWithTokenUri.quota_project_idCredentialsWithTokenUri.refresh()CredentialsWithTokenUri.token_stateCredentialsWithTokenUri.universe_domainCredentialsWithTokenUri.validCredentialsWithTokenUri.expiry
CredentialsWithUniverseDomainCredentialsWithUniverseDomain.with_universe_domain()CredentialsWithUniverseDomain.apply()CredentialsWithUniverseDomain.before_request()CredentialsWithUniverseDomain.expiredCredentialsWithUniverseDomain.get_cred_info()CredentialsWithUniverseDomain.quota_project_idCredentialsWithUniverseDomain.refresh()CredentialsWithUniverseDomain.token_stateCredentialsWithUniverseDomain.universe_domainCredentialsWithUniverseDomain.validCredentialsWithUniverseDomain.expiry
AnonymousCredentialsAnonymousCredentials.expiredAnonymousCredentials.validAnonymousCredentials.refresh()AnonymousCredentials.apply()AnonymousCredentials.before_request()AnonymousCredentials.get_cred_info()AnonymousCredentials.quota_project_idAnonymousCredentials.token_stateAnonymousCredentials.universe_domainAnonymousCredentials.expiry
ReadOnlyScopedScopedwith_scopes_if_required()SigningTokenState
- google.auth.credentials_async module
CredentialsCredentialsWithQuotaProjectCredentialsWithQuotaProject.apply()CredentialsWithQuotaProject.before_request()CredentialsWithQuotaProject.expiredCredentialsWithQuotaProject.get_cred_info()CredentialsWithQuotaProject.quota_project_idCredentialsWithQuotaProject.refresh()CredentialsWithQuotaProject.token_stateCredentialsWithQuotaProject.universe_domainCredentialsWithQuotaProject.validCredentialsWithQuotaProject.with_quota_project()CredentialsWithQuotaProject.expiry
AnonymousCredentialsAnonymousCredentials.apply()AnonymousCredentials.before_request()AnonymousCredentials.expiredAnonymousCredentials.get_cred_info()AnonymousCredentials.quota_project_idAnonymousCredentials.refresh()AnonymousCredentials.token_stateAnonymousCredentials.universe_domainAnonymousCredentials.validAnonymousCredentials.expiry
ReadOnlyScopedScopedwith_scopes_if_required()Signing
- google.auth.downscoped module
- google.auth.environment_vars module
- google.auth.exceptions module
- google.auth.external_account module
SupplierContextCredentialsCredentials.infoCredentials.service_account_emailCredentials.is_userCredentials.is_workforce_poolCredentials.requires_scopesCredentials.project_numberCredentials.token_info_urlCredentials.get_cred_info()Credentials.with_scopes()Credentials.retrieve_subject_token()Credentials.get_project_id()Credentials.refresh()Credentials.with_quota_project()Credentials.with_token_uri()Credentials.with_universe_domain()Credentials.apply()Credentials.before_request()Credentials.default_scopesCredentials.expiredCredentials.from_info()Credentials.has_scopes()Credentials.quota_project_idCredentials.scopesCredentials.token_stateCredentials.universe_domainCredentials.validCredentials.expiryCredentials.from_file()
- google.auth.iam module
- google.auth.identity_pool module
SubjectTokenSupplierCredentialsCredentials.retrieve_subject_token()Credentials.apply()Credentials.before_request()Credentials.default_scopesCredentials.expiredCredentials.get_cred_info()Credentials.get_project_id()Credentials.has_scopes()Credentials.infoCredentials.is_userCredentials.is_workforce_poolCredentials.project_numberCredentials.quota_project_idCredentials.refresh()Credentials.requires_scopesCredentials.scopesCredentials.service_account_emailCredentials.token_info_urlCredentials.token_stateCredentials.universe_domainCredentials.validCredentials.with_quota_project()Credentials.with_scopes()Credentials.with_token_uri()Credentials.with_universe_domain()Credentials.expiryCredentials.from_info()Credentials.from_file()
- google.auth.impersonated_credentials module
CredentialsCredentials.expiryCredentials.refresh()Credentials.sign_bytes()Credentials.signer_emailCredentials.signerCredentials.requires_scopesCredentials.get_cred_info()Credentials.with_quota_project()Credentials.with_scopes()Credentials.from_impersonated_service_account_info()Credentials.apply()Credentials.before_request()Credentials.default_scopesCredentials.expiredCredentials.has_scopes()Credentials.quota_project_idCredentials.scopesCredentials.token_stateCredentials.universe_domainCredentials.valid
IDTokenCredentialsIDTokenCredentials.with_quota_project()IDTokenCredentials.refresh()IDTokenCredentials.apply()IDTokenCredentials.before_request()IDTokenCredentials.expiredIDTokenCredentials.get_cred_info()IDTokenCredentials.quota_project_idIDTokenCredentials.token_stateIDTokenCredentials.universe_domainIDTokenCredentials.validIDTokenCredentials.expiry
- google.auth.jwt module
encode()decode_header()decode()CredentialsCredentials.from_service_account_info()Credentials.from_service_account_file()Credentials.from_signing_credentials()Credentials.with_claims()Credentials.with_quota_project()Credentials.refresh()Credentials.sign_bytes()Credentials.signer_emailCredentials.signerCredentials.additional_claimsCredentials.apply()Credentials.before_request()Credentials.expiredCredentials.get_cred_info()Credentials.quota_project_idCredentials.token_stateCredentials.universe_domainCredentials.validCredentials.expiry
OnDemandCredentialsOnDemandCredentials.from_service_account_info()OnDemandCredentials.from_service_account_file()OnDemandCredentials.from_signing_credentials()OnDemandCredentials.with_claims()OnDemandCredentials.with_quota_project()OnDemandCredentials.validOnDemandCredentials.refresh()OnDemandCredentials.before_request()OnDemandCredentials.sign_bytes()OnDemandCredentials.signer_emailOnDemandCredentials.signerOnDemandCredentials.apply()OnDemandCredentials.expiredOnDemandCredentials.get_cred_info()OnDemandCredentials.quota_project_idOnDemandCredentials.token_stateOnDemandCredentials.universe_domainOnDemandCredentials.expiry
- google.auth.jwt_async module
encode()decode()CredentialsCredentials.additional_claimsCredentials.apply()Credentials.before_request()Credentials.expiredCredentials.from_service_account_file()Credentials.from_service_account_info()Credentials.from_signing_credentials()Credentials.get_cred_info()Credentials.quota_project_idCredentials.refresh()Credentials.sign_bytes()Credentials.signerCredentials.signer_emailCredentials.token_stateCredentials.universe_domainCredentials.validCredentials.with_claims()Credentials.with_quota_project()Credentials.expiry
OnDemandCredentialsOnDemandCredentials.apply()OnDemandCredentials.before_request()OnDemandCredentials.expiredOnDemandCredentials.from_service_account_file()OnDemandCredentials.from_service_account_info()OnDemandCredentials.from_signing_credentials()OnDemandCredentials.get_cred_info()OnDemandCredentials.quota_project_idOnDemandCredentials.refresh()OnDemandCredentials.sign_bytes()OnDemandCredentials.signerOnDemandCredentials.signer_emailOnDemandCredentials.token_stateOnDemandCredentials.universe_domainOnDemandCredentials.validOnDemandCredentials.with_claims()OnDemandCredentials.with_quota_project()OnDemandCredentials.expiry
