Class ComputeCredential
Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved.
More details about Compute Engine authentication are available at: https://cloud.google.com/compute/docs/authentication.
Implements
Inherited Members
Namespace: Google.Apis.Auth.OAuth2
Assembly: Google.Apis.Auth.dll
Syntax
public class ComputeCredential : ServiceCredential, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IHttpExecuteInterceptor, IBlobSigner
Constructors
ComputeCredential()
Constructs a new Compute credential instance.
Declaration
public ComputeCredential()
ComputeCredential(Initializer)
Constructs a new Compute credential instance.
Declaration
public ComputeCredential(ComputeCredential.Initializer initializer)
Parameters
Type | Name | Description |
---|---|---|
ComputeCredential.Initializer | initializer |
Fields
MetadataServerUrl
The metadata server URL. This can be overridden (for the purposes of Compute environment detection and auth token retrieval) using the GCE_METADATA_HOST environment variable.
Declaration
public const string MetadataServerUrl = "http://169.254.169.254"
Field Value
Type | Description |
---|---|
string |
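Because the metadata endpoint is plain HTTP and can be redirected through GCE_METADATA_HOST, a startup check on that variable is a useful guard before any token is requested. The following is an added example, not code from the library: `MetadataHostGuard`, its allow-list and the "host or host:port without a scheme" format of the variable are assumptions.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;

public static class MetadataHostGuard
{
    // Assumption: the hosts this deployment accepts as the metadata server.
    private static readonly string[] AllowedHosts =
    {
        new Uri(ComputeCredential.MetadataServerUrl).Host, // host part of the documented default
        "metadata.google.internal",
    };

    // Returns true when GCE_METADATA_HOST is unset or names an allowed host.
    public static bool IsOverrideAcceptable(string overrideValue)
    {
        if (string.IsNullOrWhiteSpace(overrideValue)) return true;
        // Assumption: the variable holds "host" or "host:port" without a scheme.
        if (!Uri.TryCreate("http://" + overrideValue.Trim(), UriKind.Absolute, out Uri parsed))
            return false;
        // Reject values that smuggle in a path, query, fragment or user-info part.
        bool bareAuthority = parsed.PathAndQuery == "/"
            && parsed.UserInfo.Length == 0
            && parsed.Fragment.Length == 0;
        return bareAuthority
            && AllowedHosts.Contains(parsed.Host, StringComparer.OrdinalIgnoreCase);
    }

    // Builds a credential only after the override check and environment detection pass.
    public static async Task<ComputeCredential> CreateCredentialAsync()
    {
        string overrideValue = Environment.GetEnvironmentVariable("GCE_METADATA_HOST");
        if (!IsOverrideAcceptable(overrideValue))
            throw new InvalidOperationException(
                "GCE_METADATA_HOST names an unexpected host; refusing to request tokens from it.");
        if (!await ComputeCredential.IsRunningOnComputeEngine().ConfigureAwait(false))
            throw new InvalidOperationException("No Compute Engine metadata server is reachable.");
        return new ComputeCredential();
    }
}
```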
Properties
OidcTokenUrl
Gets the OIDC Token URL.
Declaration
public string OidcTokenUrl { get; }
Property Value
Type | Description |
---|---|
string |
Methods
GetDefaultServiceAccountEmailAsync(CancellationToken)
Returns a task whose result, when completed, is the default service account email associated with this Compute credential.
Declaration
public Task<string> GetDefaultServiceAccountEmailAsync(CancellationToken cancellationToken = default)
Parameters
Type | Name | Description |
---|---|---|
CancellationToken | cancellationToken |
Returns
Type | Description |
---|---|
Task<string> |
Remarks
This value is cached, because changing the default service account associated with a Compute VM requires the machine to be turned off. This means that the operation is only asynchronous the first time it is called.
Note that if an exception is thrown when fetching this value, the exception is cached and will be rethrown by the task returned by any future call to this method. If that happens, you can create a new ComputeCredential instance so that fetching the default service account email is re-attempted.
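Since a failed lookup stays cached on the instance that made it, a retry has to use a fresh ComputeCredential each time. The following is an added example, not code from the library: `ServiceAccountEmailResolver`, the attempt count and the back-off delay are assumptions.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;

public static class ServiceAccountEmailResolver
{
    // Hypothetical helper: returns the credential that succeeded together with its email,
    // so the caller keeps using the instance whose cached value is good.
    public static async Task<(ComputeCredential Credential, string Email)> ResolveAsync(
        int maxAttempts = 3, CancellationToken cancellationToken = default)
    {
        if (maxAttempts < 1) throw new ArgumentOutOfRangeException(nameof(maxAttempts));

        for (int attempt = 1; ; attempt++)
        {
            // New instance per attempt: retrying on the old one would only
            // rethrow the exception it has already cached.
            var credential = new ComputeCredential();
            try
            {
                string email = await credential
                    .GetDefaultServiceAccountEmailAsync(cancellationToken)
                    .ConfigureAwait(false);
                return (credential, email);
            }
            catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
            {
                throw; // The caller asked to stop; do not retry.
            }
            catch (Exception) when (attempt < maxAttempts)
            {
                // Simple linear back-off before the next attempt (assumed policy).
                await Task.Delay(TimeSpan.FromSeconds(attempt), cancellationToken)
                    .ConfigureAwait(false);
            }
            // On the last attempt the filter above is false and the exception propagates.
        }
    }
}
```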
GetOidcTokenAsync(OidcTokenOptions, CancellationToken)
Returns an OIDC token for the given options.
Declaration
public Task<OidcToken> GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = default)
Parameters
Type | Name | Description |
---|---|---|
OidcTokenOptions | options | The options to create the token from. |
CancellationToken | cancellationToken | The cancellation token that may be used to cancel the request. |
Returns
Type | Description |
---|---|
Task<OidcToken> | The OIDC token. |
IsRunningOnComputeEngine()
Detects whether the application is running on Google Compute Engine. This is achieved by attempting to contact the GCE metadata server, which is only available on GCE. The check is only performed the first time you call this method; subsequent invocations use the cached result of the first call.
Declaration
public static Task<bool> IsRunningOnComputeEngine()
Returns
Type | Description |
---|---|
Task<bool> |
RequestAccessTokenAsync(CancellationToken)
Requests a new token.
Declaration
public override Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)
Parameters
Type | Name | Description |
---|---|---|
CancellationToken | taskCancellationToken | Cancellation token to cancel operation. |
Returns
Type | Description |
---|---|
Task<bool> |
Overrides
SignBlobAsync(byte[], CancellationToken)
Signs the provided blob using the private key associated with the service account this ComputeCredential represents.
Declaration
public Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default)
Parameters
Type | Name | Description |
---|---|---|
byte[] | blob | The blob to sign. |
CancellationToken | cancellationToken | Cancellation token to cancel the operation. |
Returns
Type | Description |
---|---|
Task<string> | The base64 encoded signature. |
Remarks
The private key associated with the Compute service account is not known locally by a ComputeCredential. Signing happens by executing a request to the IAM Credentials API, which increases latency and counts towards IAM Credentials API quotas. Additionally, the first time a ComputeCredential is used to sign data, a request to the metadata server is made to obtain the email of the default Compute service account.
Exceptions
Type | Condition |
---|---|
HttpRequestException | When the signing request fails. |
JsonException | When the signing response is not valid JSON. |
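Because every signature is a remote call, callers usually want a bounded wait and a clear mapping of the two documented failures. The following is an added example, not code from the library: `ComputeBlobSigner` and its timeout handling are assumptions, as is the choice of Newtonsoft.Json's JsonException for the type listed above.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;
using Newtonsoft.Json; // Assumption: the JsonException listed above is Newtonsoft.Json's.

public static class ComputeBlobSigner
{
    // Hypothetical helper: signs `blob` once, bounded by `timeout`, and returns the raw
    // signature bytes. Pass the same credential on every call so the service account
    // email lookup made on first use is not repeated.
    public static async Task<byte[]> SignAsync(
        ComputeCredential credential, byte[] blob, TimeSpan timeout,
        CancellationToken cancellationToken = default)
    {
        using var cts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
        cts.CancelAfter(timeout);
        try
        {
            // SignBlobAsync returns the signature base64 encoded.
            string base64 = await credential.SignBlobAsync(blob, cts.Token).ConfigureAwait(false);
            return Convert.FromBase64String(base64);
        }
        catch (OperationCanceledException) when (!cancellationToken.IsCancellationRequested)
        {
            // Our own timeout fired, not the caller's token.
            throw new TimeoutException($"Signing did not complete within {timeout}.");
        }
        catch (HttpRequestException e)
        {
            throw new InvalidOperationException("The IAM Credentials signing request failed.", e);
        }
        catch (JsonException e)
        {
            throw new InvalidOperationException("The signing response was not valid JSON.", e);
        }
    }
}
```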