google.auth.compute_engine package¶
Google Compute Engine authentication.
-
class
Credentials
(service_account_email='default')[source]¶ Bases:
google.auth.credentials.ReadOnlyScoped
,google.auth.credentials.Credentials
Compute Engine Credentials.
These credentials use the Google Compute Engine metadata server to obtain OAuth 2.0 access tokens associated with the instance’s service account.
For more information about Compute Engine authentication, including how to configure scopes, see the Compute Engine authentication documentation.
Note
Compute Engine instances can be created with scopes and therefore these credentials are considered to be ‘scoped’. However, you can not use
with_scopes()
because it is not possible to change the scopes that the instance has. Also note thathas_scopes()
will not work until the credentials have been refreshed.- Parameters
service_account_email (str) – The service account email to use, or ‘default’. A Compute Engine instance may have multiple service accounts.
-
refresh
(request)[source]¶ Refresh the access token and scopes.
- Parameters
request (google.auth.transport.Request) – The object used to make HTTP requests.
- Raises
google.auth.exceptions.RefreshError – If the Compute Engine metadata service can’t be reached if if the instance has not credentials.
-
property
service_account_email
¶ The service account email.
-
property
requires_scopes
¶ Compute Engine credentials can not be scoped.
- Type
False
-
before_request
(request, method, url, headers)[source]¶ Performs credential-specific before request logic.
Refreshes the credentials if necessary, then calls
apply()
to apply the token to the authentication header.- Parameters
request (google.auth.transport.Request) – The object used to make HTTP requests.
method (str) – The request’s HTTP method or the RPC method being invoked.
url (str) – The request’s URI or the RPC service’s URI.
headers (Mapping) – The request’s headers.
-
property
expired
¶ Checks if the credentials are expired.
Note that credentials can be invalid but not expired because Credentials with
expiry
set to None is considered to never expire.
-
has_scopes
(scopes)¶ Checks if the credentials have the given scopes.
-
class
IDTokenCredentials
(request, target_audience, token_uri='https://www.googleapis.com/oauth2/v4/token', additional_claims=None, service_account_email=None)[source]¶ Bases:
google.auth.credentials.Credentials
,google.auth.credentials.Signing
Open ID Connect ID Token-based service account credentials.
These credentials relies on the default service account of a GCE instance.
In order for this to work, the GCE instance must have been started with a service account that has access to the IAM Cloud API.
- Parameters
request (google.auth.transport.Request) – The object used to make HTTP requests.
target_audience (str) – The intended audience for these credentials, used when requesting the ID Token. The ID Token’s
aud
claim will be set to this string.token_uri (str) – The OAuth 2.0 Token URI.
additional_claims (
Mapping
[str
,str
]) –Any
additional claims for the JWT assertion used in the authorization grant.service_account_email (str) – Optional explicit service account to use to sign JWT tokens. By default, this is the default GCE service account.
-
with_target_audience
(target_audience)[source]¶ Create a copy of these credentials with the specified target audience. :param target_audience: The intended audience for these credentials, :type target_audience: str :param used when requesting the ID Token.:
- Returns
- A new credentials
instance.
- Return type
google.auth.service_account.IDTokenCredentials
-
refresh
(request)[source]¶ Refreshes the access token.
- Parameters
request (google.auth.transport.Request) – The object used to make HTTP requests.
- Raises
google.auth.exceptions.RefreshError – If the credentials could not be refreshed.
-
property
signer
¶ The signer used to sign bytes.
-
property
service_account_email
¶ The service account email.
-
apply
(headers, token=None)¶ Apply the token to the authentication header.
-
before_request
(request, method, url, headers)¶ Performs credential-specific before request logic.
Refreshes the credentials if necessary, then calls
apply()
to apply the token to the authentication header.- Parameters
request (google.auth.transport.Request) – The object used to make HTTP requests.
method (str) – The request’s HTTP method or the RPC method being invoked.
url (str) – The request’s URI or the RPC service’s URI.
headers (Mapping) – The request’s headers.
-
property
expired
¶ Checks if the credentials are expired.
Note that credentials can be invalid but not expired because Credentials with
expiry
set to None is considered to never expire.