google.auth package¶
Google Auth Library for Python.
- default(scopes=None, request=None, quota_project_id=None, default_scopes=None)[source]¶
Gets the default credentials for the current environment.
Application Default Credentials provides an easy way to obtain credentials to call Google APIs for server-to-server or local applications. This function acquires credentials from the environment in the following order:
If the environment variable
GOOGLE_APPLICATION_CREDENTIALS
is set to the path of a valid service account JSON private key file, then it is loaded and returned. The project ID returned is the project ID defined in the service account file if available (some older files do not contain project ID information).If the environment variable is set to the path of a valid external account JSON configuration file (workload identity federation), then the configuration file is used to determine and retrieve the external credentials from the current environment (AWS, Azure, etc). These will then be exchanged for Google access tokens via the Google STS endpoint. The project ID returned in this case is the one corresponding to the underlying workload identity pool resource if determinable.
If the environment variable is set to the path of a valid GDCH service account JSON file (Google Distributed Cloud Hosted), then a GDCH credential will be returned. The project ID returned is the project specified in the JSON file.
If the Google Cloud SDK is installed and has application default credentials set they are loaded and returned.
To enable application default credentials with the Cloud SDK run:
gcloud auth application-default login
If the Cloud SDK has an active project, the project ID is returned. The active project can be set using:
gcloud config set project
If the application is running in the App Engine standard environment (first generation) then the credentials and project ID from the App Identity Service are used.
If the application is running in Compute Engine or Cloud Run or the App Engine flexible environment or the App Engine standard environment (second generation) then the credentials and project ID are obtained from the Metadata Service.
If no credentials are found,
DefaultCredentialsError
will be raised.
Example:
import google.auth credentials, project_id = google.auth.default()
- Parameters:
scopes (
Sequence
str
) – The list of scopes for the credentials. If specified, the credentials will automatically be scoped if necessary.request (
Optional
google.auth.transport.Request
) – An object used to make HTTP requests. This is used to either detect whether the application is running on Compute Engine or to determine the associated project ID for a workload identity pool resource (external account credentials). If not specified, then it will either use the standard library http client to make requests for Compute Engine credentials or a google.auth.transport.requests.Request client for external account credentials.quota_project_id (
Optional
str
) – The project ID used for quota and billing.default_scopes (
Optional
Sequence
str
) – Default scopes passed by a Google client library. Use ‘scopes’ for user-defined scopes.
- Returns:
the current environment’s credentials and project ID. Project ID may be None, which indicates that the Project ID could not be ascertained from the environment.
- Return type:
- Raises:
DefaultCredentialsError – If no credentials were found, or if the credentials found were invalid.
- load_credentials_from_file(filename, scopes=None, default_scopes=None, quota_project_id=None, request=None)[source]¶
Loads Google credentials from a file.
The credentials file must be a service account key, stored authorized user credentials, external account credentials, or impersonated service account credentials.
- Parameters:
filename (str) – The full path to the credentials file.
scopes (
Optional
Sequence
str
) – The list of scopes for the credentials. If specified, the credentials will automatically be scoped if necessarydefault_scopes (
Optional
Sequence
str
) – Default scopes passed by a Google client library. Use ‘scopes’ for user-defined scopes.quota_project_id (
Optional
str
) – The project ID used for quota and billing.request (
Optional
google.auth.transport.Request
) – An object used to make HTTP requests. This is used to determine the associated project ID for a workload identity pool resource (external account credentials). If not specified, then it will use a google.auth.transport.requests.Request client to make requests.
- Returns:
- Loaded
credentials and the project ID. Authorized user credentials do not have the project ID information. External account credentials project IDs may not always be determined.
- Return type:
- Raises:
google.auth.exceptions.DefaultCredentialsError – if the file is in the wrong format or is missing.
Subpackages¶
- google.auth.compute_engine package
Credentials
Credentials.refresh()
Credentials.service_account_email
Credentials.requires_scopes
Credentials.with_quota_project()
Credentials.with_scopes()
Credentials.apply()
Credentials.before_request()
Credentials.default_scopes
Credentials.expired
Credentials.has_scopes()
Credentials.quota_project_id
Credentials.scopes
Credentials.valid
Credentials.token
Credentials.expiry
IDTokenCredentials
IDTokenCredentials.with_target_audience()
IDTokenCredentials.with_quota_project()
IDTokenCredentials.with_token_uri()
IDTokenCredentials.apply()
IDTokenCredentials.before_request()
IDTokenCredentials.expired
IDTokenCredentials.quota_project_id
IDTokenCredentials.refresh()
IDTokenCredentials.valid
IDTokenCredentials.token
IDTokenCredentials.expiry
IDTokenCredentials.signer
IDTokenCredentials.sign_bytes()
IDTokenCredentials.service_account_email
IDTokenCredentials.signer_email
- Submodules
- google.auth.crypt package
- google.auth.transport package
DEFAULT_RETRYABLE_STATUS_CODES
DEFAULT_REFRESH_STATUS_CODES
DEFAULT_MAX_REFRESH_ATTEMPTS
Response
Request
- Submodules
Submodules¶
- google.auth.app_engine module
Signer
get_project_id()
Credentials
Credentials.refresh()
Credentials.service_account_email
Credentials.requires_scopes
Credentials.with_scopes()
Credentials.with_quota_project()
Credentials.sign_bytes()
Credentials.signer_email
Credentials.signer
Credentials.apply()
Credentials.before_request()
Credentials.default_scopes
Credentials.expired
Credentials.has_scopes()
Credentials.quota_project_id
Credentials.scopes
Credentials.valid
Credentials.token
Credentials.expiry
- google.auth.aws module
RequestSigner
Credentials
Credentials.retrieve_subject_token()
Credentials.from_info()
Credentials.from_file()
Credentials.apply()
Credentials.before_request()
Credentials.default_scopes
Credentials.expired
Credentials.get_project_id()
Credentials.has_scopes()
Credentials.info
Credentials.is_user
Credentials.is_workforce_pool
Credentials.project_number
Credentials.quota_project_id
Credentials.refresh()
Credentials.requires_scopes
Credentials.scopes
Credentials.service_account_email
Credentials.token_info_url
Credentials.valid
Credentials.with_quota_project()
Credentials.with_scopes()
Credentials.with_token_uri()
Credentials.token
Credentials.expiry
- google.auth.credentials module
Credentials
CredentialsWithQuotaProject
CredentialsWithQuotaProject.with_quota_project()
CredentialsWithQuotaProject.apply()
CredentialsWithQuotaProject.before_request()
CredentialsWithQuotaProject.expired
CredentialsWithQuotaProject.quota_project_id
CredentialsWithQuotaProject.refresh()
CredentialsWithQuotaProject.valid
CredentialsWithQuotaProject.token
CredentialsWithQuotaProject.expiry
CredentialsWithTokenUri
CredentialsWithTokenUri.with_token_uri()
CredentialsWithTokenUri.apply()
CredentialsWithTokenUri.before_request()
CredentialsWithTokenUri.expired
CredentialsWithTokenUri.quota_project_id
CredentialsWithTokenUri.refresh()
CredentialsWithTokenUri.valid
CredentialsWithTokenUri.token
CredentialsWithTokenUri.expiry
AnonymousCredentials
ReadOnlyScoped
Scoped
with_scopes_if_required()
Signing
- google.auth.credentials_async module
Credentials
CredentialsWithQuotaProject
CredentialsWithQuotaProject.apply()
CredentialsWithQuotaProject.before_request()
CredentialsWithQuotaProject.expired
CredentialsWithQuotaProject.quota_project_id
CredentialsWithQuotaProject.refresh()
CredentialsWithQuotaProject.valid
CredentialsWithQuotaProject.with_quota_project()
CredentialsWithQuotaProject.token
CredentialsWithQuotaProject.expiry
AnonymousCredentials
ReadOnlyScoped
Scoped
with_scopes_if_required()
Signing
- google.auth.downscoped module
- google.auth.environment_vars module
- google.auth.exceptions module
- google.auth.external_account module
Credentials
Credentials.info
Credentials.service_account_email
Credentials.is_user
Credentials.is_workforce_pool
Credentials.requires_scopes
Credentials.project_number
Credentials.token_info_url
Credentials.with_scopes()
Credentials.retrieve_subject_token()
Credentials.get_project_id()
Credentials.refresh()
Credentials.with_quota_project()
Credentials.with_token_uri()
Credentials.apply()
Credentials.before_request()
Credentials.default_scopes
Credentials.expired
Credentials.from_info()
Credentials.has_scopes()
Credentials.quota_project_id
Credentials.scopes
Credentials.valid
Credentials.token
Credentials.expiry
Credentials.from_file()
- google.auth.iam module
- google.auth.identity_pool module
Credentials
Credentials.retrieve_subject_token()
Credentials.apply()
Credentials.before_request()
Credentials.default_scopes
Credentials.expired
Credentials.get_project_id()
Credentials.has_scopes()
Credentials.info
Credentials.is_user
Credentials.is_workforce_pool
Credentials.project_number
Credentials.quota_project_id
Credentials.refresh()
Credentials.requires_scopes
Credentials.scopes
Credentials.service_account_email
Credentials.token_info_url
Credentials.valid
Credentials.with_quota_project()
Credentials.with_scopes()
Credentials.with_token_uri()
Credentials.token
Credentials.expiry
Credentials.from_info()
Credentials.from_file()
- google.auth.impersonated_credentials module
Credentials
Credentials.token
Credentials.expiry
Credentials.refresh()
Credentials.sign_bytes()
Credentials.signer_email
Credentials.signer
Credentials.requires_scopes
Credentials.with_quota_project()
Credentials.with_scopes()
Credentials.apply()
Credentials.before_request()
Credentials.default_scopes
Credentials.expired
Credentials.has_scopes()
Credentials.quota_project_id
Credentials.scopes
Credentials.valid
IDTokenCredentials
- google.auth.jwt module
encode()
decode_header()
decode()
Credentials
Credentials.from_service_account_info()
Credentials.from_service_account_file()
Credentials.from_signing_credentials()
Credentials.with_claims()
Credentials.with_quota_project()
Credentials.refresh()
Credentials.sign_bytes()
Credentials.signer_email
Credentials.signer
Credentials.additional_claims
Credentials.apply()
Credentials.before_request()
Credentials.expired
Credentials.quota_project_id
Credentials.valid
Credentials.token
Credentials.expiry
OnDemandCredentials
OnDemandCredentials.from_service_account_info()
OnDemandCredentials.from_service_account_file()
OnDemandCredentials.from_signing_credentials()
OnDemandCredentials.with_claims()
OnDemandCredentials.with_quota_project()
OnDemandCredentials.valid
OnDemandCredentials.refresh()
OnDemandCredentials.before_request()
OnDemandCredentials.sign_bytes()
OnDemandCredentials.signer_email
OnDemandCredentials.signer
OnDemandCredentials.apply()
OnDemandCredentials.expired
OnDemandCredentials.quota_project_id
OnDemandCredentials.token
OnDemandCredentials.expiry
- google.auth.jwt_async module
encode()
decode()
Credentials
Credentials.additional_claims
Credentials.apply()
Credentials.before_request()
Credentials.expired
Credentials.from_service_account_file()
Credentials.from_service_account_info()
Credentials.from_signing_credentials()
Credentials.quota_project_id
Credentials.refresh()
Credentials.sign_bytes()
Credentials.signer
Credentials.signer_email
Credentials.valid
Credentials.with_claims()
Credentials.with_quota_project()
Credentials.token
Credentials.expiry
OnDemandCredentials
OnDemandCredentials.apply()
OnDemandCredentials.before_request()
OnDemandCredentials.expired
OnDemandCredentials.from_service_account_file()
OnDemandCredentials.from_service_account_info()
OnDemandCredentials.from_signing_credentials()
OnDemandCredentials.quota_project_id
OnDemandCredentials.refresh()
OnDemandCredentials.sign_bytes()
OnDemandCredentials.signer
OnDemandCredentials.signer_email
OnDemandCredentials.valid
OnDemandCredentials.with_claims()
OnDemandCredentials.with_quota_project()
OnDemandCredentials.token
OnDemandCredentials.expiry