google.auth.compute_engine.credentials module¶
Google Compute Engine credentials.
This module provides authentication for an application running on Google Compute Engine using the Compute Engine metadata server.
- class Credentials(service_account_email='default', quota_project_id=None, scopes=None, default_scopes=None, universe_domain=None)[source]¶
Bases:
Scoped
,CredentialsWithQuotaProject
,CredentialsWithUniverseDomain
Compute Engine Credentials.
These credentials use the Google Compute Engine metadata server to obtain OAuth 2.0 access tokens associated with the instance’s service account, and are also used for Cloud Run, Flex and App Engine (except for the Python 2.7 runtime, which is supported only on older versions of this library).
For more information about Compute Engine authentication, including how to configure scopes, see the Compute Engine authentication documentation.
Note
On Compute Engine the metadata server ignores requested scopes. On Cloud Run, Flex and App Engine the server honours requested scopes.
- Parameters:
service_account_email (str) – The service account email to use, or ‘default’. A Compute Engine instance may have multiple service accounts.
quota_project_id (
Optional
str
) – The project ID used for quota and billing.scopes (
Optional
Sequence
str
) – The list of scopes for the credentials.default_scopes (
Optional
Sequence
str
) – Default scopes passed by a Google client library. Use ‘scopes’ for user-defined scopes.universe_domain (
Optional
str
) – The universe domain. If not provided or None, credential will attempt to fetch the value from metadata server. If metadata server doesn’t have universe domain endpoint, then the default googleapis.com will be used.
- refresh(request)[source]¶
Refresh the access token and scopes.
- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
- Raises:
google.auth.exceptions.RefreshError – If the Compute Engine metadata service can’t be reached if if the instance has not credentials.
- property service_account_email¶
The service account email.
Note
This is not guaranteed to be set until
refresh()
has been called.
- property requires_scopes¶
True if these credentials require scopes to obtain an access token.
- property universe_domain¶
The universe domain value.
- with_quota_project(quota_project_id)[source]¶
Returns a copy of these credentials with a modified quota project.
- Parameters:
quota_project_id (str) – The project to use for quota and billing purposes
- Returns:
A new credentials instance.
- Return type:
- with_scopes(scopes, default_scopes=None)[source]¶
Create a copy of these credentials with the specified scopes.
- Parameters:
scopes (
Sequence
str
) – The list of scopes to attach to the current credentials.- Raises:
NotImplementedError – If the credentials’ scopes can not be changed. This can be avoided by checking
requires_scopes
before calling this method.
- with_universe_domain(universe_domain)[source]¶
Returns a copy of these credentials with a modified universe domain.
- Parameters:
universe_domain (str) – The universe domain to use
- Returns:
A new credentials instance.
- Return type:
- before_request(request, method, url, headers)[source]¶
Performs credential-specific before request logic.
Refreshes the credentials if necessary, then calls
apply()
to apply the token to the authentication header.- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
method (str) – The request’s HTTP method or the RPC method being invoked.
url (str) – The request’s URI or the RPC service’s URI.
headers (Mapping) – The request’s headers.
- property expired¶
Checks if the credentials are expired.
Note that credentials can be invalid but not expired because Credentials with
expiry
set to None is considered to never expire.Deprecated since version v2.24.0: Prefer checking
token_state
instead.
- has_scopes(scopes)¶
Checks if the credentials have the given scopes.
- property quota_project_id¶
Project to use for quota and billing purposes.
- property token_state¶
See :obj:`TokenState
- property valid¶
Checks the validity of the credentials.
This is True if the credentials have a
token
and the token is notexpired
.Deprecated since version v2.24.0: Prefer checking
token_state
instead.
- class IDTokenCredentials(request, target_audience, token_uri=None, additional_claims=None, service_account_email=None, signer=None, use_metadata_identity_endpoint=False, quota_project_id=None)[source]¶
Bases:
CredentialsWithQuotaProject
,Signing
,CredentialsWithTokenUri
Open ID Connect ID Token-based service account credentials.
These credentials relies on the default service account of a GCE instance.
ID token can be requested from GCE metadata server identity endpoint, IAM token endpoint or other token endpoints you specify. If metadata server identity endpoint is not used, the GCE instance must have been started with a service account that has access to the IAM Cloud API.
- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
target_audience (str) – The intended audience for these credentials, used when requesting the ID Token. The ID Token’s
aud
claim will be set to this string.token_uri (str) – The OAuth 2.0 Token URI.
additional_claims (
Mapping
str
,str
) –Any
additional claims for the JWT assertion used in the authorization grant.service_account_email (str) – Optional explicit service account to use to sign JWT tokens. By default, this is the default GCE service account.
signer (google.auth.crypt.Signer) – The signer used to sign JWTs. In case the signer is specified, the request argument will be ignored.
use_metadata_identity_endpoint (bool) – Whether to use GCE metadata identity endpoint. For backward compatibility the default value is False. If set to True,
token_uri
,additional_claims
,service_account_email
,signer
argument should not be set; otherwise ValueError will be raised.quota_project_id (
Optional
str
) – The project ID used for quota and billing.
- Raises:
ValueError – If
use_metadata_identity_endpoint
is set to True, and one oftoken_uri
,additional_claims
,service_account_email
,signer
arguments is set.
- with_target_audience(target_audience)[source]¶
Create a copy of these credentials with the specified target audience. :param target_audience: The intended audience for these credentials, :type target_audience: str :param used when requesting the ID Token.:
- Returns:
- A new credentials
instance.
- Return type:
google.auth.service_account.IDTokenCredentials
- with_quota_project(quota_project_id)[source]¶
Returns a copy of these credentials with a modified quota project.
- Parameters:
quota_project_id (str) – The project to use for quota and billing purposes
- Returns:
A new credentials instance.
- Return type:
- with_token_uri(token_uri)[source]¶
Returns a copy of these credentials with a modified token uri.
- Parameters:
token_uri (str) – The uri to use for fetching/exchanging tokens
- Returns:
A new credentials instance.
- Return type:
- apply(headers, token=None)¶
Apply the token to the authentication header.
- before_request(request, method, url, headers)¶
Performs credential-specific before request logic.
Refreshes the credentials if necessary, then calls
apply()
to apply the token to the authentication header.- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
method (str) – The request’s HTTP method or the RPC method being invoked.
url (str) – The request’s URI or the RPC service’s URI.
headers (Mapping) – The request’s headers.
- property expired¶
Checks if the credentials are expired.
Note that credentials can be invalid but not expired because Credentials with
expiry
set to None is considered to never expire.Deprecated since version v2.24.0: Prefer checking
token_state
instead.
- property quota_project_id¶
Project to use for quota and billing purposes.
- property token_state¶
See :obj:`TokenState
- property universe_domain¶
The universe domain value.
- property valid¶
Checks the validity of the credentials.
This is True if the credentials have a
token
and the token is notexpired
.Deprecated since version v2.24.0: Prefer checking
token_state
instead.
- expiry¶
When the token expires and is no longer valid. If this is None, the token is assumed to never expire.
- refresh(request)[source]¶
Refreshes the ID token.
- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
- Raises:
google.auth.exceptions.RefreshError – If the credentials could not be refreshed.
ValueError – If extracting expiry from the obtained ID token fails.
- property signer¶
The signer used to sign bytes.
- Type:
- sign_bytes(message)[source]¶
Signs the given message.
- Parameters:
message (bytes) – The message to sign.
- Returns:
The message’s cryptographic signature.
- Return type:
- Raises:
ValueError – Signer is not available if metadata identity endpoint is used.
- property service_account_email¶
The service account email.