google.auth.iam module

Tools for using the Google Cloud Identity and Access Management (IAM) API’s auth-related functionality.

class Signer(request, credentials, service_account_email)

Bases: Signer

Signs messages using the IAM signBlob API.

This is useful when you need to sign bytes but do not have access to the credential’s private key file.

Parameters:

• request (google.auth.transport.Request) – The object used to make HTTP requests.

• credentials (google.auth.credentials.Credentials) –

  The credentials that will be used to authenticate the request to the IAM API. The credentials must have of one the following scopes:

  • https://www.googleapis.com/auth/iam

  • https://www.googleapis.com/auth/cloud-platform

• service_account_email (str) – The service account email identifying which service account to use to sign bytes. Often, this can be the same as the service account email in the given credentials.

property key_id

The key ID used to identify this private key.

Warning

This is always None. The key ID used by IAM can not be reliably determined ahead of time.

Type:

Optional [ str ]

sign(message)

Signs a message.

Parameters:

message (Union [ str, bytes ]) – The message to be signed.

Returns:

The signature of the message.

Return type:

bytes