google.auth.app_engine module

Google App Engine standard environment support.

This module provides authentication and signing for applications running on App Engine in the standard environment using the App Identity API.

class Signer[source]

Bases: google.auth.crypt.base.Signer

Signs messages using the App Engine App Identity service.

This can be used in place of google.auth.crypt.Signer when running in the App Engine standard environment.

property key_id

The key ID used to identify this private key.

Warning

This is always None. The key ID used by App Engine can not be reliably determined ahead of time.

Type

Optional [ str ]

sign(message)[source]

Signs a message.

Parameters

message (Union [ str, bytes ]) – The message to be signed.

Returns

The signature of the message.

Return type

bytes

get_project_id()[source]

Gets the project ID for the current App Engine application.

Returns

The project ID

Return type

str

Raises

EnvironmentError – If the App Engine APIs are unavailable.

class Credentials(scopes=None, default_scopes=None, service_account_id=None, quota_project_id=None)[source]

Bases: google.auth.credentials.Scoped, google.auth.credentials.Signing, google.auth.credentials.CredentialsWithQuotaProject

App Engine standard environment credentials.

These credentials use the App Engine App Identity API to obtain access tokens.

Parameters
  • scopes (Sequence [ str ]) – Scopes to request from the App Identity API.

  • default_scopes (Sequence [ str ]) – Default scopes passed by a Google client library. Use ‘scopes’ for user-defined scopes.

  • service_account_id (str) – The service account ID passed into google.appengine.api.app_identity.get_access_token(). If not specified, the default application service account ID will be used.

  • quota_project_id (Optional [ str ]) – The project ID used for quota and billing.

Raises

EnvironmentError – If the App Engine APIs are unavailable.

refresh(request)[source]

Refreshes the access token.

Parameters

request (google.auth.transport.Request) – The object used to make HTTP requests.

Raises

google.auth.exceptions.RefreshError – If the credentials could not be refreshed.

property service_account_email

The service account email.

property requires_scopes

Checks if the credentials requires scopes.

Returns

True if there are no scopes set otherwise False.

Return type

bool

with_scopes(scopes, default_scopes=None)[source]

Create a copy of these credentials with the specified scopes.

Parameters

scopes (Sequence [ str ]) – The list of scopes to attach to the current credentials.

Raises

NotImplementedError – If the credentials’ scopes can not be changed. This can be avoided by checking requires_scopes before calling this method.

with_quota_project(quota_project_id)[source]

Returns a copy of these credentials with a modified quota project.

Parameters

quota_project_id (str) – The project to use for quota and billing purposes

Returns

A new credentials instance.

Return type

google.oauth2.credentials.Credentials

sign_bytes(message)[source]

Signs the given message.

Parameters

message (bytes) – The message to sign.

Returns

The message’s cryptographic signature.

Return type

bytes

property signer_email

An email address that identifies the signer.

Type

Optional [ str ]

property signer

The signer used to sign bytes.

Type

google.auth.crypt.Signer

apply(headers, token=None)[source]

Apply the token to the authentication header.

Parameters
  • headers (Mapping) – The HTTP request headers.

  • token (Optional [ str ]) – If specified, overrides the current access token.

before_request(request, method, url, headers)[source]

Performs credential-specific before request logic.

Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.

Parameters
  • request (google.auth.transport.Request) – The object used to make HTTP requests.

  • method (str) – The request’s HTTP method or the RPC method being invoked.

  • url (str) – The request’s URI or the RPC service’s URI.

  • headers (Mapping) – The request’s headers.

property default_scopes

the credentials’ current set of default scopes.

Type

Sequence [ str ]

property expired

Checks if the credentials are expired.

Note that credentials can be invalid but not expired because Credentials with expiry set to None is considered to never expire.

has_scopes(scopes)

Checks if the credentials have the given scopes.

Parameters

scopes (Sequence [ str ]) – The list of scopes to check.

Returns

True if the credentials have the given scopes.

Return type

bool

property quota_project_id

Project to use for quota and billing purposes.

property scopes

the credentials’ current set of scopes.

Type

Sequence [ str ]

property valid

Checks the validity of the credentials.

This is True if the credentials have a token and the token is not expired.

token

The bearer token that can be used in HTTP headers to make authenticated requests.

Type

str

expiry

When the token expires and is no longer valid. If this is None, the token is assumed to never expire.

Type

Optional [ datetime ]