google.auth.compute_engine package

Google Compute Engine authentication.

class Credentials(service_account_email='default', quota_project_id=None, scopes=None, default_scopes=None)[source]

Bases: google.auth.credentials.Scoped, google.auth.credentials.CredentialsWithQuotaProject

Compute Engine Credentials.

These credentials use the Google Compute Engine metadata server to obtain OAuth 2.0 access tokens associated with the instance’s service account, and are also used for Cloud Run, Flex and App Engine (except for the Python 2.7 runtime, which is supported only on older versions of this library).

For more information about Compute Engine authentication, including how to configure scopes, see the Compute Engine authentication documentation.

Note

On Compute Engine the metadata server ignores requested scopes. On Cloud Run, Flex and App Engine the server honours requested scopes.

Parameters
  • service_account_email (str) – The service account email to use, or ‘default’. A Compute Engine instance may have multiple service accounts.

  • quota_project_id (Optional [ str ]) – The project ID used for quota and billing.

  • scopes (Optional [ Sequence [ str ] ]) – The list of scopes for the credentials.

  • default_scopes (Optional [ Sequence [ str ] ]) – Default scopes passed by a Google client library. Use ‘scopes’ for user-defined scopes.

refresh(request)[source]

Refresh the access token and scopes.

Parameters

request (google.auth.transport.Request) – The object used to make HTTP requests.

Raises

google.auth.exceptions.RefreshError – If the Compute Engine metadata service can’t be reached if if the instance has not credentials.

property service_account_email

The service account email.

Note

This is not guaranteed to be set until refresh() has been called.

property requires_scopes

True if these credentials require scopes to obtain an access token.

with_quota_project(quota_project_id)[source]

Returns a copy of these credentials with a modified quota project.

Parameters

quota_project_id (str) – The project to use for quota and billing purposes

Returns

A new credentials instance.

Return type

google.oauth2.credentials.Credentials

with_scopes(scopes, default_scopes=None)[source]

Create a copy of these credentials with the specified scopes.

Parameters

scopes (Sequence [ str ]) – The list of scopes to attach to the current credentials.

Raises

NotImplementedError – If the credentials’ scopes can not be changed. This can be avoided by checking requires_scopes before calling this method.

apply(headers, token=None)[source]

Apply the token to the authentication header.

Parameters
  • headers (Mapping) – The HTTP request headers.

  • token (Optional [ str ]) – If specified, overrides the current access token.

before_request(request, method, url, headers)[source]

Performs credential-specific before request logic.

Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.

Parameters
  • request (google.auth.transport.Request) – The object used to make HTTP requests.

  • method (str) – The request’s HTTP method or the RPC method being invoked.

  • url (str) – The request’s URI or the RPC service’s URI.

  • headers (Mapping) – The request’s headers.

property default_scopes

the credentials’ current set of default scopes.

Type

Sequence [ str ]

property expired

Checks if the credentials are expired.

Note that credentials can be invalid but not expired because Credentials with expiry set to None is considered to never expire.

has_scopes(scopes)

Checks if the credentials have the given scopes.

Parameters

scopes (Sequence [ str ]) – The list of scopes to check.

Returns

True if the credentials have the given scopes.

Return type

bool

property quota_project_id

Project to use for quota and billing purposes.

property scopes

the credentials’ current set of scopes.

Type

Sequence [ str ]

property valid

Checks the validity of the credentials.

This is True if the credentials have a token and the token is not expired.

token

The bearer token that can be used in HTTP headers to make authenticated requests.

Type

str

expiry

When the token expires and is no longer valid. If this is None, the token is assumed to never expire.

Type

Optional [ datetime ]

class IDTokenCredentials(request, target_audience, token_uri=None, additional_claims=None, service_account_email=None, signer=None, use_metadata_identity_endpoint=False, quota_project_id=None)[source]

Bases: google.auth.credentials.CredentialsWithQuotaProject, google.auth.credentials.Signing

Open ID Connect ID Token-based service account credentials.

These credentials relies on the default service account of a GCE instance.

ID token can be requested from GCE metadata server identity endpoint, IAM token endpoint or other token endpoints you specify. If metadata server identity endpoint is not used, the GCE instance must have been started with a service account that has access to the IAM Cloud API.

Parameters
  • request (google.auth.transport.Request) – The object used to make HTTP requests.

  • target_audience (str) – The intended audience for these credentials, used when requesting the ID Token. The ID Token’s aud claim will be set to this string.

  • token_uri (str) – The OAuth 2.0 Token URI.

  • additional_claims (Mapping [ str, str ]) – Any additional claims for the JWT assertion used in the authorization grant.

  • service_account_email (str) – Optional explicit service account to use to sign JWT tokens. By default, this is the default GCE service account.

  • signer (google.auth.crypt.Signer) – The signer used to sign JWTs. In case the signer is specified, the request argument will be ignored.

  • use_metadata_identity_endpoint (bool) – Whether to use GCE metadata identity endpoint. For backward compatibility the default value is False. If set to True, token_uri, additional_claims, service_account_email, signer argument should not be set; otherwise ValueError will be raised.

  • quota_project_id (Optional [ str ]) – The project ID used for quota and billing.

Raises

ValueError – If use_metadata_identity_endpoint is set to True, and one of token_uri, additional_claims, service_account_email, signer arguments is set.

with_target_audience(target_audience)[source]

Create a copy of these credentials with the specified target audience. :param target_audience: The intended audience for these credentials, :type target_audience: str :param used when requesting the ID Token.:

Returns

A new credentials

instance.

Return type

google.auth.service_account.IDTokenCredentials

with_quota_project(quota_project_id)[source]

Returns a copy of these credentials with a modified quota project.

Parameters

quota_project_id (str) – The project to use for quota and billing purposes

Returns

A new credentials instance.

Return type

google.oauth2.credentials.Credentials

apply(headers, token=None)

Apply the token to the authentication header.

Parameters
  • headers (Mapping) – The HTTP request headers.

  • token (Optional [ str ]) – If specified, overrides the current access token.

before_request(request, method, url, headers)

Performs credential-specific before request logic.

Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.

Parameters
  • request (google.auth.transport.Request) – The object used to make HTTP requests.

  • method (str) – The request’s HTTP method or the RPC method being invoked.

  • url (str) – The request’s URI or the RPC service’s URI.

  • headers (Mapping) – The request’s headers.

property expired

Checks if the credentials are expired.

Note that credentials can be invalid but not expired because Credentials with expiry set to None is considered to never expire.

property quota_project_id

Project to use for quota and billing purposes.

refresh(request)[source]

Refreshes the ID token.

Parameters

request (google.auth.transport.Request) – The object used to make HTTP requests.

Raises
property valid

Checks the validity of the credentials.

This is True if the credentials have a token and the token is not expired.

token

The bearer token that can be used in HTTP headers to make authenticated requests.

Type

str

expiry

When the token expires and is no longer valid. If this is None, the token is assumed to never expire.

Type

Optional [ datetime ]

property signer

The signer used to sign bytes.

Type

google.auth.crypt.Signer

sign_bytes(message)[source]

Signs the given message.

Parameters

message (bytes) – The message to sign.

Returns

The message’s cryptographic signature.

Return type

bytes

Raises

ValueError – Signer is not available if metadata identity endpoint is used.

property service_account_email

The service account email.

property signer_email

An email address that identifies the signer.

Type

Optional [ str ]

Submodules