Module: Google::Auth::ExternalAccount::BaseCredentials

Includes:
BaseClient, Helpers::Connection
Included in:
AwsCredentials, IdentityPoolCredentials, PluggableAuthCredentials
Defined in:
lib/googleauth/external_account/base_credentials.rb

Overview

Authenticates requests using external account credentials, such as those issued by AWS or by an OIDC provider such as Azure.

Constant Summary

EXTERNAL_ACCOUNT_JSON_TYPE =

External account JSON type identifier.

"external_account".freeze
STS_GRANT_TYPE =

The token exchange grant_type used for exchanging credentials.

"urn:ietf:params:oauth:grant-type:token-exchange".freeze
STS_REQUESTED_TOKEN_TYPE =

The token exchange requested_token_type. This is always an access_token.

"urn:ietf:params:oauth:token-type:access_token".freeze
IAM_SCOPE =

The default IAM scope.

["https://www.googleapis.com/auth/iam".freeze].freeze

Constants included from BaseClient

BaseClient::AUTH_METADATA_KEY

Instance Attribute Summary

Instance Method Summary

Methods included from Helpers::Connection

connection

Methods included from BaseClient

#apply, #apply!, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc

Instance Attribute Details

#access_token ⇒ Object

Returns the value of attribute access_token.



# File 'lib/googleauth/external_account/base_credentials.rb', line 44

# Reader for the access token currently held by these credentials.
#
# Within this file the value is written by #fetch_access_token! through the
# access_token= writer (not shown here), using either the STS exchange
# response or the service account impersonation response.
#
# The value is a bearer credential: keep it out of logs, exception messages
# and debug/inspect output.
#
# @return [Object, nil] the stored token, or nil when none has been assigned
def access_token
  @access_token
end

#expires_at ⇒ Object

Returns the value of attribute expires_at.



# File 'lib/googleauth/external_account/base_credentials.rb', line 43

# Reader for the expiry recorded for the current access token.
#
# Within this file the value is written by #fetch_access_token! through the
# expires_at= writer (not shown here): either Time.now.utc plus the
# "expires_in" seconds of the STS response, or the "expireTime" field of the
# impersonation response.
# NOTE(review): whether the writer normalises "expireTime" into a Time cannot
# be seen from this page — confirm before doing arithmetic on the result.
#
# @return [Object, nil] the stored expiry, or nil when none has been assigned
def expires_at
  @expires_at
end

#universe_domain ⇒ Object

Returns the value of attribute universe_domain.



# File 'lib/googleauth/external_account/base_credentials.rb', line 45

# Reader for the universe domain configured on these credentials.
#
# Where and how @universe_domain is assigned is not shown on this page.
#
# @return [Object, nil] the stored universe domain, or nil when unset
def universe_domain
  @universe_domain
end

Instance Method Details

#expires_within?(seconds) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/googleauth/external_account/base_credentials.rb', line 47

# Reports whether the stored expiry falls inside the next +seconds+ seconds.
# BaseClient needs this method to exist on the including class.
#
# When no expiry is recorded the result is the falsy stored value (nil), so a
# token of unknown lifetime is reported as "not about to expire". Callers
# that must fail closed should check #expires_at themselves.
#
# NOTE(review): the subtraction assumes @expires_at behaves like a Time; the
# writer that stores it is not shown on this page — confirm.
#
# @param seconds [Numeric] look-ahead window, in seconds
# @return [Boolean, nil] true when the token has expired or expires inside
#   the window, false when it outlives the window, nil when no expiry is set
def expires_within? seconds
  deadline = @expires_at
  return deadline unless deadline

  remaining = deadline - Time.now.utc
  remaining < seconds
end

#fetch_access_token!(_options = {}) ⇒ Object



# File 'lib/googleauth/external_account/base_credentials.rb', line 56

# Obtains a fresh access token, stores it together with its expiry, and then
# notifies the refresh listeners. BaseClient needs this method to exist on
# the including class.
#
# The token returned by exchange_token is used directly unless
# @service_account_impersonation_url is set; in that case it is only passed
# to get_impersonated_access_token and the impersonated token is stored
# instead.
#
# NOTE(review): this method does not check either response for a missing
# token, so a response without "access_token" / "accessToken" stores nil.
# A missing "expires_in" becomes 0 via nil.to_i, which makes the stored
# expiry "now". Whether the helpers validate their responses is not visible
# on this page — confirm.
#
# @param _options [Hash] accepted for interface compatibility; unused here
# @return [Object] whatever notify_refresh_listeners returns
def fetch_access_token! _options = {}
  sts_response = exchange_token

  if @service_account_impersonation_url
    # Swap the STS token for a service account token; the impersonation
    # response carries its own expiry field, stored as returned.
    impersonated = get_impersonated_access_token sts_response["access_token"]
    new_expiry = impersonated["expireTime"]
    new_token = impersonated["accessToken"]
  else
    # "expires_in" is a lifetime in seconds; turn it into an absolute UTC time.
    new_expiry = Time.now.utc + sts_response["expires_in"].to_i
    new_token = sts_response["access_token"]
  end

  # Same writer order as before: expiry first, then the token.
  self.expires_at = new_expiry
  self.access_token = new_token

  notify_refresh_listeners
end

#is_workforce_pool? ⇒ bool

Returns whether the credentials represent a workforce pool (True) or workload (False) based on the credentials' audience.

Returns:

  • (bool)

    true if the credentials represent a workforce pool. false if they represent a workload.



# File 'lib/googleauth/external_account/base_credentials.rb', line 88

# Tells workforce pool credentials apart from workload credentials by
# pattern-matching the configured audience.
#
# A missing audience is treated as the empty string and yields false.
#
# NOTE(review): the pattern has no \A anchor, so it matches anywhere inside
# the audience, not only at its start. If the audience can come from a
# configuration file that is not fully trusted, confirm this looseness is
# intended before relying on the result for an authorization decision.
#
# @return [Boolean] true when the audience names a workforce pool
def is_workforce_pool?
  workforce_pattern = %r{/iam\.googleapis\.com/locations/[^/]+/workforcePools/}
  candidate = @audience || ""
  workforce_pattern.match? candidate
end

#retrieve_subject_token! ⇒ string

Retrieves the subject token using the credential_source object.

Returns:

  • (string)

    The retrieved subject token.

Raises:

  • (NotImplementedError)


# File 'lib/googleauth/external_account/base_credentials.rb', line 78

# Placeholder for retrieving the subject token from the credential source.
# This base version always raises; the including classes are expected to
# supply their own implementation.
#
# NotImplementedError descends from ScriptError rather than StandardError,
# so a bare `rescue` will not catch it — a missing override surfaces instead
# of being silently swallowed.
#
# @return [String] never returns from this base version
# @raise [NotImplementedError] always
def retrieve_subject_token!
  raise NotImplementedError
end