Module: Google::Auth::ExternalAccount::ExternalAccountUtils

Included in:
AwsCredentials, IdentityPoolCredentials, PluggableAuthCredentials
Defined in:
lib/googleauth/external_account/external_account_utils.rb

Overview

Authenticates requests using External Account credentials, such as those provided by the AWS provider or by an OIDC provider like Azure.

Constant Summary

CLOUD_RESOURCE_MANAGER =
  "https://cloudresourcemanager.googleapis.com/v1/projects/".freeze

Cloud Resource Manager URL used to retrieve project information.

Instance Method Summary

Instance Method Details

#normalize_timestamp(time) ⇒ Object



# File 'lib/googleauth/external_account/external_account_utils.rb', line 77

require "time" # Time.parse is provided by the "time" stdlib extension

# Normalizes a timestamp value: nil stays nil, a Time is returned as-is,
# a String is parsed with Time.parse, and anything else is rejected.
def normalize_timestamp time
  case time
  when NilClass
    nil
  when Time
    time
  when String
    Time.parse time
  else
    raise "Invalid time value #{time}"
  end
end

#project_id ⇒ String?

Retrieves the project ID corresponding to the workload identity pool or workforce pool. For workforce pool credentials, it returns the project ID corresponding to the workforce_pool_user_project. When the project ID cannot be determined, nil is returned.

The caller may not have permission (resourcemanager.projects.get) to call this API, or the required scopes may not have been selected: https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes

Returns:

  • (string, nil)

    The project ID corresponding to the workload identity pool or workforce pool if determinable.



# File 'lib/googleauth/external_account/external_account_utils.rb', line 42

def project_id
  # Memoized: the Resource Manager lookup is only performed once.
  return @project_id unless @project_id.nil?
  project_number = self.project_number || @workforce_pool_user_project

  # If we are missing either the project number or the scope, we won't retrieve the project_id.
  return nil if project_number.nil? || @scope.nil?

  # GET .../v1/projects/<project_number>, authenticated with the current access token.
  url = "#{CLOUD_RESOURCE_MANAGER}#{project_number}"
  response = connection.get url do |req|
    req.headers["Authorization"] = "Bearer #{@access_token}"
    req.headers["Content-Type"] = "application/json"
  end

  # Any non-200 response (e.g. missing permission or scope) leaves @project_id nil.
  if response.status == 200
    response_data = MultiJson.load response.body, symbolize_names: true
    @project_id = response_data[:projectId]
  end

  @project_id
end

#project_number ⇒ String?

Retrieves the project number from the workload identity pool STS audience, which follows the pattern: //iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...

Returns:

  • (string, nil)


# File 'lib/googleauth/external_account/external_account_utils.rb', line 70

def project_number
  # Split the audience into path segments and take the one following "projects".
  segments = @audience.split "/"
  idx = segments.index "projects"
  # No "projects" segment, or nothing after it: the number cannot be determined.
  return nil if idx.nil? || idx + 1 == segments.size
  segments[idx + 1]
end

#service_account_email ⇒ Object



# File 'lib/googleauth/external_account/external_account_utils.rb', line 90

# Extracts the service account email from the impersonation URL, which has the form
#   .../serviceAccounts/<email>:generateAccessToken
def service_account_email
  return nil if @service_account_impersonation_url.nil?
  start_idx = @service_account_impersonation_url.rindex "/"
  end_idx = @service_account_impersonation_url.index ":generateAccessToken"
  # String#rindex / #index return nil (not -1) when the substring is absent.
  if !start_idx.nil? && !end_idx.nil? && start_idx < end_idx
    start_idx += 1
    # Exclusive range so the ":" separator is not included in the email.
    return @service_account_impersonation_url[start_idx...end_idx]
  end
  nil
end
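The following is an added example, not code from the googleauth library: a stand-alone reimplementation of the three lookups documented on this page (audience to project number, impersonation URL to service account email, and the Resource Manager project_id flow), with the edge cases handled explicitly. The module name `ExternalAccountParsingExample`, the `FakeConnection` stand-in for the HTTP connection, and all sample values are constructed for this example; the real library uses its own Faraday connection and MultiJson.

```ruby
require "json"

# Added example (not part of googleauth). Reimplements the parsing helpers
# documented above so their behaviour can be exercised offline.
module ExternalAccountParsingExample
  CLOUD_RESOURCE_MANAGER = "https://cloudresourcemanager.googleapis.com/v1/projects/".freeze

  # Workload identity pool STS audience pattern:
  #   //iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...
  # Returns the segment after "projects", or nil when it is absent or empty.
  def self.project_number_from_audience(audience)
    return nil if audience.nil? || audience.empty?
    segments = audience.split("/")
    idx = segments.index("projects")
    return nil if idx.nil? || idx + 1 >= segments.size
    number = segments[idx + 1]
    number.empty? ? nil : number
  end

  # Extracts the email from an IAM Credentials generateAccessToken URL:
  #   .../serviceAccounts/<email>:generateAccessToken
  # Ruby's String#index / #rindex return nil (not -1) on a miss, so nil checks
  # are used, and the exclusive range ("...") leaves out the ":" separator.
  def self.service_account_email_from_url(url)
    return nil if url.nil?
    start_idx = url.rindex("/")
    end_idx = url.index(":generateAccessToken")
    return nil if start_idx.nil? || end_idx.nil? || start_idx >= end_idx
    email = url[(start_idx + 1)...end_idx]
    email.empty? ? nil : email
  end

  # The project_id flow with the HTTP connection injected: skip the call when
  # the project number or scope is missing, read projectId on a 200 response,
  # and return nil for anything else (e.g. missing permission).
  # `connection` must respond to #get(url, headers) and return an object
  # with #status and #body.
  def self.project_id_via(connection:, project_number:, scope:, access_token:)
    return nil if project_number.nil? || scope.nil?
    headers = { "Authorization" => "Bearer #{access_token}",
                "Content-Type" => "application/json" }
    response = connection.get("#{CLOUD_RESOURCE_MANAGER}#{project_number}", headers)
    return nil unless response.status == 200
    JSON.parse(response.body)["projectId"]
  end

  # Constructed stand-in for the HTTP connection: answers from a fixed
  # project_number => project_id table and returns 404 for anything else.
  FakeResponse = Struct.new(:status, :body)

  class FakeConnection
    def initialize(projects)
      @projects = projects
    end

    def get(url, _headers = {})
      number = url.split("/").last
      name = @projects[number]
      return FakeResponse.new(404, "{}") if name.nil?
      FakeResponse.new(200, JSON.generate("projectId" => name, "projectNumber" => number))
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  audience = "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/pool/providers/aws"
  puts ExternalAccountParsingExample.project_number_from_audience(audience)
  url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@example-project.iam.gserviceaccount.com:generateAccessToken"
  puts ExternalAccountParsingExample.service_account_email_from_url(url)
end
```

The `FakeConnection` only exists so the 200 / non-200 branches can be checked without network access; in the library the same call goes through Faraday with the bearer token from the current exchange.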