1. class
  2. Google
  3. \
  4. Auth
  5. \
  6. Credentials
  7. \
  8. ImpersonatedServiceAccountCredentials

ImpersonatedServiceAccountCredentials

class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements SignBlobInterface (View source)

Traits

IamSignerTrait

Constants

TOKEN_CREDENTIAL_URI

ENV_VAR

WELL_KNOWN_PATH

NON_WINDOWS_WELL_KNOWN_PATH_BASE

MTLS_WELL_KNOWN_PATH

MTLS_CERT_ENV_VAR

Properties

protected string $impersonatedServiceAccountName
protected UserRefreshCredentials $sourceCredentials

Methods

static array|null
fromEnv()

Load a JSON key from the path specified in the environment.

from CredentialsLoader
static array|null
fromWellKnownFile()

Load a JSON key from a well known path.

from CredentialsLoader
static ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials
makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

from CredentialsLoader
static Client
makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable $httpHandler = null, callable $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

from CredentialsLoader
static InsecureCredentials
makeInsecureCredentials()

Create a new instance of InsecureCredentials.

from CredentialsLoader
callable
getUpdateMetadataFunc() deprecated

export a callback function which updates runtime metadata.

from CredentialsLoader
array
updateMetadata(array $metadata, string $authUri = null, callable $httpHandler = null)

Updates metadata with the authorization token.

from CredentialsLoader
static callable|null
getDefaultClientCertSource()

Gets a callable which returns the default device certification.

from CredentialsLoader
static bool
shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

from CredentialsLoader
string
signBlob(string $stringToSign, bool $forceOpenSsl = false, string $accessToken = null)

Sign a string using the default service account private key.

from IamSignerTrait
__construct(string|string[] $scope, string|array $jsonKey)

Instantiate an instance of ImpersonatedServiceAccountCredentials from a credentials file that has be created with the --impersonated-service-account flag.

string
getClientName(callable $unusedHttpHandler = null)

Get the client name from the keyfile

array
fetchAuthToken(callable $httpHandler = null)

No description

string
getCacheKey()

No description

null|array
getLastReceivedToken()

No description

Details

in CredentialsLoader at line 72
static array|null fromEnv()

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

Return Value

array|null JSON key | null

in CredentialsLoader at line 98
static array|null fromWellKnownFile()

Load a JSON key from a well known path.

The well known path is OS dependent:

  • windows: %APPDATA%/gcloud/application_default_credentials.json
  • others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

Return Value

array|null JSON key | null

in CredentialsLoader at line 126
static ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

Parameters

string|string[] $scope the scope of the access request, expressed either as an Array or as a space-delimited String.
array $jsonKey the JSON credentials.
string|string[] $defaultScope The default scope to use if no user-defined scopes exist, expressed either as an Array or as a space-delimited string.

Return Value

ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials

in CredentialsLoader at line 162
static Client makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable $httpHandler = null, callable $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

Parameters

FetchAuthTokenInterface $fetcher is used to fetch the auth token
array $httpClientOptions (optional) Array of request options to apply.
callable $httpHandler (optional) http client to fetch the token.
callable $tokenCallback (optional) function to be called when a new token is fetched.

Return Value

Client

in CredentialsLoader at line 187
static InsecureCredentials makeInsecureCredentials()

Create a new instance of InsecureCredentials.

Return Value

InsecureCredentials

in CredentialsLoader at line 198
callable getUpdateMetadataFunc() deprecated

deprecated

export a callback function which updates runtime metadata.

Return Value

callable updateMetadata function

in CredentialsLoader at line 211
array updateMetadata(array $metadata, string $authUri = null, callable $httpHandler = null)

Updates metadata with the authorization token.

Parameters

array $metadata metadata hashmap
string $authUri optional auth uri
callable $httpHandler callback which delivers psr7 request

Return Value

array updated metadata hashmap

in CredentialsLoader at line 236
static callable|null getDefaultClientCertSource()

Gets a callable which returns the default device certification.

Return Value

callable|null

Exceptions

UnexpectedValueException

in CredentialsLoader at line 261
static bool shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

Return Value

bool

in IamSignerTrait at line 48
string signBlob(string $stringToSign, bool $forceOpenSsl = false, string $accessToken = null)

Sign a string using the default service account private key.

This implementation uses IAM's signBlob API.

Parameters

string $stringToSign The string to sign.
bool $forceOpenSsl [optional] Does not apply to this credentials type.
string $accessToken The access token to use to sign the blob. If provided, saves a call to the metadata server for a new access token. Defaults to null.

Return Value

string

Exceptions

Exception

See also

https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlob SignBlob

at line 48
__construct(string|string[] $scope, string|array $jsonKey)

Instantiate an instance of ImpersonatedServiceAccountCredentials from a credentials file that has be created with the --impersonated-service-account flag.

Parameters

string|string[] $scope the scope of the access request, expressed either as an Array or as a space-delimited String.
string|array $jsonKey JSON credential file path or JSON credentials as an associative array

at line 94
string getClientName(callable $unusedHttpHandler = null)

Get the client name from the keyfile

In this implementation, it will return the issuers email from the oauth token.

Parameters

callable $unusedHttpHandler callback which delivers psr7 request, if one is required to obtain a client name.

Return Value

string

at line 112
array fetchAuthToken(callable $httpHandler = null)

Parameters

callable $httpHandler callback which delivers psr7 request

Return Value

array a hash of auth tokens

at line 120
string getCacheKey()

Return Value

string a key that may be used to cache the auth token.

at line 128
null|array getLastReceivedToken()

Return Value

null|array { The last received access token.

@type string $access_token The access token string.
@type int $expires_at The time the token expires as a UNIX timestamp.

}