1. class
  2. Google
  3. \
  4. Auth
  5. \
  6. Credentials
  7. \
  8. ServiceAccountCredentials

ServiceAccountCredentials

class ServiceAccountCredentials extends CredentialsLoader implements GetQuotaProjectInterface, SignBlobInterface, ProjectIdProviderInterface (View source)

ServiceAccountCredentials supports authorization using a Google service account.

(cf https://developers.google.com/accounts/docs/OAuth2ServiceAccount)

It's initialized using the json key file that's downloadable from developer console, which should contain a private_key and client_email fields that it uses.

Use it with AuthTokenMiddleware to authorize http requests:

use Google\Auth\Credentials\ServiceAccountCredentials; use Google\Auth\Middleware\AuthTokenMiddleware; use GuzzleHttp\Client; use GuzzleHttp\HandlerStack;

$sa = new ServiceAccountCredentials( 'https://www.googleapis.com/auth/taskqueue', '/path/to/your/json/key_file.json' ); $middleware = new AuthTokenMiddleware($sa); $stack = HandlerStack::create(); $stack->push($middleware);

$client = new Client([ 'handler' => $stack, 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', 'auth' => 'google_auth' // authorize all requests ]);

$res = $client->get('myproject/taskqueues/myqueue');

Traits

ServiceAccountSignerTrait
Sign a string using a Service Account private key.

Constants

TOKEN_CREDENTIAL_URI

ENV_VAR

WELL_KNOWN_PATH

NON_WINDOWS_WELL_KNOWN_PATH_BASE

MTLS_WELL_KNOWN_PATH

MTLS_CERT_ENV_VAR

Properties

protected OAuth2 $auth The OAuth2 instance used to conduct authorization.
protected string $quotaProject The quota project associated with the JSON credentials
protected string|null $projectId

Methods

static array|null
fromEnv()

Load a JSON key from the path specified in the environment.

from CredentialsLoader
static array|null
fromWellKnownFile()

Load a JSON key from a well known path.

from CredentialsLoader
static ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials
makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

from CredentialsLoader
static Client
makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable $httpHandler = null, callable $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

from CredentialsLoader
static InsecureCredentials
makeInsecureCredentials()

Create a new instance of InsecureCredentials.

from CredentialsLoader
callable
getUpdateMetadataFunc() deprecated

export a callback function which updates runtime metadata.

from CredentialsLoader
array
updateMetadata(array $metadata, string $authUri = null, callable $httpHandler = null)

Updates metadata with the authorization token.

static callable|null
getDefaultClientCertSource()

Gets a callable which returns the default device certification.

from CredentialsLoader
static bool
shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

from CredentialsLoader
string
signBlob(string $stringToSign, bool $forceOpenssl = false)

Sign a string using the service account private key.

from ServiceAccountSignerTrait
__construct(string|string[]|null $scope, string|array $jsonKey, string $sub = null, string $targetAudience = null)

Create a new ServiceAccountCredentials.

void
useJwtAccessWithScope()

When called, the ServiceAccountCredentials will use an instance of ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token even when only scopes are supplied. Otherwise, ServiceAccountJwtAccessCredentials is only called when no scopes and an authUrl (audience) is suppled.

array
fetchAuthToken(callable $httpHandler = null)

No description

string
getCacheKey()

No description

null|array
getLastReceivedToken()

No description

string|null
getProjectId(callable $httpHandler = null)

Get the project ID from the service account keyfile.

void
setSub(string $sub)

No description

string
getClientName(callable $httpHandler = null)

Get the client name from the keyfile.

string|null
getQuotaProject()

Get the quota project used for this API request

Details

in CredentialsLoader at line 72
static array|null fromEnv()

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

Return Value

array|null JSON key | null

in CredentialsLoader at line 98
static array|null fromWellKnownFile()

Load a JSON key from a well known path.

The well known path is OS dependent:

  • windows: %APPDATA%/gcloud/application_default_credentials.json
  • others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

Return Value

array|null JSON key | null

in CredentialsLoader at line 126
static ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

Parameters

string|string[] $scope the scope of the access request, expressed either as an Array or as a space-delimited String.
array $jsonKey the JSON credentials.
string|string[] $defaultScope The default scope to use if no user-defined scopes exist, expressed either as an Array or as a space-delimited string.

Return Value

ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials

in CredentialsLoader at line 162
static Client makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable $httpHandler = null, callable $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

Parameters

FetchAuthTokenInterface $fetcher is used to fetch the auth token
array $httpClientOptions (optional) Array of request options to apply.
callable $httpHandler (optional) http client to fetch the token.
callable $tokenCallback (optional) function to be called when a new token is fetched.

Return Value

Client

in CredentialsLoader at line 187
static InsecureCredentials makeInsecureCredentials()

Create a new instance of InsecureCredentials.

Return Value

InsecureCredentials

in CredentialsLoader at line 198
callable getUpdateMetadataFunc() deprecated

deprecated

export a callback function which updates runtime metadata.

Return Value

callable updateMetadata function

at line 254
array updateMetadata(array $metadata, string $authUri = null, callable $httpHandler = null)

Updates metadata with the authorization token.

Parameters

array $metadata metadata hashmap
string $authUri optional auth uri
callable $httpHandler callback which delivers psr7 request

Return Value

array updated metadata hashmap

in CredentialsLoader at line 236
static callable|null getDefaultClientCertSource()

Gets a callable which returns the default device certification.

Return Value

callable|null

Exceptions

UnexpectedValueException

in CredentialsLoader at line 261
static bool shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

Return Value

bool

in ServiceAccountSignerTrait at line 35
string signBlob(string $stringToSign, bool $forceOpenssl = false)

Sign a string using the service account private key.

Parameters

string $stringToSign
bool $forceOpenssl Whether to use OpenSSL regardless of whether phpseclib is installed. Defaults to false.

Return Value

string

at line 113
__construct(string|string[]|null $scope, string|array $jsonKey, string $sub = null, string $targetAudience = null)

Create a new ServiceAccountCredentials.

Parameters

string|string[]|null $scope the scope of the access request, expressed either as an Array or as a space-delimited String.
string|array $jsonKey JSON credential file path or JSON credentials as an associative array
string $sub an email address account to impersonate, in situations when the service account has been delegated domain wide access.
string $targetAudience The audience for the ID token.

at line 175
void useJwtAccessWithScope()

When called, the ServiceAccountCredentials will use an instance of ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token even when only scopes are supplied. Otherwise, ServiceAccountJwtAccessCredentials is only called when no scopes and an authUrl (audience) is suppled.

Return Value

void

at line 191
array fetchAuthToken(callable $httpHandler = null)

Parameters

callable $httpHandler callback which delivers psr7 request

Return Value

array a hash of auth tokens

at line 211
string getCacheKey()

Return Value

string a key that may be used to cache the auth token.

at line 224
null|array getLastReceivedToken()

Return Value

null|array { The last received access token.

@type string $access_token The access token string.
@type int $expires_at The time the token expires as a UNIX timestamp.

}

at line 241
string|null getProjectId(callable $httpHandler = null)

Get the project ID from the service account keyfile.

Returns null if the project ID does not exist in the keyfile.

Parameters

callable $httpHandler Callback which delivers psr7 request

Return Value

string|null

at line 305
void setSub(string $sub)

Parameters

string $sub an email address account to impersonate, in situations when the service account has been delegated domain wide access.

Return Value

void

at line 318
string getClientName(callable $httpHandler = null)

Get the client name from the keyfile.

In this case, it returns the keyfile's client_email key.

Parameters

callable $httpHandler callback which delivers psr7 request, if one is required to obtain a client name.

Return Value

string

at line 328
string|null getQuotaProject()

Get the quota project used for this API request

Return Value

string|null