class ServiceAccountCredentials extends CredentialsLoader implements GetQuotaProjectInterface, SignBlobInterface, ProjectIdProviderInterface (View source)

ServiceAccountCredentials supports authorization using a Google service account.

(cf https://developers.google.com/accounts/docs/OAuth2ServiceAccount)

It's initialized using the json key file that's downloadable from developer console, which should contain a private_key and client_email fields that it uses.

Use it with AuthTokenMiddleware to authorize http requests:

use Google\Auth\Credentials\ServiceAccountCredentials; use Google\Auth\Middleware\AuthTokenMiddleware; use GuzzleHttp\Client; use GuzzleHttp\HandlerStack;

$sa = new ServiceAccountCredentials( 'https://www.googleapis.com/auth/taskqueue', '/path/to/your/json/key_file.json' ); $middleware = new AuthTokenMiddleware($sa); $stack = HandlerStack::create(); $stack->push($middleware);

$client = new Client([ 'handler' => $stack, 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', 'auth' => 'google_auth' // authorize all requests ]);

$res = $client->get('myproject/taskqueues/myqueue');

Traits

Sign a string using a Service Account private key.

Constants

TOKEN_CREDENTIAL_URI

ENV_VAR

WELL_KNOWN_PATH

NON_WINDOWS_WELL_KNOWN_PATH_BASE

Properties

protected OAuth2 $auth The OAuth2 instance used to conduct authorization.
protected string $quotaProject The quota project associated with the JSON credentials
protected $projectId

Methods

static array|null
fromEnv()

Load a JSON key from the path specified in the environment.

static array|null
fromWellKnownFile()

Load a JSON key from a well known path.

makeCredentials(string|array $scope, array $jsonKey, string|array $defaultScope = null)

Create a new Credentials instance.

static Client
makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable $httpHandler = null, callable $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

makeInsecureCredentials()

Create a new instance of InsecureCredentials.

array
getUpdateMetadataFunc() deprecated

export a callback function which updates runtime metadata.

array
updateMetadata(array $metadata, string $authUri = null, callable $httpHandler = null)

Updates metadata with the authorization token.

string
signBlob(string $stringToSign, bool $forceOpenssl = false)

Sign a string using the service account private key.

__construct(string|array $scope, string|array $jsonKey, string $sub = null, string $targetAudience = null)

Create a new ServiceAccountCredentials.

useJwtAccessWithScope()

When called, the ServiceAccountCredentials will use an instance of ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token even when only scopes are supplied. Otherwise, ServiceAccountJwtAccessCredentials is only called when no scopes and an authUrl (audience) is suppled.

array
fetchAuthToken(callable $httpHandler = null)

No description

string
getCacheKey()

No description

null|array
getLastReceivedToken()

No description

string|null
getProjectId(callable $httpHandler = null)

Get the project ID from the service account keyfile.

setSub(string $sub)

No description

string
getClientName(callable $httpHandler = null)

Get the client name from the keyfile.

string|null
getQuotaProject()

Get the quota project used for this API request

Details

static array|null fromEnv()

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

Return Value

array|null JSON key | null

static array|null fromWellKnownFile()

Load a JSON key from a well known path.

The well known path is OS dependent:

  • windows: %APPDATA%/gcloud/application_default_credentials.json
  • others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

Return Value

array|null JSON key | null

static ServiceAccountCredentials|UserRefreshCredentials makeCredentials(string|array $scope, array $jsonKey, string|array $defaultScope = null)

Create a new Credentials instance.

Parameters

string|array $scope the scope of the access request, expressed either as an Array or as a space-delimited String.
array $jsonKey the JSON credentials.
string|array $defaultScope The default scope to use if no user-defined scopes exist, expressed either as an Array or as a space-delimited string.

Return Value

ServiceAccountCredentials|UserRefreshCredentials

static Client makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable $httpHandler = null, callable $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

Parameters

FetchAuthTokenInterface $fetcher is used to fetch the auth token
array $httpClientOptions (optional) Array of request options to apply.
callable $httpHandler (optional) http client to fetch the token.
callable $tokenCallback (optional) function to be called when a new token is fetched.

Return Value

Client

static InsecureCredentials makeInsecureCredentials()

Create a new instance of InsecureCredentials.

Return Value

InsecureCredentials

array getUpdateMetadataFunc() deprecated

deprecated

export a callback function which updates runtime metadata.

Return Value

array updateMetadata function

array updateMetadata(array $metadata, string $authUri = null, callable $httpHandler = null)

Updates metadata with the authorization token.

Parameters

array $metadata metadata hashmap
string $authUri optional auth uri
callable $httpHandler callback which delivers psr7 request

Return Value

array updated metadata hashmap

string signBlob(string $stringToSign, bool $forceOpenssl = false)

Sign a string using the service account private key.

Parameters

string $stringToSign
bool $forceOpenssl Whether to use OpenSSL regardless of whether phpseclib is installed. Defaults to false.

Return Value

string

__construct(string|array $scope, string|array $jsonKey, string $sub = null, string $targetAudience = null)

Create a new ServiceAccountCredentials.

Parameters

string|array $scope the scope of the access request, expressed either as an Array or as a space-delimited String.
string|array $jsonKey JSON credential file path or JSON credentials as an associative array
string $sub an email address account to impersonate, in situations when the service account has been delegated domain wide access.
string $targetAudience The audience for the ID token.

useJwtAccessWithScope()

When called, the ServiceAccountCredentials will use an instance of ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token even when only scopes are supplied. Otherwise, ServiceAccountJwtAccessCredentials is only called when no scopes and an authUrl (audience) is suppled.

array fetchAuthToken(callable $httpHandler = null)

Parameters

callable $httpHandler callback which delivers psr7 request

Return Value

array a hash of auth tokens

string getCacheKey()

Return Value

string a key that may be used to cache the auth token.

null|array getLastReceivedToken()

Return Value

null|array { The last received access token.

string|null getProjectId(callable $httpHandler = null)

Get the project ID from the service account keyfile.

Returns null if the project ID does not exist in the keyfile.

Parameters

callable $httpHandler Callback which delivers psr7 request

Return Value

string|null

setSub(string $sub)

Parameters

string $sub an email address account to impersonate, in situations when the service account has been delegated domain wide access.

string getClientName(callable $httpHandler = null)

Get the client name from the keyfile.

In this case, it returns the keyfile's client_email key.

Parameters

callable $httpHandler callback which delivers psr7 request, if one is required to obtain a client name.

Return Value

string

string|null getQuotaProject()

Get the quota project used for this API request

Return Value

string|null