class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements SignBlobInterface (View source)

Traits

Constants

TOKEN_CREDENTIAL_URI

ENV_VAR

WELL_KNOWN_PATH

NON_WINDOWS_WELL_KNOWN_PATH_BASE

MTLS_WELL_KNOWN_PATH

MTLS_CERT_ENV_VAR

Properties

protected string $impersonatedServiceAccountName
protected UserRefreshCredentials $sourceCredentials

Methods

static array|null
fromEnv()

Load a JSON key from the path specified in the environment.

static array|null
fromWellKnownFile()

Load a JSON key from a well known path.

makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

static Client
makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable $httpHandler = null, callable $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

makeInsecureCredentials()

Create a new instance of InsecureCredentials.

callable
getUpdateMetadataFunc() deprecated

export a callback function which updates runtime metadata.

array
updateMetadata(array $metadata, string $authUri = null, callable $httpHandler = null)

Updates metadata with the authorization token.

static callable|null
getDefaultClientCertSource()

Gets a callable which returns the default device certification.

static bool
shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

string
signBlob(string $stringToSign, bool $forceOpenSsl = false, string $accessToken = null)

Sign a string using the default service account private key.

__construct(string|string[] $scope, string|array $jsonKey)

Instantiate an instance of ImpersonatedServiceAccountCredentials from a credentials file that has be created with the --impersonated-service-account flag.

string
getClientName(callable $unusedHttpHandler = null)

Get the client name from the keyfile

array
fetchAuthToken(callable $httpHandler = null)

No description

string
getCacheKey()

No description

null|array
getLastReceivedToken()

No description

Details

static array|null fromEnv()

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

Return Value

array|null

JSON key | null

static array|null fromWellKnownFile()

Load a JSON key from a well known path.

The well known path is OS dependent:

  • windows: %APPDATA%/gcloud/application_default_credentials.json
  • others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

Return Value

array|null

JSON key | null

static ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

Parameters

string|string[] $scope

the scope of the access request, expressed either as an Array or as a space-delimited String.

array $jsonKey

the JSON credentials.

string|string[] $defaultScope

The default scope to use if no user-defined scopes exist, expressed either as an Array or as a space-delimited string.

Return Value

ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials

static Client makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable $httpHandler = null, callable $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

Parameters

FetchAuthTokenInterface $fetcher

is used to fetch the auth token

array $httpClientOptions

(optional) Array of request options to apply.

callable $httpHandler

(optional) http client to fetch the token.

callable $tokenCallback

(optional) function to be called when a new token is fetched.

Return Value

Client

static InsecureCredentials makeInsecureCredentials()

Create a new instance of InsecureCredentials.

Return Value

InsecureCredentials

callable getUpdateMetadataFunc() deprecated

deprecated

export a callback function which updates runtime metadata.

Return Value

callable

updateMetadata function

array updateMetadata(array $metadata, string $authUri = null, callable $httpHandler = null)

Updates metadata with the authorization token.

Parameters

array $metadata

metadata hashmap

string $authUri

optional auth uri

callable $httpHandler

callback which delivers psr7 request

Return Value

array

updated metadata hashmap

static callable|null getDefaultClientCertSource()

Gets a callable which returns the default device certification.

Return Value

callable|null

Exceptions

UnexpectedValueException

static bool shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

Return Value

bool

string signBlob(string $stringToSign, bool $forceOpenSsl = false, string $accessToken = null)

Sign a string using the default service account private key.

This implementation uses IAM's signBlob API.

Parameters

string $stringToSign

The string to sign.

bool $forceOpenSsl

[optional] Does not apply to this credentials type.

string $accessToken

The access token to use to sign the blob. If provided, saves a call to the metadata server for a new access token. Defaults to null.

Return Value

string

Exceptions

Exception

See also

https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlob SignBlob

__construct(string|string[] $scope, string|array $jsonKey)

Instantiate an instance of ImpersonatedServiceAccountCredentials from a credentials file that has be created with the --impersonated-service-account flag.

Parameters

string|string[] $scope

the scope of the access request, expressed either as an Array or as a space-delimited String.

string|array $jsonKey

JSON credential file path or JSON credentials as an associative array

string getClientName(callable $unusedHttpHandler = null)

Get the client name from the keyfile

In this implementation, it will return the issuers email from the oauth token.

Parameters

callable $unusedHttpHandler

not used by this credentials type.

Return Value

string

array fetchAuthToken(callable $httpHandler = null)

No description

Parameters

callable $httpHandler

callback which delivers psr7 request

Return Value

array

a hash of auth tokens

string getCacheKey()

No description

Return Value

string

a key that may be used to cache the auth token.

null|array getLastReceivedToken()

No description

Return Value

null|array

{ The last received access token.

@type string $access_token The access token string.
@type int $expires_at The time the token expires as a UNIX timestamp.

}