class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements SignBlobInterface (View source)

Traits

Provides shared methods for updating request metadata (request headers).

Trait containing helper methods required for enabling observability metrics in the library.

Constants

TOKEN_CREDENTIAL_URI

ENV_VAR

QUOTA_PROJECT_ENV_VAR

WELL_KNOWN_PATH

NON_WINDOWS_WELL_KNOWN_PATH_BASE

MTLS_WELL_KNOWN_PATH

MTLS_CERT_ENV_VAR

private CRED_TYPE

Properties

static protected string $metricMetadataKey from  MetricsTrait
protected string $impersonatedServiceAccountName
protected UserRefreshCredentials $sourceCredentials

Methods

static string
getMetricsHeader(string $credType = '', string $authRequestType = '')

No description

array
applyServiceApiUsageMetrics(array $metadata)

No description

array
applyTokenEndpointMetrics(array $metadata, string $authRequestType)

No description

static string
getVersion()

No description

string
getCredType()

No description

callable
getUpdateMetadataFunc() deprecated

export a callback function which updates runtime metadata.

array
updateMetadata(array $metadata, string $authUri = null, callable|null $httpHandler = null)

Updates metadata with the authorization token.

static array|null
fromEnv()

Load a JSON key from the path specified in the environment.

static array|null
fromWellKnownFile()

Load a JSON key from a well known path.

makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

static Client
makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable|null $httpHandler = null, callable|null $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

makeInsecureCredentials()

Create a new instance of InsecureCredentials.

static string|null
quotaProjectFromEnv()

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

static callable|null
getDefaultClientCertSource()

Gets a callable which returns the default device certification.

static bool
shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

string
getUniverseDomain()

Get the universe domain from the credential. Defaults to "googleapis.com" for all credential types which do not support universe domain.

string
signBlob(string $stringToSign, bool $forceOpenSsl = false, string $accessToken = null)

Sign a string using the default service account private key.

__construct(string|string[] $scope, string|array $jsonKey)

Instantiate an instance of ImpersonatedServiceAccountCredentials from a credentials file that has be created with the --impersonated-service-account flag.

string
getClientName(callable|null $unusedHttpHandler = null)

Get the client name from the keyfile

array
fetchAuthToken(callable|null $httpHandler = null)

No description

string
getCacheKey()

Returns the Cache Key for the credentials The cache key is the same as the UserRefreshCredentials class

null|array
getLastReceivedToken()

No description

Details

static protected string getMetricsHeader(string $credType = '', string $authRequestType = '')

No description

Parameters

string $credType

[Optional] The credential type. Empty value will not add any credential type to the header. Should be one of 'sa', 'jwt', 'imp', 'mds', 'u'.

string $authRequestType

[Optional] The auth request type. Empty value will not add any auth request type to the header. Should be one of 'at', 'it', 'mds'.

Return Value

string

The header value for the observability metrics.

protected array applyServiceApiUsageMetrics(array $metadata)

No description

Parameters

array $metadata

The metadata to update and return.

Return Value

array

The updated metadata.

protected array applyTokenEndpointMetrics(array $metadata, string $authRequestType)

No description

Parameters

array $metadata

The metadata to update and return.

string $authRequestType

The auth request type. Possible values are 'at', 'it', 'mds'.

Return Value

array

The updated metadata.

static protected string getVersion()

No description

Return Value

string

protected string getCredType()

No description

Return Value

string

callable getUpdateMetadataFunc() deprecated

deprecated

export a callback function which updates runtime metadata.

Return Value

callable

updateMetadata function

array updateMetadata(array $metadata, string $authUri = null, callable|null $httpHandler = null)

Updates metadata with the authorization token.

Parameters

array $metadata

metadata hashmap

string $authUri

optional auth uri

callable|null $httpHandler

callback which delivers psr7 request

Return Value

array

updated metadata hashmap

static array|null fromEnv()

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

Return Value

array|null

JSON key | null

static array|null fromWellKnownFile()

Load a JSON key from a well known path.

The well known path is OS dependent:

  • windows: %APPDATA%/gcloud/application_default_credentials.json
  • others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

Return Value

array|null

JSON key | null

static ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials|ExternalAccountCredentials makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

Parameters

string|string[] $scope

the scope of the access request, expressed either as an Array or as a space-delimited String.

array $jsonKey

the JSON credentials.

string|string[] $defaultScope

The default scope to use if no user-defined scopes exist, expressed either as an Array or as a space-delimited string.

Return Value

ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials|ExternalAccountCredentials

static Client makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable|null $httpHandler = null, callable|null $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

Parameters

FetchAuthTokenInterface $fetcher

is used to fetch the auth token

array $httpClientOptions

(optional) Array of request options to apply.

callable|null $httpHandler

(optional) http client to fetch the token.

callable|null $tokenCallback

(optional) function to be called when a new token is fetched.

Return Value

Client

static InsecureCredentials makeInsecureCredentials()

Create a new instance of InsecureCredentials.

Return Value

InsecureCredentials

static string|null quotaProjectFromEnv()

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

Return Value

string|null

static callable|null getDefaultClientCertSource()

Gets a callable which returns the default device certification.

Return Value

callable|null

Exceptions

UnexpectedValueException

static bool shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

Return Value

bool

string getUniverseDomain()

Get the universe domain from the credential. Defaults to "googleapis.com" for all credential types which do not support universe domain.

Return Value

string

string signBlob(string $stringToSign, bool $forceOpenSsl = false, string $accessToken = null)

Sign a string using the default service account private key.

This implementation uses IAM's signBlob API.

Parameters

string $stringToSign

The string to sign.

bool $forceOpenSsl

[optional] Does not apply to this credentials type.

string $accessToken

The access token to use to sign the blob. If provided, saves a call to the metadata server for a new access token. Defaults to null.

Return Value

string

Exceptions

Exception

See also

https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlob SignBlob

__construct(string|string[] $scope, string|array $jsonKey)

Instantiate an instance of ImpersonatedServiceAccountCredentials from a credentials file that has be created with the --impersonated-service-account flag.

Parameters

string|string[] $scope

The scope of the access request, expressed either as an array or as a space-delimited string.

string|array $jsonKey

JSON credential file path or JSON credentials as an associative array.

string getClientName(callable|null $unusedHttpHandler = null)

Get the client name from the keyfile

In this implementation, it will return the issuers email from the oauth token.

Parameters

callable|null $unusedHttpHandler

not used by this credentials type.

Return Value

string

array fetchAuthToken(callable|null $httpHandler = null)

No description

Parameters

callable|null $httpHandler

callback which delivers psr7 request

Return Value

array

a hash of auth tokens

string getCacheKey()

Returns the Cache Key for the credentials The cache key is the same as the UserRefreshCredentials class

Return Value

string

a key that may be used to cache the auth token.

null|array getLastReceivedToken()

No description

Return Value

null|array

{ The last received access token.

@type string $access_token The access token string.
@type int $expires_at The time the token expires as a UNIX timestamp.

}