ServiceAccountCredentials
class ServiceAccountCredentials extends CredentialsLoader implements GetQuotaProjectInterface, SignBlobInterface, ProjectIdProviderInterface (View source)
ServiceAccountCredentials supports authorization using a Google service account.
(cf https://developers.google.com/accounts/docs/OAuth2ServiceAccount)
It's initialized using the json key file that's downloadable from developer console, which should contain a private_key and client_email fields that it uses.
Use it with AuthTokenMiddleware to authorize http requests:
use Google\Auth\Credentials\ServiceAccountCredentials; use Google\Auth\Middleware\AuthTokenMiddleware; use GuzzleHttp\Client; use GuzzleHttp\HandlerStack;
$sa = new ServiceAccountCredentials( 'https://www.googleapis.com/auth/taskqueue', '/path/to/your/json/key_file.json' ); $middleware = new AuthTokenMiddleware($sa); $stack = HandlerStack::create(); $stack->push($middleware);
$client = new Client([ 'handler' => $stack, 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', 'auth' => 'google_auth' // authorize all requests ]);
$res = $client->get('myproject/taskqueues/myqueue');
Traits
Sign a string using a Service Account private key.
Provides shared methods for updating request metadata (request headers).
Trait containing helper methods required for enabling observability metrics in the library.
Constants
| TOKEN_CREDENTIAL_URI |
|
| ENV_VAR |
|
| QUOTA_PROJECT_ENV_VAR |
|
| WELL_KNOWN_PATH |
|
| NON_WINDOWS_WELL_KNOWN_PATH_BASE |
|
| MTLS_WELL_KNOWN_PATH |
|
| MTLS_CERT_ENV_VAR |
|
| private CRED_TYPE |
Used in observability metric headers |
| private IAM_SCOPE |
|
Properties
| static protected string | $metricMetadataKey | from MetricsTrait | |
| protected OAuth2 | $auth | The OAuth2 instance used to conduct authorization. |
|
| protected string | $quotaProject | The quota project associated with the JSON credentials |
|
| protected string|null | $projectId |
Methods
No description
No description
No description
Updates metadata with the authorization token.
Load a JSON key from the path specified in the environment.
Load a JSON key from a well known path.
Create a new Credentials instance.
Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.
Create a new instance of InsecureCredentials.
Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.
Gets a callable which returns the default device certification.
Determines whether or not the default device certificate should be loaded.
Get the universe domain configured in the JSON credential.
Sign a string using the service account private key.
Create a new ServiceAccountCredentials.
When called, the ServiceAccountCredentials will use an instance of ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token even when only scopes are supplied. Otherwise, ServiceAccountJwtAccessCredentials is only called when no scopes and an authUrl (audience) is suppled.
No description
Return the Cache Key for the credentials.
No description
Get the project ID from the service account keyfile.
No description
Get the client name from the keyfile.
Get the private key from the keyfile.
Get the quota project used for this API request
Details
static protected string
getMetricsHeader(string $credType = '', string $authRequestType = '')
No description
protected array
applyServiceApiUsageMetrics(array $metadata)
No description
protected array
applyTokenEndpointMetrics(array $metadata, string $authRequestType)
No description
static protected string
getVersion()
No description
protected string
getCredType()
No description
callable
getUpdateMetadataFunc()
deprecated
deprecated
export a callback function which updates runtime metadata.
array
updateMetadata(array $metadata, string $authUri = null, callable|null $httpHandler = null)
Updates metadata with the authorization token.
static array|null
fromEnv()
Load a JSON key from the path specified in the environment.
Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.
static array|null
fromWellKnownFile()
Load a JSON key from a well known path.
The well known path is OS dependent:
- windows: %APPDATA%/gcloud/application_default_credentials.json
- others: $HOME/.config/gcloud/application_default_credentials.json
If the file does not exist, this returns null.
static ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials|ExternalAccountCredentials
makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)
Create a new Credentials instance.
static Client
makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable|null $httpHandler = null, callable|null $tokenCallback = null)
Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.
static InsecureCredentials
makeInsecureCredentials()
Create a new instance of InsecureCredentials.
static string|null
quotaProjectFromEnv()
Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.
static callable|null
getDefaultClientCertSource()
Gets a callable which returns the default device certification.
static bool
shouldLoadClientCertSource()
Determines whether or not the default device certificate should be loaded.
string
getUniverseDomain()
Get the universe domain configured in the JSON credential.
string
signBlob(string $stringToSign, bool $forceOpenssl = false)
Sign a string using the service account private key.
__construct(string|string[]|null $scope, string|array $jsonKey, string $sub = null, string $targetAudience = null)
Create a new ServiceAccountCredentials.
void
useJwtAccessWithScope()
When called, the ServiceAccountCredentials will use an instance of ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token even when only scopes are supplied. Otherwise, ServiceAccountJwtAccessCredentials is only called when no scopes and an authUrl (audience) is suppled.
array
fetchAuthToken(callable|null $httpHandler = null)
No description
string
getCacheKey()
Return the Cache Key for the credentials.
For the cache key format is one of the following: ClientEmail.Scope[.Sub] ClientEmail.Audience[.Sub]
null|array
getLastReceivedToken()
No description
string|null
getProjectId(callable|null $httpHandler = null)
Get the project ID from the service account keyfile.
Returns null if the project ID does not exist in the keyfile.
void
setSub(string $sub)
No description
string
getClientName(callable|null $httpHandler = null)
Get the client name from the keyfile.
In this case, it returns the keyfile's client_email key.
string
getPrivateKey()
Get the private key from the keyfile.
In this case, it returns the keyfile's private_key key, needed for JWT signing.
string|null
getQuotaProject()
Get the quota project used for this API request