class ServiceAccountJwtAccessCredentials extends CredentialsLoader implements GetQuotaProjectInterface, SignBlobInterface, ProjectIdProviderInterface (View source)

Authenticates requests using Google's Service Account credentials via JWT Access.

This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via 'Generate new Json Key'). It is not part of any OAuth2 flow, rather it creates a JWT and sends that as a credential.

Traits

Sign a string using a Service Account private key.

Provides shared methods for updating request metadata (request headers).

Trait containing helper methods required for enabling observability metrics in the library.

Constants

TOKEN_CREDENTIAL_URI

ENV_VAR

QUOTA_PROJECT_ENV_VAR

WELL_KNOWN_PATH

NON_WINDOWS_WELL_KNOWN_PATH_BASE

MTLS_WELL_KNOWN_PATH

MTLS_CERT_ENV_VAR

private CRED_TYPE

Used in observability metric headers

Properties

static protected string $metricMetadataKey from  MetricsTrait
protected OAuth2 $auth

The OAuth2 instance used to conduct authorization.

protected string $quotaProject

The quota project associated with the JSON credentials

string $projectId

Methods

static string
getMetricsHeader(string $credType = '', string $authRequestType = '')

No description

array
applyServiceApiUsageMetrics(array $metadata)

No description

array
applyTokenEndpointMetrics(array $metadata, string $authRequestType)

No description

static string
getVersion()

No description

string
getCredType()

No description

callable
getUpdateMetadataFunc() deprecated

export a callback function which updates runtime metadata.

array
updateMetadata(array $metadata, string $authUri = null, callable|null $httpHandler = null)

Updates metadata with the authorization token.

static array|null
fromEnv()

Load a JSON key from the path specified in the environment.

static array|null
fromWellKnownFile()

Load a JSON key from a well known path.

makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

static Client
makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable|null $httpHandler = null, callable|null $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

makeInsecureCredentials()

Create a new instance of InsecureCredentials.

static string|null
quotaProjectFromEnv()

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

static callable|null
getDefaultClientCertSource()

Gets a callable which returns the default device certification.

static bool
shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

string
getUniverseDomain()

Get the universe domain from the credential. Defaults to "googleapis.com" for all credential types which do not support universe domain.

string
signBlob(string $stringToSign, bool $forceOpenssl = false)

Sign a string using the service account private key.

__construct(string|array $jsonKey, string|string[] $scope = null)

Create a new ServiceAccountJwtAccessCredentials.

array
fetchAuthToken(callable|null $httpHandler = null)

Implements FetchAuthTokenInterface#fetchAuthToken.

string
getCacheKey()

Return the cache key for the credentials.

null|array
getLastReceivedToken()

No description

string|null
getProjectId(callable|null $httpHandler = null)

Get the project ID from the service account keyfile.

string
getClientName(callable|null $httpHandler = null)

Get the client name from the keyfile.

string
getPrivateKey()

Get the private key from the keyfile.

string|null
getQuotaProject()

Get the quota project used for this API request

Details

static protected string getMetricsHeader(string $credType = '', string $authRequestType = '')

No description

Parameters

string $credType

[Optional] The credential type. Empty value will not add any credential type to the header. Should be one of 'sa', 'jwt', 'imp', 'mds', 'u'.

string $authRequestType

[Optional] The auth request type. Empty value will not add any auth request type to the header. Should be one of 'at', 'it', 'mds'.

Return Value

string

The header value for the observability metrics.

protected array applyServiceApiUsageMetrics(array $metadata)

No description

Parameters

array $metadata

The metadata to update and return.

Return Value

array

The updated metadata.

protected array applyTokenEndpointMetrics(array $metadata, string $authRequestType)

No description

Parameters

array $metadata

The metadata to update and return.

string $authRequestType

The auth request type. Possible values are 'at', 'it', 'mds'.

Return Value

array

The updated metadata.

static protected string getVersion()

No description

Return Value

string

protected string getCredType()

No description

Return Value

string

callable getUpdateMetadataFunc() deprecated

deprecated

export a callback function which updates runtime metadata.

Return Value

callable

updateMetadata function

array updateMetadata(array $metadata, string $authUri = null, callable|null $httpHandler = null)

Updates metadata with the authorization token.

Parameters

array $metadata

metadata hashmap

string $authUri

optional auth uri

callable|null $httpHandler

callback which delivers psr7 request

Return Value

array

updated metadata hashmap

static array|null fromEnv()

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

Return Value

array|null

JSON key | null

static array|null fromWellKnownFile()

Load a JSON key from a well known path.

The well known path is OS dependent:

  • windows: %APPDATA%/gcloud/application_default_credentials.json
  • others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

Return Value

array|null

JSON key | null

static ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials|ExternalAccountCredentials makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

Parameters

string|string[] $scope

the scope of the access request, expressed either as an Array or as a space-delimited String.

array $jsonKey

the JSON credentials.

string|string[] $defaultScope

The default scope to use if no user-defined scopes exist, expressed either as an Array or as a space-delimited string.

Return Value

ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials|ExternalAccountCredentials

static Client makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable|null $httpHandler = null, callable|null $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

Parameters

FetchAuthTokenInterface $fetcher

is used to fetch the auth token

array $httpClientOptions

(optional) Array of request options to apply.

callable|null $httpHandler

(optional) http client to fetch the token.

callable|null $tokenCallback

(optional) function to be called when a new token is fetched.

Return Value

Client

static InsecureCredentials makeInsecureCredentials()

Create a new instance of InsecureCredentials.

Return Value

InsecureCredentials

static string|null quotaProjectFromEnv()

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

Return Value

string|null

static callable|null getDefaultClientCertSource()

Gets a callable which returns the default device certification.

Return Value

callable|null

Exceptions

UnexpectedValueException

static bool shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

Return Value

bool

string getUniverseDomain()

Get the universe domain from the credential. Defaults to "googleapis.com" for all credential types which do not support universe domain.

Return Value

string

string signBlob(string $stringToSign, bool $forceOpenssl = false)

Sign a string using the service account private key.

Parameters

string $stringToSign
bool $forceOpenssl

Whether to use OpenSSL regardless of whether phpseclib is installed. Defaults to false.

Return Value

string

__construct(string|array $jsonKey, string|string[] $scope = null)

Create a new ServiceAccountJwtAccessCredentials.

Parameters

string|array $jsonKey

JSON credential file path or JSON credentials as an associative array

string|string[] $scope

the scope of the access request, expressed either as an Array or as a space-delimited String.

array fetchAuthToken(callable|null $httpHandler = null)

Implements FetchAuthTokenInterface#fetchAuthToken.

Parameters

callable|null $httpHandler

callback which delivers psr7 request

Return Value

array

a hash of auth tokens

string getCacheKey()

Return the cache key for the credentials.

The format for the Cache Key one of the following: ClientEmail.Scope ClientEmail.Audience

Return Value

string

a key that may be used to cache the auth token.

null|array getLastReceivedToken()

No description

Return Value

null|array

{ The last received access token.

@type string $access_token The access token string.
@type int $expires_at The time the token expires as a UNIX timestamp.

}

string|null getProjectId(callable|null $httpHandler = null)

Get the project ID from the service account keyfile.

Returns null if the project ID does not exist in the keyfile.

Parameters

callable|null $httpHandler

Callback which delivers psr7 request

Return Value

string|null

string getClientName(callable|null $httpHandler = null)

Get the client name from the keyfile.

In this case, it returns the keyfile's client_email key.

Parameters

callable|null $httpHandler

callback which delivers psr7 request, if one is required to obtain a client name.

Return Value

string

string getPrivateKey()

Get the private key from the keyfile.

In this case, it returns the keyfile's private_key key, needed for JWT signing.

Return Value

string

string|null getQuotaProject()

Get the quota project used for this API request

Return Value

string|null