class ServiceAccountCredentials extends CredentialsLoader implements GetQuotaProjectInterface, SignBlobInterface, ProjectIdProviderInterface

ServiceAccountCredentials supports authorization using a Google service account.

(cf https://developers.google.com/accounts/docs/OAuth2ServiceAccount)

It's initialized using the JSON key file that's downloadable from the developer console, which should contain the private_key and client_email fields that it uses.

Use it with AuthTokenMiddleware to authorize http requests:

use Google\Auth\Credentials\ServiceAccountCredentials;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

$sa = new ServiceAccountCredentials(
    'https://www.googleapis.com/auth/taskqueue',
    '/path/to/your/json/key_file.json'
);
$middleware = new AuthTokenMiddleware($sa);
$stack = HandlerStack::create();
$stack->push($middleware);

$client = new Client([
    'handler' => $stack,
    'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
    'auth' => 'google_auth' // authorize all requests
]);

$res = $client->get('myproject/taskqueues/myqueue');

Traits

Sign a string using a Service Account private key.

Provides shared methods for updating request metadata (request headers).

Trait containing helper methods required for enabling observability metrics in the library.

Constants

TOKEN_CREDENTIAL_URI

ENV_VAR

QUOTA_PROJECT_ENV_VAR

WELL_KNOWN_PATH

NON_WINDOWS_WELL_KNOWN_PATH_BASE

MTLS_WELL_KNOWN_PATH

MTLS_CERT_ENV_VAR

private CRED_TYPE

Used in observability metric headers

private IAM_SCOPE

Properties

static protected string $metricMetadataKey from MetricsTrait
protected OAuth2 $auth

The OAuth2 instance used to conduct authorization.

protected string $quotaProject

The quota project associated with the JSON credentials

protected string|null $projectId

Methods

static string
getMetricsHeader(string $credType = '', string $authRequestType = '')

No description

array
applyServiceApiUsageMetrics(array $metadata)

No description

array
applyTokenEndpointMetrics(array $metadata, string $authRequestType)

No description

static string
getVersion()

No description

string
getCredType()

No description

callable
getUpdateMetadataFunc() deprecated

export a callback function which updates runtime metadata.

array
updateMetadata(array $metadata, string $authUri = null, callable|null $httpHandler = null)

Updates metadata with the authorization token.

static array|null
fromEnv()

Load a JSON key from the path specified in the environment.

static array|null
fromWellKnownFile()

Load a JSON key from a well known path.

makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

static Client
makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable|null $httpHandler = null, callable|null $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

makeInsecureCredentials()

Create a new instance of InsecureCredentials.

static string|null
quotaProjectFromEnv()

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

static callable|null
getDefaultClientCertSource()

Gets a callable which returns the default device certification.

static bool
shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

string
getUniverseDomain()

Get the universe domain configured in the JSON credential.

string
signBlob(string $stringToSign, bool $forceOpenssl = false)

Sign a string using the service account private key.

__construct(string|string[]|null $scope, string|array $jsonKey, string $sub = null, string $targetAudience = null)

Create a new ServiceAccountCredentials.

void
useJwtAccessWithScope()

When called, the ServiceAccountCredentials will use an instance of ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token even when only scopes are supplied. Otherwise, ServiceAccountJwtAccessCredentials is only called when no scopes and an authUrl (audience) are supplied.

array
fetchAuthToken(callable|null $httpHandler = null, array $headers = [])

No description

string
getCacheKey()

Return the Cache Key for the credentials.

null|array
getLastReceivedToken()

No description

string|null
getProjectId(callable|null $httpHandler = null)

Get the project ID from the service account keyfile.

void
setSub(string $sub)

No description

string
getClientName(callable|null $httpHandler = null)

Get the client name from the keyfile.

string
getPrivateKey()

Get the private key from the keyfile.

string|null
getQuotaProject()

Get the quota project used for this API request

Details

static protected string getMetricsHeader(string $credType = '', string $authRequestType = '')

No description

Parameters

string $credType

[Optional] The credential type. Empty value will not add any credential type to the header. Should be one of 'sa', 'jwt', 'imp', 'mds', 'u'.

string $authRequestType

[Optional] The auth request type. Empty value will not add any auth request type to the header. Should be one of 'at', 'it', 'mds'.

Return Value

string

The header value for the observability metrics.

protected array applyServiceApiUsageMetrics(array $metadata)

No description

Parameters

array $metadata

The metadata to update and return.

Return Value

array

The updated metadata.

protected array applyTokenEndpointMetrics(array $metadata, string $authRequestType)

No description

Parameters

array $metadata

The metadata to update and return.

string $authRequestType

The auth request type. Possible values are 'at', 'it', 'mds'.

Return Value

array

The updated metadata.

static protected string getVersion()

No description

Return Value

string

protected string getCredType()

No description

Return Value

string

callable getUpdateMetadataFunc() deprecated

deprecated

export a callback function which updates runtime metadata.

Return Value

callable

updateMetadata function

array updateMetadata(array $metadata, string $authUri = null, callable|null $httpHandler = null)

Updates metadata with the authorization token.

Parameters

array $metadata

metadata hashmap

string $authUri

optional auth uri

callable|null $httpHandler

callback which delivers psr7 request

Return Value

array

updated metadata hashmap

static array|null fromEnv()

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

Return Value

array|null

JSON key | null

static array|null fromWellKnownFile()

Load a JSON key from a well known path.

The well known path is OS dependent:

  • windows: %APPDATA%/gcloud/application_default_credentials.json
  • others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

Return Value

array|null

JSON key | null
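A pre-flight check for the files these two loaders read, as an added example that is not part of the library or its documentation: it inspects the GOOGLE_APPLICATION_CREDENTIALS path and the well-known path for loose permissions and missing fields. The function names are hypothetical, and the test on the JSON `type` field assumes service account keys carry `"type": "service_account"`.

```php
<?php
// Added example: audit the key file that fromEnv() / fromWellKnownFile() would read.
// Uses PHP built-ins only; function names are hypothetical.

/** Candidate key file locations named on this page. */
function candidateKeyPaths(): array
{
    $paths = [];
    $env = getenv('GOOGLE_APPLICATION_CREDENTIALS');
    if (is_string($env) && $env !== '') {
        $paths[] = $env;
    }
    $base = PHP_OS_FAMILY === 'Windows' ? getenv('APPDATA') : getenv('HOME') . '/.config';
    $paths[] = $base . '/gcloud/application_default_credentials.json';
    return $paths;
}

/** Returns findings for one key file; the private key itself is never echoed. */
function auditKeyFile(string $path): array
{
    if (!is_file($path)) {
        return ['not present'];
    }
    $findings = [];
    if (PHP_OS_FAMILY !== 'Windows') {
        $mode = fileperms($path) & 0777;
        if ($mode & 0077) {
            $findings[] = sprintf('mode %04o lets group/others access the key; use 0600', $mode);
        }
        if (function_exists('posix_geteuid') && fileowner($path) !== posix_geteuid()) {
            $findings[] = 'file is not owned by the user running this process';
        }
    }
    $key = json_decode((string) file_get_contents($path), true);
    if (!is_array($key)) {
        return array_merge($findings, ['not valid JSON']);
    }
    // Assumption: service account keys are marked with this "type" value.
    if (($key['type'] ?? '') === 'service_account') {
        foreach (['private_key', 'client_email'] as $field) {
            if (empty($key[$field]) || !is_string($key[$field])) {
                $findings[] = "service account key is missing $field";
            }
        }
        $email = is_string($key['client_email'] ?? null) ? $key['client_email'] : '(unknown)';
        $findings[] = 'holds a long-lived private key for ' . $email;
    }
    return $findings;
}

foreach (candidateKeyPaths() as $path) {
    echo $path, "\n  - ", implode("\n  - ", auditKeyFile($path) ?: ['ok']), "\n";
}
```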

static ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials|ExternalAccountCredentials makeCredentials(string|string[] $scope, array $jsonKey, string|string[] $defaultScope = null)

Create a new Credentials instance.

Parameters

string|string[] $scope

the scope of the access request, expressed either as an Array or as a space-delimited String.

array $jsonKey

the JSON credentials.

string|string[] $defaultScope

The default scope to use if no user-defined scopes exist, expressed either as an Array or as a space-delimited string.

Return Value

ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials|ExternalAccountCredentials

static Client makeHttpClient(FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable|null $httpHandler = null, callable|null $tokenCallback = null)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

Parameters

FetchAuthTokenInterface $fetcher

is used to fetch the auth token

array $httpClientOptions

(optional) Array of request options to apply.

callable|null $httpHandler

(optional) http client to fetch the token.

callable|null $tokenCallback

(optional) function to be called when a new token is fetched.

Return Value

Client

static InsecureCredentials makeInsecureCredentials()

Create a new instance of InsecureCredentials.

Return Value

InsecureCredentials

static string|null quotaProjectFromEnv()

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

Return Value

string|null

static callable|null getDefaultClientCertSource()

Gets a callable which returns the default device certification.

Return Value

callable|null

Exceptions

UnexpectedValueException

static bool shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

Return Value

bool

string getUniverseDomain()

Get the universe domain configured in the JSON credential.

Return Value

string

string signBlob(string $stringToSign, bool $forceOpenssl = false)

Sign a string using the service account private key.

Parameters

string $stringToSign
bool $forceOpenssl

Whether to use OpenSSL regardless of whether phpseclib is installed. Defaults to false.

Return Value

string
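How a receiver can check a signBlob() result, as an added example that is not part of the library's documentation: it signs with a throwaway key through both the default path and the forced-OpenSSL path, then verifies each signature with the matching public key. It assumes google/auth is installed through Composer and that signBlob() returns a base64-encoded RSA-SHA256 (PKCS#1 v1.5) signature; verifyBlob(), the key pair, the client_email and the message are constructed for the example.

```php
<?php
// Added example: sign with signBlob(), verify with the matching public key.
require __DIR__ . '/vendor/autoload.php'; // assumes google/auth installed via Composer

use Google\Auth\Credentials\ServiceAccountCredentials;

/** Hypothetical helper: true only if the base64 signature matches the message. */
function verifyBlob(string $message, string $signatureB64, string $publicPem): bool
{
    $raw = base64_decode($signatureB64, true);
    if ($raw === false) {
        return false; // not valid base64, so it cannot be a signBlob() result
    }
    // Assumption: the signature is RSA with SHA-256 and PKCS#1 v1.5 padding.
    return openssl_verify($message, $raw, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

// Throwaway RSA key pair generated for this example; not a real service account key.
$pkey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pkey, $privatePem);
$publicPem = openssl_pkey_get_details($pkey)['key'];

// The JSON key is passed as an associative array instead of a file path.
$creds = new ServiceAccountCredentials(null, [
    'type' => 'service_account',
    'client_email' => 'example-sa@example-project.iam.gserviceaccount.com', // constructed
    'private_key' => $privatePem,
]);

$message = 'constructed payload to sign';
$default = $creds->signBlob($message);        // phpseclib if installed, else OpenSSL
$openssl = $creds->signBlob($message, true);  // $forceOpenssl = true

foreach (['default' => $default, 'forced OpenSSL' => $openssl] as $label => $sig) {
    if (!verifyBlob($message, $sig, $publicPem)) {
        throw new RuntimeException("$label signature did not verify");
    }
    // A single changed byte in the message must invalidate the signature.
    if (verifyBlob($message . '!', $sig, $publicPem)) {
        throw new RuntimeException("$label signature verified a tampered message");
    }
}
echo "both signing paths produced verifiable signatures\n";
```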

__construct(string|string[]|null $scope, string|array $jsonKey, string $sub = null, string $targetAudience = null)

Create a new ServiceAccountCredentials.

Parameters

string|string[]|null $scope

the scope of the access request, expressed either as an Array or as a space-delimited String.

string|array $jsonKey

JSON credential file path or JSON credentials as an associative array

string $sub

an email address account to impersonate, in situations when the service account has been delegated domain wide access.

string $targetAudience

The audience for the ID token.

void useJwtAccessWithScope()

When called, the ServiceAccountCredentials will use an instance of ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token even when only scopes are supplied. Otherwise, ServiceAccountJwtAccessCredentials is only called when no scopes and an authUrl (audience) are supplied.

Return Value

void

array fetchAuthToken(callable|null $httpHandler = null, array $headers = [])

No description

Parameters

callable|null $httpHandler

callback which delivers psr7 request

array $headers

[optional] Headers to be inserted into the token endpoint request.

Return Value

array

a hash of auth tokens

string getCacheKey()

Return the Cache Key for the credentials.

The cache key format is one of the following:

  • ClientEmail.Scope[.Sub]
  • ClientEmail.Audience[.Sub]

Return Value

string

a key that may be used to cache the auth token.

null|array getLastReceivedToken()

No description

Return Value

null|array

The last received access token, as an array with the following keys:

  • string access_token: The access token string.
  • int expires_at: The time the token expires as a UNIX timestamp.

string|null getProjectId(callable|null $httpHandler = null)

Get the project ID from the service account keyfile.

Returns null if the project ID does not exist in the keyfile.

Parameters

callable|null $httpHandler

Callback which delivers psr7 request

Return Value

string|null

void setSub(string $sub)

No description

Parameters

string $sub

an email address account to impersonate, in situations when the service account has been delegated domain wide access.

Return Value

void

string getClientName(callable|null $httpHandler = null)

Get the client name from the keyfile.

In this case, it returns the keyfile's client_email key.

Parameters

callable|null $httpHandler

callback which delivers psr7 request, if one is required to obtain a client name.

Return Value

string

string getPrivateKey()

Get the private key from the keyfile.

In this case, it returns the keyfile's private_key key, needed for JWT signing.

Return Value

string

string|null getQuotaProject()

Get the quota project used for this API request

Return Value

string|null