Class: Google::Auth::ExternalAccount::Credentials

Inherits:
Object
  • Object
show all
Defined in:
lib/googleauth/external_account.rb

Overview

Provides an entrypoint for all Exernal Account credential classes.

Constant Summary collapse

AWS_SUBJECT_TOKEN_TYPE =

The subject token type used for AWS external_account credentials.

"urn:ietf:params:aws:token-type:aws4_request".freeze
MISSING_CREDENTIAL_SOURCE = 
"missing credential source for external account".freeze
INVALID_EXTERNAL_ACCOUNT_TYPE = 
"credential source is not supported external account type".freeze

Class Method Summary collapse

Class Method Details

.make_creds(options = {}) ⇒ Object

Create a ExternalAccount::Credentials

Parameters:

  • json_key_io (IO)

    an IO from which the JSON key can be read

  • scope (String, Array, nil)

    the scope(s) to access

Raises:



40
41
42
43
44
45
46
47
48
49
50
51
52
 
# File 'lib/googleauth/external_account.rb', line 40

def self.make_creds options = {}
  json_key_io, scope = options.values_at :json_key_io, :scope

  raise "A json file is required for external account credentials." unless json_key_io
  user_creds = read_json_key json_key_io

  # AWS credentials is determined by aws subject token type
  return make_aws_credentials user_creds, scope if user_creds[:subject_token_type] == AWS_SUBJECT_TOKEN_TYPE

  raise MISSING_CREDENTIAL_SOURCE if user_creds[:credential_source].nil?
  user_creds[:scope] = scope
   user_creds
end

.read_json_key(json_key_io) ⇒ Object

Reads the required fields from the JSON.



55
56
57
58
59
60
61
62
63
64
 
# File 'lib/googleauth/external_account.rb', line 55

def self.read_json_key json_key_io
  json_key = MultiJson.load json_key_io.read, symbolize_keys: true
  wanted = [
    :audience, :subject_token_type, :token_url, :credential_source
  ]
  wanted.each do |key|
    raise "the json is missing the #{key} field" unless json_key.key? key
  end
  json_key
end