ServiceAccountCredentials extends CredentialsLoader
implements GetQuotaProjectInterface, SignBlobInterface, ProjectIdProviderInterface
uses ServiceAccountSignerTrait
ServiceAccountCredentials supports authorization using a Google service account.
(cf. https://developers.google.com/accounts/docs/OAuth2ServiceAccount)
It is initialized using the JSON key file that is downloadable from the developer console, which should contain the private_key and client_email fields that it uses.
Use it with AuthTokenMiddleware to authorize http requests:
use Google\Auth\Credentials\ServiceAccountCredentials;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

$sa = new ServiceAccountCredentials(
    'https://www.googleapis.com/auth/taskqueue',
    '/path/to/your/json/key_file.json'
);
$middleware = new AuthTokenMiddleware($sa);
$stack = HandlerStack::create();
$stack->push($middleware);

$client = new Client([
    'handler' => $stack,
    'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
    'auth' => 'google_auth' // authorize all requests
]);

$res = $client->get('myproject/taskqueues/myqueue');
Table of Contents
Interfaces
- GetQuotaProjectInterface
- An interface implemented by objects that can get quota projects.
- SignBlobInterface
- Describes a class which supports signing arbitrary strings.
- ProjectIdProviderInterface
- Describes a Credentials object which supports fetching the project ID.
Constants
- ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'
- NON_WINDOWS_WELL_KNOWN_PATH_BASE = '.config'
- TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token'
- WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json'
Properties
- $auth : OAuth2
- The OAuth2 instance used to conduct authorization.
- $projectId : mixed
- $quotaProject : string
- The quota project associated with the JSON credentials
- $jwtAccessCredentials : mixed
- $lastReceivedJwtAccessToken : mixed
- $useJwtAccessWithScope : mixed
Methods
- __construct() : mixed
- Create a new ServiceAccountCredentials.
- fetchAuthToken() : array<string|int, mixed>
- Fetches the auth tokens based on the current state.
- fromEnv() : array<string|int, mixed>|null
- Load a JSON key from the path specified in the environment.
- fromWellKnownFile() : array<string|int, mixed>|null
- Load a JSON key from a well known path.
- getCacheKey() : string
- Obtains a key that can be used to cache the results of #fetchAuthToken.
- getClientName() : string
- Get the client name from the keyfile.
- getLastReceivedToken() : array<string|int, mixed>
- Returns an associative array with the token and expiration time.
- getProjectId() : string|null
- Get the project ID from the service account keyfile.
- getQuotaProject() : string|null
- Get the quota project used for this API request
- getUpdateMetadataFunc() : array<string|int, mixed>
- Export a callback function which updates runtime metadata.
- makeCredentials() : ServiceAccountCredentials|UserRefreshCredentials
- Create a new Credentials instance.
- makeHttpClient() : Client
- Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.
- makeInsecureCredentials() : InsecureCredentials
- Create a new instance of InsecureCredentials.
- setSub() : mixed
- signBlob() : string
- Sign a string using the service account private key.
- updateMetadata() : array<string|int, mixed>
- Updates metadata with the authorization token.
- useJwtAccessWithScope() : mixed
- When called, the ServiceAccountCredentials will use an instance of ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token even when only scopes are supplied. Otherwise, ServiceAccountJwtAccessCredentials is only called when no scopes and an authUrl (audience) are supplied.
- createJwtAccessCredentials() : mixed
- getGuzzleMajorVersion() : int
- Returns the currently available major Guzzle version.
- isOnWindows() : bool
- unableToReadEnv() : string
- useSelfSignedJwt() : mixed
Constants
ENV_VAR
public
mixed ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'
NON_WINDOWS_WELL_KNOWN_PATH_BASE
public
mixed NON_WINDOWS_WELL_KNOWN_PATH_BASE = '.config'
TOKEN_CREDENTIAL_URI
public
mixed TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token'
WELL_KNOWN_PATH
public
mixed WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json'
Properties
$auth
The OAuth2 instance used to conduct authorization.
protected
OAuth2 $auth
$projectId
protected
mixed $projectId
$quotaProject
The quota project associated with the JSON credentials
protected
string $quotaProject
$jwtAccessCredentials
private
mixed $jwtAccessCredentials
$lastReceivedJwtAccessToken
private
mixed $lastReceivedJwtAccessToken
$useJwtAccessWithScope
private
mixed $useJwtAccessWithScope = false
Methods
__construct()
Create a new ServiceAccountCredentials.
public
__construct(string|array<string|int, mixed> $scope, string|array<string|int, mixed> $jsonKey[, string $sub = null ][, string $targetAudience = null ]) : mixed
Parameters
- $scope : string|array<string|int, mixed>
  the scope of the access request, expressed either as an Array or as a space-delimited String.
- $jsonKey : string|array<string|int, mixed>
  JSON credential file path or JSON credentials as an associative array
- $sub : string = null
  an email address account to impersonate, in situations when the service account has been delegated domain wide access.
- $targetAudience : string = null
  The audience for the ID token.
fetchAuthToken()
Fetches the auth tokens based on the current state.
public
fetchAuthToken([callable $httpHandler = null ]) : array<string|int, mixed>
Parameters
- $httpHandler : callable = null
Return values
array<string|int, mixed> — A set of auth related metadata, containing the following keys:
- access_token (string)
- expires_in (int)
- token_type (string)
fromEnv()
Load a JSON key from the path specified in the environment.
public
static fromEnv() : array<string|int, mixed>|null
Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.
Return values
array<string|int, mixed>|null — JSON key | null
fromWellKnownFile()
Load a JSON key from a well known path.
public
static fromWellKnownFile() : array<string|int, mixed>|null
The well known path is OS dependent:
- windows: %APPDATA%/gcloud/application_default_credentials.json
- others: $HOME/.config/gcloud/application_default_credentials.json
If the file does not exist, this returns null.
Return values
array<string|int, mixed>|null — JSON key | null
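Both fromEnv() and fromWellKnownFile() read a long-lived private key from disk. The following is an added example, not code from the google/auth project: it recomputes the path those lookups would read from the documented constants and reports loose file permissions. The helper names resolveKeyPath() and auditKeyFile(), the vendor/autoload.php location, and the order (environment variable first, then the well-known file) are assumptions of this example.

```php
<?php
// Added example; resolveKeyPath() and auditKeyFile() are hypothetical helpers.
require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader location

use Google\Auth\Credentials\ServiceAccountCredentials as SAC;

// Path the documented lookups would read: the environment variable if set,
// otherwise the OS-dependent well-known file (order assumed by this example).
function resolveKeyPath(): ?string
{
    $env = getenv(SAC::ENV_VAR);
    if (is_string($env) && $env !== '') {
        return $env;
    }
    $base = DIRECTORY_SEPARATOR === '\\'
        ? (string) getenv('APPDATA')
        : getenv('HOME') . '/' . SAC::NON_WINDOWS_WELL_KNOWN_PATH_BASE;
    $path = $base . '/' . SAC::WELL_KNOWN_PATH;
    return is_file($path) ? $path : null;
}

// Returns human-readable findings about the key file; an empty array means none.
function auditKeyFile(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        return ["$path is missing or unreadable"];
    }
    $findings = [];
    $mode = fileperms($path) & 0777;
    // Permission bits are only meaningful on non-Windows systems.
    if (DIRECTORY_SEPARATOR === '/' && ($mode & 0077) !== 0) {
        $findings[] = sprintf('%s has mode %04o; restrict it to the owner (0600)', $path, $mode);
    }
    $key = json_decode((string) file_get_contents($path), true);
    if (!is_array($key)) {
        $findings[] = "$path does not contain a JSON object";
    } elseif (isset($key['private_key'])) {
        $findings[] = sprintf('%s holds a private key for %s', $path, $key['client_email'] ?? 'an unnamed account');
    }
    return $findings;
}

$path = resolveKeyPath();
if ($path === null) {
    echo 'No key file found via ' . SAC::ENV_VAR . " or the well-known path\n";
} else {
    foreach (auditKeyFile($path) as $finding) {
        echo "FINDING: $finding\n";
    }
}
```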
getCacheKey()
Obtains a key that can be used to cache the results of #fetchAuthToken.
public
getCacheKey() : string
Return values
string
getClientName()
Get the client name from the keyfile.
public
getClientName([callable $httpHandler = null ]) : string
In this case, it returns the keyfile's client_email key.
Parameters
- $httpHandler : callable = null
  Not used by this credentials type.
Return values
string
getLastReceivedToken()
Returns an associative array with the token and expiration time.
public
getLastReceivedToken() : array<string|int, mixed>
Return values
array<string|int, mixed>
getProjectId()
Get the project ID from the service account keyfile.
public
getProjectId([callable $httpHandler = null ]) : string|null
Returns null if the project ID does not exist in the keyfile.
Parameters
- $httpHandler : callable = null
  Not used by this credentials type.
Return values
string|null
getQuotaProject()
Get the quota project used for this API request
public
getQuotaProject() : string|null
Return values
string|null
getUpdateMetadataFunc()
Export a callback function which updates runtime metadata.
public
getUpdateMetadataFunc() : array<string|int, mixed>
Return values
array<string|int, mixed> — updateMetadata function
makeCredentials()
Create a new Credentials instance.
public
static makeCredentials(string|array<string|int, mixed> $scope, array<string|int, mixed> $jsonKey[, string|array<string|int, mixed> $defaultScope = null ]) : ServiceAccountCredentials|UserRefreshCredentials
Parameters
- $scope : string|array<string|int, mixed>
  the scope of the access request, expressed either as an Array or as a space-delimited String.
- $jsonKey : array<string|int, mixed>
  the JSON credentials.
- $defaultScope : string|array<string|int, mixed> = null
  The default scope to use if no user-defined scopes exist, expressed either as an Array or as a space-delimited string.
Return values
ServiceAccountCredentials|UserRefreshCredentials
makeHttpClient()
Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.
public
static makeHttpClient(FetchAuthTokenInterface $fetcher[, array<string|int, mixed> $httpClientOptions = [] ][, callable $httpHandler = null ][, callable $tokenCallback = null ]) : Client
Parameters
- $fetcher : FetchAuthTokenInterface
  is used to fetch the auth token
- $httpClientOptions : array<string|int, mixed> = []
  (optional) Array of request options to apply.
- $httpHandler : callable = null
  (optional) http client to fetch the token.
- $tokenCallback : callable = null
  (optional) function to be called when a new token is fetched.
Return values
Client
makeInsecureCredentials()
Create a new instance of InsecureCredentials.
public
static makeInsecureCredentials() : InsecureCredentials
Return values
InsecureCredentials
setSub()
public
setSub(string $sub) : mixed
Parameters
- $sub : string
  an email address account to impersonate, in situations when the service account has been delegated domain wide access.
signBlob()
Sign a string using the service account private key.
public
signBlob(string $stringToSign[, bool $forceOpenssl = false ]) : string
Parameters
- $stringToSign : string
- $forceOpenssl : bool = false
  Whether to use OpenSSL regardless of whether phpseclib is installed. Defaults to false.
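A signature from signBlob() can be checked with the matching public key. The following is an added example, not code from the google/auth project: it signs a string with a throwaway RSA key generated on the spot and verifies the result, including a tampered copy. The key material, the client_email value and the autoloader path are constructed, and the base64-encoded RSA SHA-256 (PKCS#1 v1.5) output format is an assumption about the library that this page does not state.

```php
<?php
// Added example: sign with signBlob(), then verify with the public half of the key.
require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader location

use Google\Auth\Credentials\ServiceAccountCredentials;

// Constructed throwaway key pair; a real key comes from the downloaded JSON key file.
$pkey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($pkey === false || !openssl_pkey_export($pkey, $privatePem)) {
    fwrite(STDERR, "could not generate a test key\n");
    exit(1);
}
$publicPem = openssl_pkey_get_details($pkey)['key'];

// The constructor accepts the JSON credentials as an associative array.
$jsonKey = [
    'type'         => 'service_account',
    'client_email' => 'demo-sa@example-project.iam.gserviceaccount.com', // constructed
    'private_key'  => $privatePem,
];
$sa = new ServiceAccountCredentials('https://www.googleapis.com/auth/taskqueue', $jsonKey);

$message   = "constructed sample payload\nexpires=1700000000";
$signature = $sa->signBlob($message);

// Assumption: the return value is base64 over an RSA SHA-256 PKCS#1 v1.5 signature.
$raw = base64_decode($signature, true);
if ($raw === false) {
    fwrite(STDERR, "signature is not valid base64\n");
    exit(1);
}

// openssl_verify() returns 1 for a valid signature, 0 for an invalid one, -1 on error.
$valid    = openssl_verify($message, $raw, $publicPem, OPENSSL_ALGO_SHA256);
$tampered = openssl_verify($message . 'x', $raw, $publicPem, OPENSSL_ALGO_SHA256);

printf("signed by:        %s\n", $sa->getClientName());
printf("original message: %s\n", $valid === 1 ? 'signature valid' : 'signature INVALID');
printf("tampered message: %s\n", $tampered === 1 ? 'signature valid' : 'signature rejected');
```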
Return values
string
updateMetadata()
Updates metadata with the authorization token.
public
updateMetadata(array<string|int, mixed> $metadata[, string $authUri = null ][, callable $httpHandler = null ]) : array<string|int, mixed>
Parameters
- $metadata : array<string|int, mixed>
  metadata hashmap
- $authUri : string = null
  optional auth uri
- $httpHandler : callable = null
  callback which delivers psr7 request
Return values
array<string|int, mixed> — updated metadata hashmap
useJwtAccessWithScope()
When called, the ServiceAccountCredentials will use an instance of ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token even when only scopes are supplied. Otherwise, ServiceAccountJwtAccessCredentials is only called when no scopes and an authUrl (audience) are supplied.
public
useJwtAccessWithScope() : mixed
createJwtAccessCredentials()
private
createJwtAccessCredentials() : mixed
getGuzzleMajorVersion()
Returns the currently available major Guzzle version.
private
static getGuzzleMajorVersion() : int
Return values
int
isOnWindows()
private
static isOnWindows() : bool
Return values
bool
unableToReadEnv()
private
static unableToReadEnv(string $cause) : string
Parameters
- $cause : string
Return values
string
useSelfSignedJwt()
private
useSelfSignedJwt() : mixed