class Google::Auth::ExternalAccount::IdentityPoolCredentials
This module handles the retrieval of credentials from Google
Cloud by utilizing any 3PI provider and then exchanging the provider's credentials for a short-lived Google
Cloud access token.
Attributes
Will always be nil, but method still gets used.
Public Class Methods
Source
# File lib/googleauth/external_account/identity_pool_credentials.rb, line 40
# Initialize from an options map.
#
# Runs the shared base setup first, then copies the audience and the pieces
# of the credential source (file, url, headers, format) into instance
# variables, and finally validates the resulting combination.
#
# NOTE(review): the file path, URL and headers are stored exactly as they
# appear in the options hash; nothing here restricts where they point.
# A configuration that originates outside the deployment's trust boundary
# should be vetted before it is passed in.
#
# @param options [Hash{Symbol => Object}] reads :audience and
#   :credential_source (a hash with :file or :url, optional :headers and
#   optional :format)
def initialize options = {}
  base_setup options

  @audience = options[:audience]

  source = options[:credential_source] || {}
  format = source[:format] || {}

  @credential_source = source
  @credential_source_file = source[:file]
  @credential_source_url = source[:url]
  @credential_source_headers = source[:headers] || {}
  @credential_source_format = format
  # The format type falls back to plain text when none is given.
  @credential_source_format_type = format[:type] || "text"

  validate_credential_source
end
Initialize from options map.
@param [string] audience @param [hash{symbol => value}] credential_source
credential_source is a hash that contains either a source file or a url. credential_source_format is either text or json, and defines how the credential response is parsed.
Public Instance Methods
Source
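# File lib/googleauth/external_account/identity_pool_credentials.rb, line 54
# Reads the subject token from the configured credential source.
#
# For the "text" format the raw content is the token. For any other format
# the content is parsed as JSON and the token is taken from the configured
# subject-token field.
#
# @return [Object] the subject token (the raw content for "text", the value
#   of the configured field for JSON)
# @raise [RuntimeError] if the JSON content cannot be parsed or indexed, or
#   if the resulting token is missing or an empty string
def retrieve_subject_token!
  content, resource_name = token_data
  if @credential_source_format_type == "text"
    token = content
  else
    begin
      response_data = MultiJson.load content, symbolize_keys: true
      token = response_data[@credential_source_field_name.to_sym]
    rescue StandardError
      # Any parse or lookup failure is reported with the resource and key
      # name only; the content itself is not echoed into the message.
      raise "Unable to parse subject_token from JSON resource #{resource_name} " \
            "using key #{@credential_source_field_name}"
    end
  end
  # An empty string is truthy in Ruby, so an empty file or response body
  # would otherwise pass as a token; reject it here alongside nil/false.
  raise "Missing subject_token in the credential_source file/response." if !token || token == ""
  token
end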
Implementation of BaseCredentials
retrieve_subject_token!
Private Instance Methods
Source
# File lib/googleauth/external_account/identity_pool_credentials.rb, line 98
# Reads the credential source file as UTF-8.
#
# NOTE(review): the existence check and the read are two separate steps, and
# File.exist? is also true for directories, so File.read can still raise its
# own error after the check passes.
#
# @return [Array] the file content followed by the file path
# @raise [RuntimeError] if the path does not exist
def file_data
  path = @credential_source_file
  raise "File #{path} was not found." unless File.exist?(path)

  [File.read(path, encoding: "utf-8"), path]
end
Source
# File lib/googleauth/external_account/identity_pool_credentials.rb, line 94
# Picks the credential source to read from: the URL when no source file is
# configured, the file otherwise.
#
# @return whatever url_data or file_data returns
def token_data
  return url_data if @credential_source_file.nil?

  file_data
end
Source
# File lib/googleauth/external_account/identity_pool_credentials.rb, line 104
# Fetches the credential from the configured URL with a GET request, sending
# the configured headers along.
#
# NOTE(review): the failure message interpolates the whole response body, so
# whatever the endpoint returned ends up wherever this exception is logged;
# confirm that is acceptable for the configured source.
#
# @return [Array] the response body followed by the source URL
# @raise [RuntimeError] if the request raises Faraday::Error or the response
#   is not successful
def url_data
  response =
    begin
      connection.get(@credential_source_url) do |req|
        req.headers.merge!(@credential_source_headers)
      end
    rescue Faraday::Error => e
      raise "Error retrieving from credential url: #{e}"
    end

  unless response.success?
    raise "Unable to retrieve Identity Pool subject token #{response.body}"
  end

  [response.body, @credential_source_url]
end
Source
# File lib/googleauth/external_account/identity_pool_credentials.rb, line 73
# Checks the credential source settings and records the JSON field name.
#
# Rejects an `environment_id` entry, an unknown format type, a JSON format
# without a subject-token field name, and a source that names both or
# neither of 'file' and 'url'.
#
# NOTE(review): only presence and mutual exclusivity of 'file' and 'url' are
# checked; where the path or URL points is not examined in this method.
#
# @return [nil]
# @raise [RuntimeError] on any of the conditions above
def validate_credential_source
  # `environment_id` is only supported in AWS or dedicated future external account credentials.
  raise "Invalid Identity Pool credential_source field 'environment_id'" unless @credential_source[:environment_id].nil?

  format_type = @credential_source_format_type
  raise "Invalid credential_source format #{format_type}" unless %w[json text].include?(format_type)

  # JSON sources must name the field that holds the subject token.
  @credential_source_field_name = @credential_source_format[:subject_token_field_name]
  if format_type == "json" && @credential_source_field_name.nil?
    raise "Missing subject_token_field_name for JSON credential_source format"
  end

  # Exactly one of file and url has to be supplied.
  file = @credential_source_file
  url = @credential_source_url
  raise "Ambiguous credential_source. 'file' is mutually exclusive with 'url'." if file && url
  raise "Missing credential_source. A 'file' or 'url' must be provided." if (file || url).nil?
end