Client for IAM Service Account Credentials API

class google.cloud.iam_credentials_v1.IAMCredentialsClient(transport=None, channel=None, credentials=None, client_config=None, client_info=None, client_options=None)

    A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.

    Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.

    Constructor.

    - Parameters
        transport (Union[IamCredentialsGrpcTransport, Callable[[~.Credentials, type], ~.IamCredentialsGrpcTransport]]) – A transport instance, responsible for actually making the API calls. The default transport uses the gRPC protocol. This argument may also be a callable which returns a transport instance. Callables will be sent the credentials as the first argument and the default transport class as the second argument.
        channel (grpc.Channel) – DEPRECATED. A Channel instance through which to make calls. This argument is mutually exclusive with credentials; providing both will raise an exception.
        credentials (google.auth.credentials.Credentials) – The authorization credentials to attach to requests. These credentials identify this application to the service. If none are specified, the client will attempt to ascertain the credentials from the environment. This argument is mutually exclusive with providing a transport instance to transport; doing so will raise an exception.
        client_config (dict) – DEPRECATED. A dictionary of call options for each method. If not specified, the default configuration is used.
        client_info (google.api_core.gapic_v1.client_info.ClientInfo) – The client info used to send a user-agent string along with API requests. If None, then default info will be used. Generally, you only need to set this if you're developing your own client library.
        client_options (Union[dict, google.api_core.client_options.ClientOptions]) – Client options used to set user options on the client. API Endpoint should be set through client_options.
classmethod from_service_account_file(filename, *args, **kwargs)

    Creates an instance of this client using the provided credentials file.

    - Parameters
        filename (str) – The path to the service account private key json file.
        args – Additional arguments to pass to the constructor.
        kwargs – Additional arguments to pass to the constructor.
    - Returns
        The constructed client.
    - Return type
        IAMCredentialsClient
classmethod from_service_account_json(filename, *args, **kwargs)

    Creates an instance of this client using the provided credentials file.

    - Parameters
        filename (str) – The path to the service account private key json file.
        args – Additional arguments to pass to the constructor.
        kwargs – Additional arguments to pass to the constructor.
    - Returns
        The constructed client.
    - Return type
        IAMCredentialsClient
generate_access_token(name, scope, delegates=None, lifetime=None, retry=<object object>, timeout=<object object>, metadata=None)

    Generates an OAuth 2.0 access token for a service account.

    Example

    >>> from google.cloud import iam_credentials_v1
    >>>
    >>> client = iam_credentials_v1.IAMCredentialsClient()
    >>>
    >>> name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')
    >>>
    >>> # TODO: Initialize `scope`:
    >>> scope = []
    >>>
    >>> response = client.generate_access_token(name, scope)

    - Parameters
        name (str) – The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}.
        scope (list[str]) – Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
        delegates (list[str]) – The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}
        lifetime (Union[dict, Duration]) – The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour. If a dict is provided, it must be of the same form as the protobuf message Duration.
        retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.
        timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.
        metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.
    - Returns
        A GenerateAccessTokenResponse instance.
    - Raises
        google.api_core.exceptions.GoogleAPICallError – If the request failed for any reason.
        google.api_core.exceptions.RetryError – If the request failed due to a retryable error and retry attempts failed.
        ValueError – If the parameters are invalid.
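The following is an added example, not code from the google-cloud-iam library or its documentation. It wraps generate_access_token so that a caller can only request narrowly scoped, short-lived tokens, and it checks the resource names, the delegation chain and the 3600 second lifetime cap described above before anything is sent. The RecordingClient class is a constructed stand-in for IAMCredentialsClient so the example runs offline; the access_token and expire_time attributes it returns mirror what I assume a GenerateAccessTokenResponse carries, which this page does not spell out. The 300 second default lifetime is the wrapper's own choice; the API itself defaults to one hour.

```python
# Added example (not part of the google-cloud-iam docs): a least-privilege
# wrapper around IAMCredentialsClient.generate_access_token.
# `client` is any object with generate_access_token(name, scope, delegates=None,
# lifetime=None); the real IAMCredentialsClient satisfies that.
from dataclasses import dataclass, field
from types import SimpleNamespace
from typing import Sequence

MAX_LIFETIME_SECONDS = 3600  # the API rejects access-token lifetimes above one hour


def service_account_name(account: str) -> str:
    """Build the projects/-/serviceAccounts/{EMAIL_OR_UNIQUEID} resource name."""
    if not account or "/" in account:
        raise ValueError(f"expected an account email or unique id, got {account!r}")
    # The docs use the wildcard project "-" for service account resource names.
    return f"projects/-/serviceAccounts/{account}"


def mint_access_token(client, account: str, scopes: Sequence[str],
                      delegates: Sequence[str] = (), lifetime_seconds: int = 300):
    """Request an access token for `account`, optionally via a delegation chain.

    Raises ValueError before any call is made when the arguments would break the
    documented constraints (at least one scope, lifetime within (0, 3600]).
    Returns the client's response object unchanged.
    """
    if not scopes:
        raise ValueError("at least one OAuth 2.0 scope is required")
    if not 0 < lifetime_seconds <= MAX_LIFETIME_SECONDS:
        raise ValueError(f"lifetime must be in (0, {MAX_LIFETIME_SECONDS}] seconds")
    name = service_account_name(account)
    # Each delegate must be a full resource name. The API only issues the token
    # if each hop holds roles/iam.serviceAccountTokenCreator on the next hop and
    # the last hop holds it on `name`; that is enforced server-side, not here.
    chain = [service_account_name(d) for d in delegates]
    return client.generate_access_token(
        name,
        list(scopes),
        delegates=chain or None,
        # `lifetime` may be passed as a dict shaped like google.protobuf.Duration.
        lifetime={"seconds": int(lifetime_seconds)},
    )


@dataclass
class RecordingClient:
    """Constructed stand-in for IAMCredentialsClient: records calls, calls nobody."""
    calls: list = field(default_factory=list)

    def generate_access_token(self, name, scope, delegates=None, lifetime=None):
        self.calls.append({"name": name, "scope": scope,
                           "delegates": delegates, "lifetime": lifetime})
        # Assumed response shape (access_token, expire_time); value is a placeholder.
        return SimpleNamespace(access_token="CONSTRUCTED-ACCESS-TOKEN", expire_time=None)


if __name__ == "__main__":
    rc = RecordingClient()  # swap in IAMCredentialsClient() to call the real API
    resp = mint_access_token(
        rc,
        "app-sa@example-project.iam.gserviceaccount.com",       # constructed
        ["https://www.googleapis.com/auth/devstorage.read_only"],
        delegates=["deployer-sa@example-project.iam.gserviceaccount.com"],
        lifetime_seconds=600,
    )
    print(rc.calls[0])
    print(resp.access_token)
```

Keeping the scope list and lifetime as explicit, validated arguments makes it hard to accidentally ship code that mints hour-long, cloud-platform-wide tokens; the wrapper fails closed on an empty scope list rather than letting the API reject it after the round trip.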
generate_id_token(name, audience, delegates=None, include_email=None, retry=<object object>, timeout=<object object>, metadata=None)

    Generates an OpenID Connect ID token for a service account.

    Example

    >>> from google.cloud import iam_credentials_v1
    >>>
    >>> client = iam_credentials_v1.IAMCredentialsClient()
    >>>
    >>> name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')
    >>>
    >>> # TODO: Initialize `audience`:
    >>> audience = ''
    >>>
    >>> response = client.generate_id_token(name, audience)

    - Parameters
        name (str) – The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}.
        audience (str) – The audience for the token, such as the API or account that this token grants access to.
        delegates (list[str]) – The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}
        include_email (bool) – Include the service account email in the token. If set to true, the token will contain email and email_verified claims.
        retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.
        timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.
        metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.
    - Returns
        A GenerateIdTokenResponse instance.
    - Raises
        google.api_core.exceptions.GoogleAPICallError – If the request failed for any reason.
        google.api_core.exceptions.RetryError – If the request failed due to a retryable error and retry attempts failed.
        ValueError – If the parameters are invalid.
classmethod service_account_path(project, service_account)

    Return a fully-qualified service_account string.
sign_blob(name, payload, delegates=None, retry=<object object>, timeout=<object object>, metadata=None)

    Signs a blob using a service account's system-managed private key.

    Example

    >>> from google.cloud import iam_credentials_v1
    >>>
    >>> client = iam_credentials_v1.IAMCredentialsClient()
    >>>
    >>> name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')
    >>>
    >>> # TODO: Initialize `payload`:
    >>> payload = b''
    >>>
    >>> response = client.sign_blob(name, payload)

    - Parameters
        name (str) – The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}.
        payload (bytes) – The bytes to sign.
        delegates (list[str]) – The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}
        retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.
        timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.
        metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.
    - Returns
        A SignBlobResponse instance.
    - Raises
        google.api_core.exceptions.GoogleAPICallError – If the request failed for any reason.
        google.api_core.exceptions.RetryError – If the request failed due to a retryable error and retry attempts failed.
        ValueError – If the parameters are invalid.
sign_jwt(name, payload, delegates=None, retry=<object object>, timeout=<object object>, metadata=None)

    Signs a JWT using a service account's system-managed private key.

    Example

    >>> from google.cloud import iam_credentials_v1
    >>>
    >>> client = iam_credentials_v1.IAMCredentialsClient()
    >>>
    >>> name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')
    >>>
    >>> # TODO: Initialize `payload`:
    >>> payload = ''
    >>>
    >>> response = client.sign_jwt(name, payload)

    - Parameters
        name (str) – The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}.
        payload (str) – The JWT payload to sign: a JSON object that contains a JWT Claims Set.
        delegates (list[str]) – The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}
        retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.
        timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.
        metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.
    - Returns
        A SignJwtResponse instance.
    - Raises
        google.api_core.exceptions.GoogleAPICallError – If the request failed for any reason.
        google.api_core.exceptions.RetryError – If the request failed due to a retryable error and retry attempts failed.
        ValueError – If the parameters are invalid.
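The block below is an added example, not code from the google-cloud-iam library or its documentation, and it serves both JWT-producing methods on this page: generate_id_token (check that the returned ID token carries the audience that was requested and, when include_email was set, the email and email_verified claims) and sign_jwt (build the JSON claim-set string that payload expects, then check that the returned token's header names the same key as the response's key id and that the signed claims round-trip). Assumptions not stated on this page: a GenerateIdTokenResponse exposes the token as token, a SignJwtResponse exposes key_id and signed_jwt, and the signed JWT's header names the key in kid. make_sample_jwt is a constructed fixture whose signature segment is a placeholder, so the checks can run offline; nothing here verifies a signature, which is the token consumer's job and needs the signer's public key.

```python
# Added example (not part of the google-cloud-iam docs): post-call checks for
# generate_id_token and sign_jwt results, plus a claim-set builder for sign_jwt.
import base64
import json
import time
from typing import Dict, List, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into (header, claims) dicts. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_id_token(token: str, requested_audience: str, include_email: bool,
                   now: Optional[float] = None) -> List[str]:
    """Return problems found in an ID token relative to the generate_id_token request.

    Empty list: aud equals the requested audience, email/email_verified are present
    when include_email was set, and exp is still in the future.
    """
    now = time.time() if now is None else now
    _, claims = decode_jwt_unverified(token)
    problems = []
    if claims.get("aud") != requested_audience:
        problems.append(f"aud mismatch: requested {requested_audience!r}, "
                        f"token carries {claims.get('aud')!r}")
    has_email = "email" in claims and "email_verified" in claims
    if include_email and not has_email:
        problems.append("include_email=True but email/email_verified claims are absent")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token is already expired")
    return problems


def build_claim_set(service_account_email: str, audience: str,
                    lifetime_seconds: int = 300, now: Optional[float] = None) -> str:
    """Serialize the JWT Claims Set that sign_jwt takes as `payload` (a JSON object string)."""
    issued_at = int(time.time() if now is None else now)
    claims = {
        "iss": service_account_email,  # the signing service account is the issuer
        "sub": service_account_email,
        "aud": audience,
        "iat": issued_at,
        "exp": issued_at + int(lifetime_seconds),
    }
    return json.dumps(claims, separators=(",", ":"))


def check_signed_jwt(signed_jwt: str, key_id: str, submitted_payload: str) -> List[str]:
    """Return problems with a sign_jwt result: kid must equal key_id, claims must round-trip."""
    header, claims = decode_jwt_unverified(signed_jwt)
    problems = []
    if header.get("kid") != key_id:
        problems.append(f"header kid {header.get('kid')!r} != response key_id {key_id!r}")
    if claims != json.loads(submitted_payload):
        problems.append("signed claims differ from the submitted payload")
    return problems


def make_sample_jwt(header: Dict, claims: Dict) -> str:
    """Constructed fixture: a compact JWT whose third segment is a placeholder, not a signature."""
    def enc(obj: Dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.CONSTRUCTED-SIGNATURE-PLACEHOLDER"


if __name__ == "__main__":
    sa = "app-sa@example-project.iam.gserviceaccount.com"  # constructed
    payload = build_claim_set(sa, "https://api.example.test", now=1_700_000_000)
    # With the real client: resp = client.sign_jwt(name, payload);
    # then check_signed_jwt(resp.signed_jwt, resp.key_id, payload).
    sample = make_sample_jwt({"alg": "RS256", "typ": "JWT", "kid": "key-1"},
                             json.loads(payload))
    print(check_signed_jwt(sample, "key-1", payload))
    print(check_id_token(sample, "https://other.example.test", False, now=1_700_000_000))
```

The audience check matters most in practice: an ID token minted for one service and presented to another is accepted by nobody, yet the failure shows up far from the code that requested it. Keeping lifetime_seconds small in build_claim_set limits how long a self-signed JWT stays usable if it leaks.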