Reference documentation and code samples for the IAM Service Account Credentials V1 API class Google::Iam::Credentials::V1::IAMCredentials::Client.
Client for the IAMCredentials service.
A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.
Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.
Inherits
- Object
Methods
.configure
def self.configure() { |config| ... } -> Client::ConfigurationConfigure the IAMCredentials Client class.
See Configuration for a description of the configuration fields.
- (config) — Configure the Client client.
- config (Client::Configuration)
# Modify the configuration for all IAMCredentials clients ::Google::Iam::Credentials::V1::IAMCredentials::Client.configure do |config| config.timeout = 10.0 end
#configure
def configure() { |config| ... } -> Client::ConfigurationConfigure the IAMCredentials Client instance.
The configuration is set to the derived mode, meaning that values can be changed, but structural changes (adding new fields, etc.) are not allowed. Structural changes should be made on Client.configure.
See Configuration for a description of the configuration fields.
- (config) — Configure the Client client.
- config (Client::Configuration)
#generate_access_token
def generate_access_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponse def generate_access_token(name: nil, delegates: nil, scope: nil, lifetime: nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponseGenerates an OAuth 2.0 access token for a service account.
def generate_access_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponsegenerate_access_token via a request object, either of type GenerateAccessTokenRequest or an equivalent Hash. - request (::Google::Iam::Credentials::V1::GenerateAccessTokenRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
- options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
def generate_access_token(name: nil, delegates: nil, scope: nil, lifetime: nil) -> ::Google::Iam::Credentials::V1::GenerateAccessTokenResponsegenerate_access_token via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above). -  name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The-wildcard character is required; replacing it with a project ID is invalid.
-  delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreatorrole on its next service account in the chain. The last service account in the chain must be granted theroles/iam.serviceAccountTokenCreatorrole on the service account that is specified in thenamefield of the request.The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The-wildcard character is required; replacing it with a project ID is invalid.
- scope (::Array<::String>) — Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
- lifetime (::Google::Protobuf::Duration, ::Hash) — The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.
- (response, operation) — Access the result along with the RPC operation
- response (::Google::Iam::Credentials::V1::GenerateAccessTokenResponse)
- operation (::GRPC::ActiveCall::Operation)
- (::Google::Cloud::Error) — if the RPC is aborted.
Basic example
require "google/iam/credentials/v1" # Create a client object. The client can be reused for multiple calls. client = Google::Iam::Credentials::V1::IAMCredentials::Client.new # Create a request. To set request fields, pass in keyword arguments. request = Google::Iam::Credentials::V1::GenerateAccessTokenRequest.new # Call the generate_access_token method. result = client.generate_access_token request # The returned object is of type Google::Iam::Credentials::V1::GenerateAccessTokenResponse. p result
#generate_id_token
def generate_id_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponse def generate_id_token(name: nil, delegates: nil, audience: nil, include_email: nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponseGenerates an OpenID Connect ID token for a service account.
def generate_id_token(request, options = nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponsegenerate_id_token via a request object, either of type GenerateIdTokenRequest or an equivalent Hash. - request (::Google::Iam::Credentials::V1::GenerateIdTokenRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
- options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
def generate_id_token(name: nil, delegates: nil, audience: nil, include_email: nil) -> ::Google::Iam::Credentials::V1::GenerateIdTokenResponsegenerate_id_token via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above). -  name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The-wildcard character is required; replacing it with a project ID is invalid.
-  delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreatorrole on its next service account in the chain. The last service account in the chain must be granted theroles/iam.serviceAccountTokenCreatorrole on the service account that is specified in thenamefield of the request.The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The-wildcard character is required; replacing it with a project ID is invalid.
- audience (::String) — Required. The audience for the token, such as the API or account that this token grants access to.
-  include_email (::Boolean) — Include the service account email in the token. If set to true, the token will containemailandemail_verifiedclaims.
- (response, operation) — Access the result along with the RPC operation
- response (::Google::Iam::Credentials::V1::GenerateIdTokenResponse)
- operation (::GRPC::ActiveCall::Operation)
- (::Google::Cloud::Error) — if the RPC is aborted.
Basic example
require "google/iam/credentials/v1" # Create a client object. The client can be reused for multiple calls. client = Google::Iam::Credentials::V1::IAMCredentials::Client.new # Create a request. To set request fields, pass in keyword arguments. request = Google::Iam::Credentials::V1::GenerateIdTokenRequest.new # Call the generate_id_token method. result = client.generate_id_token request # The returned object is of type Google::Iam::Credentials::V1::GenerateIdTokenResponse. p result
#initialize
def initialize() { |config| ... } -> ClientCreate a new IAMCredentials client object.
- (config) — Configure the IAMCredentials client.
- config (Client::Configuration)
- (Client) — a new instance of Client
# Create a client using the default configuration client = ::Google::Iam::Credentials::V1::IAMCredentials::Client.new # Create a client using a custom configuration client = ::Google::Iam::Credentials::V1::IAMCredentials::Client.new do |config| config.timeout = 10.0 end
#sign_blob
def sign_blob(request, options = nil) -> ::Google::Iam::Credentials::V1::SignBlobResponse def sign_blob(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignBlobResponseSigns a blob using a service account's system-managed private key.
def sign_blob(request, options = nil) -> ::Google::Iam::Credentials::V1::SignBlobResponsesign_blob via a request object, either of type SignBlobRequest or an equivalent Hash. - request (::Google::Iam::Credentials::V1::SignBlobRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
- options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
def sign_blob(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignBlobResponsesign_blob via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above). -  name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The-wildcard character is required; replacing it with a project ID is invalid.
-  delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreatorrole on its next service account in the chain. The last service account in the chain must be granted theroles/iam.serviceAccountTokenCreatorrole on the service account that is specified in thenamefield of the request.The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The-wildcard character is required; replacing it with a project ID is invalid.
- payload (::String) — Required. The bytes to sign.
- (response, operation) — Access the result along with the RPC operation
- response (::Google::Iam::Credentials::V1::SignBlobResponse)
- operation (::GRPC::ActiveCall::Operation)
- (::Google::Cloud::Error) — if the RPC is aborted.
Basic example
require "google/iam/credentials/v1" # Create a client object. The client can be reused for multiple calls. client = Google::Iam::Credentials::V1::IAMCredentials::Client.new # Create a request. To set request fields, pass in keyword arguments. request = Google::Iam::Credentials::V1::SignBlobRequest.new # Call the sign_blob method. result = client.sign_blob request # The returned object is of type Google::Iam::Credentials::V1::SignBlobResponse. p result
#sign_jwt
def sign_jwt(request, options = nil) -> ::Google::Iam::Credentials::V1::SignJwtResponse def sign_jwt(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignJwtResponseSigns a JWT using a service account's system-managed private key.
def sign_jwt(request, options = nil) -> ::Google::Iam::Credentials::V1::SignJwtResponsesign_jwt via a request object, either of type SignJwtRequest or an equivalent Hash. - request (::Google::Iam::Credentials::V1::SignJwtRequest, ::Hash) — A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.
- options (::Gapic::CallOptions, ::Hash) — Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
def sign_jwt(name: nil, delegates: nil, payload: nil) -> ::Google::Iam::Credentials::V1::SignJwtResponsesign_jwt via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above). -  name (::String) — Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The-wildcard character is required; replacing it with a project ID is invalid.
-  delegates (::Array<::String>) — The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreatorrole on its next service account in the chain. The last service account in the chain must be granted theroles/iam.serviceAccountTokenCreatorrole on the service account that is specified in thenamefield of the request.The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The-wildcard character is required; replacing it with a project ID is invalid.
- payload (::String) — Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
- (response, operation) — Access the result along with the RPC operation
- response (::Google::Iam::Credentials::V1::SignJwtResponse)
- operation (::GRPC::ActiveCall::Operation)
- (::Google::Cloud::Error) — if the RPC is aborted.
Basic example
require "google/iam/credentials/v1" # Create a client object. The client can be reused for multiple calls. client = Google::Iam::Credentials::V1::IAMCredentials::Client.new # Create a request. To set request fields, pass in keyword arguments. request = Google::Iam::Credentials::V1::SignJwtRequest.new # Call the sign_jwt method. result = client.sign_jwt request # The returned object is of type Google::Iam::Credentials::V1::SignJwtResponse. p result
#universe_domain
def universe_domain() -> StringThe effective universe domain
- (String)