Crate gcp_auth

GCP auth provides authentication using service accounts Google Cloud Platform (GCP)

GCP auth is a simple, minimal authentication library for Google Cloud Platform (GCP) providing authentication using service accounts. Once authenticated, the service account can be used to acquire bearer tokens for use in authenticating against GCP services.

The library supports the following methods of retrieving tokens:

1. Reading custom service account credentials from the path pointed to by the GOOGLE_APPLICATION_CREDENTIALS environment variable. Alternatively, custom service account credentials can be read from a JSON file or string.
2. Look for credentials in .config/gcloud/application_default_credentials.json; if found, use these credentials to request refresh tokens. This file can be created by invoking gcloud auth application-default login.
3. Use the default service account by retrieving a token from the metadata server.
4. Retrieving a token from the gcloud CLI tool, if it is available on the PATH.

For more details, see provider().

A TokenProvider handles caching tokens for their lifetime; it will not make a request if an appropriate token is already cached. Therefore, the caller should not cache tokens.

Simple usage

The default way to use this library is to select the appropriate token provider using provider(). It will find the appropriate authentication method and use it to retrieve tokens.

let provider = gcp_auth::provider().await?;
let scopes = &["https://www.googleapis.com/auth/cloud-platform"];
let token = provider.token(scopes).await?;

Supplying service account credentials

When running outside of GCP (for example, on a development machine), it can be useful to supply service account credentials. The first method checked by provider() is to read a path to a file containing JSON credentials in the GOOGLE_APPLICATION_CREDENTIALS environment variable. However, you may also supply a custom path to read credentials from, or a &str containing the credentials. In both of these cases, you should create a CustomServiceAccount directly using one of its associated functions:

use gcp_auth::{CustomServiceAccount, TokenProvider};

// `credentials_path` variable is the path for the credentials `.json` file.
let credentials_path = PathBuf::from("service-account.json");
let service_account = CustomServiceAccount::from_file(credentials_path)?;
let scopes = &["https://www.googleapis.com/auth/cloud-platform"];
let token = service_account.token(scopes).await?;

Getting tokens in multi-thread or async environments

Using a OnceCell makes it easy to reuse the [AuthenticationManager] across different threads or async tasks.

use std::sync::Arc;
use tokio::sync::OnceCell;
use gcp_auth::TokenProvider;

static TOKEN_PROVIDER: OnceCell<Arc<dyn TokenProvider>> = OnceCell::const_new();

async fn token_provider() -> &'static Arc<dyn TokenProvider> {
    TOKEN_PROVIDER
        .get_or_init(|| async {
            gcp_auth::provider()
                .await
                .expect("unable to initialize token provider")
        })
        .await
}

Structs

• ConfigDefaultCredentials
  A token provider that uses the default user credentials
• CustomServiceAccount
  A custom service account containing credentials
• GCloudAuthorizedUser
  A token provider that queries the gcloud CLI for access tokens
• MetadataServiceAccount
  A token provider that queries the GCP instance metadata server for access tokens
• Signer
  An RSA PKCS1 SHA256 signer
• Token
  Represents an access token that can be used as a bearer token in HTTP requests

Enums

• Error
  Enumerates all possible errors returned by this library.

Traits

• TokenProvider
  A trait for an authentication context that can provide tokens

Functions

• provider
  Finds a service account provider to get authentication tokens from