Expand description
GCP auth provides authentication using service accounts Google Cloud Platform (GCP)
GCP auth is a simple, minimal authentication library for Google Cloud Platform (GCP) providing authentication using service accounts. Once authenticated, the service account can be used to acquire bearer tokens for use in authenticating against GCP services.
The library supports the following methods of retrieving tokens:
- Reading custom service account credentials from the path pointed to by the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. Alternatively, custom service account credentials can be read from a JSON file or string. - Look for credentials in
.config/gcloud/application_default_credentials.json; if found, use these credentials to request refresh tokens. This file can be created by invokinggcloud auth application-default login. - Use the default service account by retrieving a token from the metadata server.
- Retrieving a token from the
gcloudCLI tool, if it is available on thePATH.
For more details, see AuthenticationManager::new().
The AuthenticationManager handles caching tokens for their lifetime; it will not make a request if
an appropriate token is already cached. Therefore, the caller should not cache tokens.
§Simple usage
The default way to use this library is to get instantiate an AuthenticationManager. It will
find the appropriate authentication method and use it to retrieve tokens.
use gcp_auth::AuthenticationManager;
let authentication_manager = AuthenticationManager::new().await?;
let scopes = &["https://www.googleapis.com/auth/cloud-platform"];
let token = authentication_manager.get_token(scopes).await?;§Supplying service account credentials
When running outside of GCP (for example, on a development machine), it can be useful to supply
service account credentials. The first method checked by AuthenticationManager::new() is to
read a path to a file containing JSON credentials in the GOOGLE_APPLICATION_CREDENTIALS
environment variable. However, you may also supply a custom path to read credentials from, or
a &str containing the credentials. In both of these cases, you should create a
CustomServiceAccount directly using one of its associated functions:
use gcp_auth::{AuthenticationManager, CustomServiceAccount};
// `credentials_path` variable is the path for the credentials `.json` file.
let credentials_path = PathBuf::from("service-account.json");
let service_account = CustomServiceAccount::from_file(credentials_path)?;
let authentication_manager = AuthenticationManager::try_from(service_account)?;
let scopes = &["https://www.googleapis.com/auth/cloud-platform"];
let token = authentication_manager.get_token(scopes).await?;§Getting tokens in multi-thread or async environments
Using a OnceCell makes it easy to reuse the AuthenticationManager across different
threads or async tasks.
use gcp_auth::AuthenticationManager;
use tokio::sync::OnceCell;
static AUTH_MANAGER: OnceCell<AuthenticationManager> = OnceCell::const_new();
async fn authentication_manager() -> &'static AuthenticationManager {
AUTH_MANAGER
.get_or_init(|| async {
AuthenticationManager::new()
.await
.expect("unable to initialize authentication manager")
})
.await
}Structs§
- Authentication manager is responsible for caching and obtaining credentials for the required scope
- A custom service account containing credentials
- An RSA PKCS1 SHA256 signer
- Represents an access token. All access tokens are Bearer tokens.
Enums§
- Enumerates all possible errors returned by this library.