GCP auth provides authentication using service accounts Google Cloud Platform (GCP)
The library looks for authentication methods in the following order:
- Path to service account JSON configuration file using GOOGLE_APPLICATION_CREDENTIALS environment variable. The service account configuration file can be downloaded in the IAM service when displaying service account detail. The downloaded JSON file should be provided without any further modification.
- Invoking the library inside GCP environment fetches the default service account for the service and the application is authenticated using that particular account
- Application default credentials. Local user authentication for development purposes created using
- If none of the above can be used an error occurs
The tokens are single-use and as such they shouldn’t be cached and for each use a new token should be requested. Library handles token caching for their lifetime and so it won’t make a request if a token with appropriate scope is available.
When running inside GCP the library can be asked directly without any further configuration to provide a Bearer token for the current service account of the service.
let authentication_manager = gcp_auth::init().await?; let token = authentication_manager.get_token().await?;
When running outside of GCP e.g on development laptop to allow finer granularity for permission a
custom service account can be used. To use a custom service account a configuration file containing key
has to be downloaded in IAM service for the service account you intend to use. The configuration file has to
be available to the application at run time. The path to the configuration file is specified by
GOOGLE_APPLICATION_CREDENTIALS environment variable.
// GOOGLE_APPLICATION_CREDENTIALS environment variable is set-up let authentication_manager = gcp_auth::init().await?; let token = authentication_manager.get_token().await?;
You may instantiate
authentication_manager from a credentials file path using the method
// `credentials_path` variable is the path for the credentials `.json` file. let authentication_manager = gcp_auth::from_credentials_file(credentials_path).await?; let token = authentication_manager.get_token().await?;
This authentication method allows developers to authenticate again GCP services when developing locally.
The method is intended only for development. Credentials can be set-up using
gcloud auth utility.
Credentials are read from file
Authentication manager is responsible for caching and obtaing credentials for the required scope
Represents an access token. All access tokens are Bearer tokens.
Enumerates all possible errors returned by this library.