google_cloud_auth::credentials

Struct Builder

Source 
pub struct Builder { /* private fields */ }
Expand description

A builder for constructing Credentials instances.

By default (using Builder::default), the builder is configured to load credentials according to the standard Application Default Credentials (ADC) strategy. ADC is the recommended approach for most applications and conforms to AIP-4110. If you need to load credentials from a non-standard location or source, you can provide specific credential JSON directly using Builder::new.

Common use cases where using ADC would is useful include:

  • Your application is deployed to a Google Cloud environment such as Google Compute Engine (GCE), Google Kubernetes Engine (GKE), or Cloud Run. Each of these deployment environments provides a default service account to the application, and offers mechanisms to change this default service account without any code changes to your application.
  • You are testing or developing the application on a workstation (physical or virtual). These credentials will use your preferences as set with gcloud auth application-default. These preferences can be your own Gooogle Cloud user credentials, or some service account.
  • Regardless of where your application is running, you can use the GOOGLE_APPLICATION_CREDENTIALS environment variable to override the defaults. This environment variable should point to a file containing a service account key file, or a JSON object describing your user credentials.

The headers returned by these credentials should be used in the Authorization HTTP header.

The Google Cloud client libraries for Rust will typically find and use these credentials automatically if a credentials file exists in the standard ADC search paths. You might instantiate these credentials either via ADC or a specific JSON file, if you need to:

  • Override the OAuth 2.0 scopes being requested for the access token.
  • Override the quota project ID for billing and quota management.

Example usage:

Fetching headers using ADC

let credentials = Builder::default()
    .with_quota_project_id("my-project")
    .build()?;
let headers = credentials.headers(Extensions::new()).await?;
println!("Headers: {headers:?}");

Fetching headers using custom JSON

let authorized_user = serde_json::json!({
    "client_id": "YOUR_CLIENT_ID.apps.googleusercontent.com", // Replace with your actual Client ID
    "client_secret": "YOUR_CLIENT_SECRET", // Replace with your actual Client Secret - LOAD SECURELY!
    "refresh_token": "YOUR_REFRESH_TOKEN", // Replace with the user's refresh token - LOAD SECURELY!
    "type": "authorized_user",
    // "quota_project_id": "your-billing-project-id", // Optional: Set if needed
    // "token_uri" : "test-token-uri", // Optional: Set if needed
});

let creds = Builder::new(authorized_user)
    .with_quota_project_id("my-project")
    .build()?;
let headers = creds.headers(Extensions::new()).await?;
println!("Headers: {headers:?}");

Implementations§

Source§

impl Builder

Source

pub fn new(json: Value) -> Self

Creates a new builder with given credentials json.

§Example
let authorized_user = serde_json::json!({ /* add details here */ });
let credentials = Builder::new(authorized_user).build();
Source

pub fn with_quota_project_id<S: Into<String>>(self, quota_project_id: S) -> Self

Sets the quota project for these credentials.

In some services, you can use an account in one project for authentication and authorization, and charge the usage to a different project. This requires that the user has serviceusage.services.use permissions on the quota project.

§Example
let credentials = Builder::default()
    .with_quota_project_id("my-project")
    .build();
Source

pub fn with_scopes<I, S>(self, scopes: I) -> Self
where I: IntoIterator<Item = S>, S: Into<String>,

Sets the scopes for these credentials.

scopes act as an additional restriction in addition to the IAM permissions granted to the principal (user or service account) that creates the token.

scopes define the permissions being requested for this specific access token when interacting with a service. For example, https://www.googleapis.com/auth/devstorage.read_write.

IAM permissions, on the other hand, define the underlying capabilities the principal possesses within a system. For example, storage.buckets.delete.

The credentials certify that a particular token was created by a certain principal.

When a token generated with specific scopes is used, the request must be permitted by both the the principals’s underlying IAM permissions and the scopes requested for the token.

Source

pub fn build(self) -> Result<Credentials, CredentialsError>

Returns a Credentials instance with the configured settings.

§Errors

Returns a CredentialsError if a unsupported credential type is provided or if the json provided to Builder::new cannot be successfully deserialized into the expected format. This typically happens if the JSON value is malformed or missing required fields. For more information, on how to generate json, consult the relevant section in the application-default credentials guide.

Trait Implementations§

Source§

impl Debug for Builder

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for Builder

Source§

fn default() -> Self

Creates a new builder where credentials will be obtained via application-default login.

§Example
let credentials = Builder::default().build();

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<T> ErasedDestructor for T
where T: 'static,