googleauth 1.15.1 → 1.16.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/Credentials.md +1 -1
- data/README.md +0 -1
- data/lib/googleauth/default_credentials.rb +3 -0
- data/lib/googleauth/external_account.rb +9 -0
- data/lib/googleauth/impersonated_service_account.rb +53 -1
- data/lib/googleauth/version.rb +1 -1
- metadata +1 -1
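--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4cadf68940056f975d386c6cb0cc55b4e1dcebb72a0313a5a5b58347994fa9dd
+data.tar.gz: cad38a2d2014e88abda0e63092786302294c2e963a4e4fca56a681ec7f84f08b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 195efa15c10d767d5ab032291d1c341e760e9bbf326f025f705595e09e6f122f18d582a185ca6c1604a710b8facc11b37cb02e04664b4ba2488b8a85e2318f47
+data.tar.gz: ce881af766994bd312208a9531da24a92efa6f3311abae02cda4f7c1b1d303f54d765b571574745d0cc61cd35e8cc9ceccfdc39a8d9d5368dad6e18f6dbcbd3d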
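--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Release History
 
+### 1.16.0 (2025-11-21)
+
+#### Features
+
+* Add ADC support for impersonated credentials ([#547](https://github.com/googleapis/google-auth-library-ruby/issues/547))
+#### Bug Fixes
+
+* Include security warning in ExternalAccount and ImpersonatedServiceAccount credentials ([#551](https://github.com/googleapis/google-auth-library-ruby/issues/551))
+
 ### 1.15.1 (2025-10-14)
 
 #### Bug Fixes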
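--- a/data/Credentials.md
+++ b/data/Credentials.md
@@ -66,7 +66,7 @@ that exposes common initialization functionality, such as creating credentials f
 - Allows a GCP principal identified by a set of source credentials to impersonate a service account
 - Useful for delegation of authority and managing permissions across service accounts
 - Source credentials must have the Service Account Token Creator role on the target
-- This credential type
+- This credential type supports JSON configuration. The JSON form of this credential type has a `"type"` field with the value `"impersonated_service_account"`.
 
 ## User Authentication
 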
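--- a/data/README.md
+++ b/data/README.md
@@ -292,5 +292,4 @@ hesitate to
 about the client or APIs on [StackOverflow](http://stackoverflow.com).
 
 [application default credentials]: https://cloud.google.com/docs/authentication/provide-credentials-adc
-[contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/main/.github/CONTRIBUTING.md
 [license]: https://github.com/googleapis/google-auth-library-ruby/tree/main/LICENSE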
@@ -21,6 +21,7 @@ require "googleauth/external_account"
|
|
|
21
21
|
require "googleauth/service_account"
|
|
22
22
|
require "googleauth/service_account_jwt_header"
|
|
23
23
|
require "googleauth/user_refresh"
|
|
24
|
+
require "googleauth/impersonated_service_account"
|
|
24
25
|
|
|
25
26
|
module Google
|
|
26
27
|
# Module Auth provides classes that provide Google-specific authorization
|
|
@@ -114,6 +115,8 @@ module Google
|
|
|
114
115
|
UserRefreshCredentials
|
|
115
116
|
when ExternalAccount::Credentials::CREDENTIAL_TYPE_NAME
|
|
116
117
|
ExternalAccount::Credentials
|
|
118
|
+
when ImpersonatedServiceAccountCredentials::CREDENTIAL_TYPE_NAME
|
|
119
|
+
ImpersonatedServiceAccountCredentials
|
|
117
120
|
else
|
|
118
121
|
raise InitializationError, "credentials type '#{type}' is not supported"
|
|
119
122
|
end
|
|
@@ -40,6 +40,15 @@ module Google
|
|
|
40
40
|
|
|
41
41
|
# Create a ExternalAccount::Credentials
|
|
42
42
|
#
|
|
43
|
+
# @note Warning:
|
|
44
|
+
# This method does not validate the credential configuration. A security
|
|
45
|
+
# risk occurs when a credential configuration configured with malicious urls
|
|
46
|
+
# is used.
|
|
47
|
+
# When the credential configuration is accepted from an
|
|
48
|
+
# untrusted source, you should validate it before using with this method.
|
|
49
|
+
# See https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
|
|
50
|
+
# for more details.
|
|
51
|
+
#
|
|
43
52
|
# @param options [Hash] Options for creating credentials
|
|
44
53
|
# @option options [IO] :json_key_io (required) An IO object containing the JSON key
|
|
45
54
|
# @option options [String,Array,nil] :scope The scope(s) to access
|
|
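Review bot: The @note added above `make_creds` tells the caller to validate the configuration but does not say which fields carry the risk, so a reader cannot act on it; a follow-on line such as `# In particular, confirm that URL fields such as token_url and service_account_impersonation_url point at the endpoints you expect.` would make the warning actionable. The same paragraph is added verbatim to `ImpersonatedServiceAccountCredentials.make_creds` in this release, where `service_account_impersonation_url` is the field in question. The method body lies outside this hunk.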
@@ -23,6 +23,9 @@ module Google
|
|
|
23
23
|
# and then that claim is exchanged for a short-lived token at an IAMCredentials endpoint.
|
|
24
24
|
# The short-lived token and its expiration time are cached.
|
|
25
25
|
class ImpersonatedServiceAccountCredentials
|
|
26
|
+
# @private
|
|
27
|
+
CREDENTIAL_TYPE_NAME = "impersonated_service_account".freeze
|
|
28
|
+
|
|
26
29
|
# @private
|
|
27
30
|
ERROR_SUFFIX = <<~ERROR.freeze
|
|
28
31
|
when trying to get security access token
|
|
@@ -69,6 +72,15 @@ module Google
|
|
|
69
72
|
# and request short-lived credentials for a service account
|
|
70
73
|
# that has the authorization that your use case requires.
|
|
71
74
|
#
|
|
75
|
+
# @note Warning:
|
|
76
|
+
# This method does not validate the credential configuration. A security
|
|
77
|
+
# risk occurs when a credential configuration configured with malicious urls
|
|
78
|
+
# is used.
|
|
79
|
+
# When the credential configuration is accepted from an
|
|
80
|
+
# untrusted source, you should validate it before using with this method.
|
|
81
|
+
# See https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
|
|
82
|
+
# for more details.
|
|
83
|
+
#
|
|
72
84
|
# @param options [Hash] A hash of options to configure the credentials.
|
|
73
85
|
# @option options [Object] :base_credentials (required) The authenticated principal.
|
|
74
86
|
# It will be used as following:
|
|
@@ -84,11 +96,50 @@ module Google
|
|
|
84
96
|
# defining the permissions required for the token.
|
|
85
97
|
# @option options [Object] :source_credentials The authenticated principal that will be used
|
|
86
98
|
# to fetch the short-lived impersonation access token. It is an alternative to providing the base credentials.
|
|
99
|
+
# @option options [IO] :json_key_io The IO object that contains the credential configuration.
|
|
100
|
+
# It is exclusive with `:base_credentials` and `:source_credentials` options.
|
|
87
101
|
#
|
|
88
102
|
# @return [Google::Auth::ImpersonatedServiceAccountCredentials]
|
|
89
103
|
def self.make_creds options = {}
|
|
90
|
-
|
|
104
|
+
if options[:json_key_io]
|
|
105
|
+
make_creds_from_json options
|
|
106
|
+
else
|
|
107
|
+
new options
|
|
108
|
+
end
|
|
109
|
+
end
|
|
110
|
+
|
|
111
|
+
# @private
|
|
112
|
+
def self.make_creds_from_json options
|
|
113
|
+
json_key_io = options[:json_key_io]
|
|
114
|
+
if options[:base_credentials] || options[:source_credentials]
|
|
115
|
+
raise Google::Auth::InitializationError,
|
|
116
|
+
"json_key_io is not compatible with base_credentials or source_credentials"
|
|
117
|
+
end
|
|
118
|
+
|
|
119
|
+
require "googleauth/default_credentials"
|
|
120
|
+
impersonated_json = MultiJson.load json_key_io.read
|
|
121
|
+
source_credentials_info = impersonated_json["source_credentials"]
|
|
122
|
+
|
|
123
|
+
if source_credentials_info["type"] == CREDENTIAL_TYPE_NAME
|
|
124
|
+
raise Google::Auth::InitializationError,
|
|
125
|
+
"Source credentials can't be of type impersonated_service_account, " \
|
|
126
|
+
"use delegates to chain impersonation."
|
|
127
|
+
end
|
|
128
|
+
|
|
129
|
+
source_credentials = DefaultCredentials.make_creds(
|
|
130
|
+
json_key_io: StringIO.new(MultiJson.dump(source_credentials_info))
|
|
131
|
+
)
|
|
132
|
+
|
|
133
|
+
impersonation_url = impersonated_json["service_account_impersonation_url"]
|
|
134
|
+
scope = options[:scope] || impersonated_json["scopes"]
|
|
135
|
+
|
|
136
|
+
new(
|
|
137
|
+
source_credentials: source_credentials,
|
|
138
|
+
impersonation_url: impersonation_url,
|
|
139
|
+
scope: scope
|
|
140
|
+
)
|
|
91
141
|
end
|
|
142
|
+
private_class_method :make_creds_from_json
|
|
92
143
|
|
|
93
144
|
# Initializes a new instance of ImpersonatedServiceAccountCredentials.
|
|
94
145
|
#
|
|
@@ -105,6 +156,7 @@ module Google
|
|
|
105
156
|
# - `{source_sa_email}` is the email address of the service account to impersonate.
|
|
106
157
|
# @option options [Array<String>, String] :scope (required) The scope(s) for the short-lived impersonation token,
|
|
107
158
|
# defining the permissions required for the token.
|
|
159
|
+
# It will override the scope from the `json_key_io` file if provided.
|
|
108
160
|
# @option options [Object] :source_credentials The authenticated principal that will be used
|
|
109
161
|
# to fetch the short-lived impersonation access token. It is an alternative to providing the base credentials.
|
|
110
162
|
# It is redundant to provide both source and base credentials as only source will be used,
|
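Review bot: `make_creds_from_json` indexes `impersonated_json["source_credentials"]` and then `source_credentials_info["type"]` without checking that the key exists, so a configuration file without `source_credentials` fails with a `NoMethodError` on `nil` rather than the `InitializationError` the method raises for its other rejections; a guard such as `raise Google::Auth::InitializationError, "source_credentials is missing from the impersonated credential configuration" unless source_credentials_info.is_a?(Hash)` ahead of the type check keeps the error contract uniform. `service_account_impersonation_url` is likewise passed to `new` as `nil` when absent and otherwise used exactly as given, which is the malicious-URL risk the new @note describes; whether `initialize` rejects a missing or unexpected endpoint lies outside the hunk, so a host check at this point (allowing for any non-default endpoint the library is configured for) would be the concrete mitigation. The rejection message tells the user to `use delegates to chain impersonation`, yet the hunk reads no `delegates` key from the file, so if the class accepts no such option the message points at something this loader does not support. The in-method `require "googleauth/default_credentials"` appears to be a deliberate break of the load cycle now that `default_credentials.rb` requires this file at load time; a one-line comment, `# required lazily: default_credentials.rb requires this file at load time`, would keep a future cleanup from hoisting it.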
data/lib/googleauth/version.rb
CHANGED