Package credentials

func DetectDefault ¶

func DetectDefault(opts *DetectOptions) (*auth.Credentials, error)

DetectDefault searches for "Application Default Credentials" and returns a credential based on the DetectOptions provided.

It looks for credentials in the following places, preferring the first location found:

• A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable. For workload identity federation, refer to https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation on how to generate the JSON configuration file for on-prem/non-Google cloud platforms.
• A JSON file in a location known to the gcloud command-line tool. On Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On other systems, $HOME/.config/gcloud/application_default_credentials.json.
• On Google Compute Engine, Google App Engine standard second generation runtimes, and Google App Engine flexible environment, it fetches credentials from the metadata server.

creds, err := credentials.DetectDefault(&credentials.DetectOptions{
    Scopes: []string{"https://www.googleapis.com/auth/devstorage.full_control"},
})
if err != nil {
    log.Fatal(err)
}
client, err := httptransport.NewClient(&httptransport.Options{
    Credentials: creds,
})
if err != nil {
    log.Fatal(err)
}
client.Get("...")

// Your credentials should be obtained from the Google
// Developer Console (https://console.developers.google.com).
// Navigate to your project, then see the "Credentials" page
// under "APIs & Auth".
// To create a service account client, click "Create new Client ID",
// select "Service Account", and click "Create Client ID". A JSON
// key file will then be downloaded to your computer.
filepath := "/path/to/your-project-key.json"
creds, err := credentials.DetectDefault(&credentials.DetectOptions{
    Scopes:          []string{"https://www.googleapis.com/auth/bigquery"},
    CredentialsFile: filepath,
})
if err != nil {
    log.Fatal(err)
}
client, err := httptransport.NewClient(&httptransport.Options{
    Credentials: creds,
})
if err != nil {
    log.Fatal(err)
}
client.Get("...")

data, err := os.ReadFile("/path/to/key-file.json")
if err != nil {
    log.Fatal(err)
}
creds, err := credentials.DetectDefault(&credentials.DetectOptions{
    Scopes:          []string{"https://www.googleapis.com/auth/bigquery"},
    CredentialsJSON: data,
})
if err != nil {
    log.Fatal(err)
}
client, err := httptransport.NewClient(&httptransport.Options{
    Credentials: creds,
})
if err != nil {
    log.Fatal(err)
}
client.Get("...")

func OnGCE ¶

func OnGCE() bool

OnGCE reports whether this process is running in Google Cloud.

type DetectOptions ¶

DetectOptions provides configuration for DetectDefault.

type DetectOptions struct {
    // Scopes that credentials tokens should have. Example:
    // https://www.googleapis.com/auth/cloud-platform. Required if Audience is
    // not provided.
    Scopes []string
    // Audience that credentials tokens should have. Only applicable for 2LO
    // flows with service accounts. If specified, scopes should not be provided.
    Audience string
    // Subject is the user email used for [domain wide delegation](https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority).
    // Optional.
    Subject string
    // EarlyTokenRefresh configures how early before a token expires that it
    // should be refreshed.
    EarlyTokenRefresh time.Duration
    // AuthHandlerOptions configures an authorization handler and other options
    // for 3LO flows. It is required, and only used, for client credential
    // flows.
    AuthHandlerOptions *auth.AuthorizationHandlerOptions
    // TokenURL allows to set the token endpoint for user credential flows. If
    // unset the default value is: https://oauth2.googleapis.com/token.
    // Optional.
    TokenURL string
    // STSAudience is the audience sent to when retrieving an STS token.
    // Currently this only used for GDCH auth flow, for which it is required.
    STSAudience string
    // CredentialsFile overrides detection logic and sources a credential file
    // from the provided filepath. If provided, CredentialsJSON must not be.
    // Optional.
    CredentialsFile string
    // CredentialsJSON overrides detection logic and uses the JSON bytes as the
    // source for the credential. If provided, CredentialsFile must not be.
    // Optional.
    CredentialsJSON []byte
    // UseSelfSignedJWT directs service account based credentials to create a
    // self-signed JWT with the private key found in the file, skipping any
    // network requests that would normally be made. Optional.
    UseSelfSignedJWT bool
    // Client configures the underlying client used to make network requests
    // when fetching tokens. Optional.
    Client *http.Client
    // UniverseDomain is the default service domain for a given Cloud universe.
    // The default value is "googleapis.com". This option is ignored for
    // authentication flows that do not support universe domain. Optional.
    UniverseDomain string
}

Subdirectories