GCECredentials supports authorization on Google Compute Engine.

It can be used to authorize requests using the AuthTokenMiddleware, but only
succeeds when running on GCE:

use Google\Auth\Credentials\GCECredentials;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

$gce = new GCECredentials();
$middleware = new AuthTokenMiddleware($gce);
$stack = HandlerStack::create();
$stack->push($middleware);

$client = new Client([
    'handler' => $stack,
    'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
    'auth' => 'google_auth'
]);

$res = $client->get('myproject/taskqueues/myqueue');

Cloneable, Instantiable
Extends Google\Auth\CredentialsLoader
Implements Google\Auth\FetchAuthTokenInterface
Google\Auth\GetQuotaProjectInterface
Google\Auth\ProjectIdProviderInterface
Google\Auth\SignBlobInterface

Constants
public Google\Auth\CredentialsLoader::AUTH_METADATA_KEY = 'authorization'
public Google\Auth\Credentials\GCECredentials::cacheKey = 'GOOGLE_AUTH_PHP_GCE'
public Google\Auth\Credentials\GCECredentials::CLIENT_ID_URI_PATH = 'v1/instance/service-accounts/default/email'
 

The metadata path of the client ID.

public Google\Auth\Credentials\GCECredentials::COMPUTE_PING_CONNECTION_TIMEOUT_S = 0.5
public Google\Auth\CredentialsLoader::ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'
public Google\Auth\Credentials\GCECredentials::FLAVOR_HEADER = 'Metadata-Flavor'
 

The header whose presence indicates GCE presence.

public Google\Auth\Credentials\GCECredentials::ID_TOKEN_URI_PATH = 'v1/instance/service-accounts/default/identity'
 

The metadata path of the default id token.

public Google\Auth\Credentials\GCECredentials::MAX_COMPUTE_PING_TRIES = 3
 

Note: the explicit timeout and number of tries are a workaround. The underlying
issue is that resolving an unknown host on some networks will take
20-30 seconds; making this timeout short fixes the issue, but
could lead to false negatives in the event that we are on GCE, but
the metadata resolution was particularly slow. The latter case is
"unlikely" since the expected 4-nines time is about 0.5 seconds.

This allows us to limit the total ping maximum timeout to 1.5 seconds
for developer desktop scenarios.

public Google\Auth\Credentials\GCECredentials::METADATA_IP = '169.254.169.254'
 

The metadata IP address on App Engine instances.

The IP is used instead of the domain 'metadata' to avoid slow responses
when not on Compute Engine.

public Google\Auth\CredentialsLoader::NON_WINDOWS_WELL_KNOWN_PATH_BASE = '.config'
public Google\Auth\Credentials\GCECredentials::PROJECT_ID_URI_PATH = 'v1/project/project-id'
 

The metadata path of the project ID.

public Google\Auth\CredentialsLoader::TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token'
public Google\Auth\Credentials\GCECredentials::TOKEN_URI_PATH = 'v1/instance/service-accounts/default/token'
 

The metadata path of the default token.

public Google\Auth\CredentialsLoader::WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json'
public Google\Auth\GetQuotaProjectInterface::X_GOOG_USER_PROJECT_HEADER = 'X-Goog-User-Project'
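
The constants above describe a bounded probe: up to MAX_COMPUTE_PING_TRIES requests to METADATA_IP, each limited to COMPUTE_PING_CONNECTION_TIMEOUT_S, accepted only when the FLAVOR_HEADER comes back. The sketch below is an added example, not the library's own code: probeGce() and the three constructed transports are hypothetical names, and it assumes the header value 'Google' that the GCE metadata server uses.

```php
<?php
// Added illustration, not google/auth source. probeGce() and the constructed
// transports are hypothetical; the constants mirror the values listed above.
const METADATA_IP = '169.254.169.254';
const FLAVOR_HEADER = 'Metadata-Flavor';
const MAX_COMPUTE_PING_TRIES = 3;
const COMPUTE_PING_CONNECTION_TIMEOUT_S = 0.5;

// $send is fn(string $url, array $headers, float $timeout): array. It returns
// the response headers (name => value) and throws RuntimeException when the
// connection fails or times out.
function probeGce(callable $send): bool
{
    for ($try = 1; $try <= MAX_COMPUTE_PING_TRIES; $try++) {
        try {
            $headers = $send(
                'http://' . METADATA_IP,
                [FLAVOR_HEADER => 'Google'],
                COMPUTE_PING_CONNECTION_TIMEOUT_S
            );
        } catch (RuntimeException $e) {
            continue; // Worst case: 3 tries x 0.5 s = 1.5 s before giving up.
        }
        // Something answered. Trust it only if it echoes the flavor header,
        // so a proxy or captive portal on the link-local IP is rejected.
        $headers = array_change_key_case($headers, CASE_LOWER);
        return ($headers[strtolower(FLAVOR_HEADER)] ?? '') === 'Google';
    }
    return false;
}

// Constructed transports standing in for a real HTTP client.
$slowMetadataServer = function (string $url, array $headers, float $timeout): array {
    static $calls = 0;
    if (++$calls < MAX_COMPUTE_PING_TRIES) {
        throw new RuntimeException('connect timed out');
    }
    return ['metadata-flavor' => 'Google'];
};
$captivePortal = function (string $url, array $headers, float $timeout): array {
    return ['Content-Type' => 'text/html'];
};
$developerDesktop = function (string $url, array $headers, float $timeout): array {
    throw new RuntimeException('no route to host');
};
var_dump(probeGce($slowMetadataServer)); // answers only on the third try
var_dump(probeGce($captivePortal));      // answers without the flavor header
var_dump(probeGce($developerDesktop));   // never answers
```

The second transport is the case the response-header check exists for: a host that answers on the link-local address is not treated as the metadata server, so no token request would follow.
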
Methods
public __construct(?Google\Auth\Iam $iam = NULL, $scope = NULL, $targetAudience = NULL, $quotaProject = NULL)
 
    public fetchAuthToken(?callable $httpHandler = NULL)
     

    Implements FetchAuthTokenInterface#fetchAuthToken.

    Fetches the auth tokens from the GCE metadata host if it is available.
    If $httpHandler is not specified, the default HttpHandler is used.

    • return array A set of auth related metadata, based on the token type.
      Access tokens have the following keys:
        - access_token (string)
        - expires_in (int)
        - token_type (string)
      ID tokens have the following keys:
        - id_token (string)
    • throws Exception
    public static Google\Auth\CredentialsLoader::fromEnv()
     

    Load a JSON key from the path specified in the environment.

    Load a JSON key from the path specified in the environment
    variable GOOGLE_APPLICATION_CREDENTIALS. Return null if
    GOOGLE_APPLICATION_CREDENTIALS is not specified.

    • return array|null JSON key | null
    public static Google\Auth\CredentialsLoader::fromWellKnownFile()
     

    Load a JSON key from a well known path.

    The well known path is OS dependent:

    • windows: %APPDATA%/gcloud/application_default_credentials.json
    • others: $HOME/.config/gcloud/application_default_credentials.json

    If the file does not exist, this returns null.

    • return array|null JSON key | null
    public getCacheKey()
     
    • return string
    public getClientName(?callable $httpHandler = NULL)
     

    Get the client name from GCE metadata.

    Subsequent calls will return a cached value.

    • return string
    public static getClientNameUri()
     

    The full uri for accessing the default service account.

    • return string
    public getLastReceivedToken()
     
    • return array|null
    public getProjectId(?callable $httpHandler = NULL)
     

    Fetch the default Project ID from compute engine.

    Returns null if called outside GCE.

    • return string|null
    public getQuotaProject()
     

    Get the quota project used for this API request.

    • return string|null
    public static getTokenUri()
     

    The full uri for accessing the default token.

    • return string
    public Google\Auth\CredentialsLoader::getUpdateMetadataFunc()
     

    Export a callback function which updates runtime metadata.

    • return array updateMetadata function
    public static Google\Auth\CredentialsLoader::makeCredentials( $scope, array $jsonKey)
     

    Create a new Credentials instance.

    • return ServiceAccountCredentials|\UserRefreshCredentials
    public static Google\Auth\CredentialsLoader::makeHttpClient(Google\Auth\FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], ?callable $httpHandler = NULL, ?callable $tokenCallback = NULL)
     

    Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

    public static Google\Auth\CredentialsLoader::makeInsecureCredentials()
     

    Create a new instance of InsecureCredentials.

    public static onAppEngineFlexible()
     

    Determines if this is an App Engine Flexible instance, by accessing the
    GAE_INSTANCE environment variable.

    • return bool true if this is an App Engine Flexible instance, false otherwise
    public static onGce(?callable $httpHandler = NULL)
     

    Determines if this is a GCE instance, by accessing the expected metadata
    host.

    If $httpHandler is not specified, the default HttpHandler is used.

    • return bool True if this is a GCE instance, false otherwise
    public signBlob( $stringToSign, $forceOpenSsl = false)
     

    Sign a string using the default service account private key.

    This implementation uses IAM's signBlob API.

    • see https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlob SignBlob
    • return string
    public Google\Auth\CredentialsLoader::updateMetadata( $metadata, $authUri = NULL, ?callable $httpHandler = NULL)
     

    Updates metadata with the authorization token.

    • return array updated metadata hashmap
    Properties
    protected $lastReceivedToken
     

    Result of fetchAuthToken.

    Properties
    private $clientName
     
    • var string|null
    private $hasCheckedOnGce
     

    Flag used to ensure that the onGCE test is only done once.

    • var bool
    private $iam
     
    • var Iam|null
    private $isOnGce
     

    Flag that stores the value of the onGCE check.

    • var bool
    private $projectId
     
    • var string|null
    private $quotaProject
     
    • var string|null
    private $targetAudience
     
    • var string
    private $tokenUri
     
    • var string
    Methods
    private getFromMetadata(callable $httpHandler, $uri)
     

    Fetch the value of a GCE metadata server URI.

    • return string
    private static getProjectIdUri()
     

    The full uri for accessing the default project ID.

    • return string
    private static Google\Auth\CredentialsLoader::isOnWindows()
     
    • return bool
    private static Google\Auth\CredentialsLoader::unableToReadEnv( $cause)
     
    • return string
    © 2020 Bruce Wells