GCECredentials supports authorization on Google Compute Engine.

It can be used to authorize requests using the AuthTokenMiddleware, but this will
only succeed when running on GCE:

use Google\Auth\Credentials\GCECredentials;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

$gce = new GCECredentials();
$middleware = new AuthTokenMiddleware($gce);
$stack = HandlerStack::create();
$stack->push($middleware);

$client = new Client([
    'handler' => $stack,
    'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
    'auth' => 'google_auth'
]);

$res = $client->get('myproject/taskqueues/myqueue');

Cloneable, Instantiable
Extends Google\Auth\CredentialsLoader
Implements Google\Auth\FetchAuthTokenInterface
Google\Auth\ProjectIdProviderInterface
Google\Auth\SignBlobInterface
Constants
public Google\Auth\CredentialsLoader::AUTH_METADATA_KEY = 'authorization'
public Google\Auth\Credentials\GCECredentials::cacheKey = 'GOOGLE_AUTH_PHP_GCE'
public Google\Auth\Credentials\GCECredentials::CLIENT_ID_URI_PATH = 'v1/instance/service-accounts/default/email'
 
The metadata path of the client ID.

public Google\Auth\Credentials\GCECredentials::COMPUTE_PING_CONNECTION_TIMEOUT_S = 0.5
public Google\Auth\CredentialsLoader::ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'
public Google\Auth\Credentials\GCECredentials::FLAVOR_HEADER = 'Metadata-Flavor'
 
The header whose presence indicates GCE presence.

public Google\Auth\Credentials\GCECredentials::ID_TOKEN_URI_PATH = 'v1/instance/service-accounts/default/identity'
 
The metadata path of the default id token.

public Google\Auth\Credentials\GCECredentials::MAX_COMPUTE_PING_TRIES = 3
 
Note: the explicit `timeout` and `tries` below are a workaround. The underlying issue is that resolving an unknown host on some networks takes 20-30 seconds. A short timeout avoids that delay, but can produce a false negative when we are on GCE and the metadata resolution was particularly slow. That case is "unlikely", since the expected 4-nines time is about 0.5 seconds.

This allows us to limit the total ping maximum timeout to 1.5 seconds
for developer desktop scenarios.

public Google\Auth\Credentials\GCECredentials::METADATA_IP = '169.254.169.254'
 
The metadata IP address on appengine instances.

The IP is used instead of the domain 'metadata' to avoid slow responses
when not on Compute Engine.

public Google\Auth\CredentialsLoader::NON_WINDOWS_WELL_KNOWN_PATH_BASE = '.config'
public Google\Auth\Credentials\GCECredentials::PROJECT_ID_URI_PATH = 'v1/project/project-id'
 
The metadata path of the project ID.

public Google\Auth\CredentialsLoader::TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token'
public Google\Auth\Credentials\GCECredentials::TOKEN_URI_PATH = 'v1/instance/service-accounts/default/token'
 
The metadata path of the default token.

public Google\Auth\CredentialsLoader::WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json'
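
The bounded probe that the metadata constants above describe, sketched as an added example (not the library's own code): it sends the Metadata-Flavor header to the metadata IP, gives each attempt 0.5 seconds, stops after 3 tries, and accepts the host only if the response carries the same header. The `$transport` callable, the function name and the expected header value `Google` are assumptions that do not appear on this page.

```php
<?php
// Added illustration, not the library's code. Values mirror the documented constants.
const METADATA_IP    = '169.254.169.254';
const FLAVOR_HEADER  = 'Metadata-Flavor';
const PING_TIMEOUT_S = 0.5; // COMPUTE_PING_CONNECTION_TIMEOUT_S
const MAX_PING_TRIES = 3;   // MAX_COMPUTE_PING_TRIES

/**
 * $transport is a hypothetical callable (string $url, array $headers, float $timeout)
 * that returns the response headers as an array, or throws RuntimeException
 * when the connection fails or times out.
 */
function probeMetadataServer(callable $transport): array
{
    for ($try = 1; $try <= MAX_PING_TRIES; $try++) {
        try {
            $headers = $transport('http://' . METADATA_IP, [FLAVOR_HEADER => 'Google'], PING_TIMEOUT_S);
        } catch (RuntimeException $e) {
            continue; // no answer within the timeout: spend the next try
        }
        // Something answered. Only the flavor header identifies the metadata server,
        // so a router, proxy or captive portal on that address is rejected.
        $headers = array_change_key_case($headers, CASE_LOWER);
        $onGce = ($headers[strtolower(FLAVOR_HEADER)] ?? '') === 'Google';
        return ['onGce' => $onGce, 'tries' => $try, 'maxWaitS' => $try * PING_TIMEOUT_S];
    }
    return ['onGce' => false, 'tries' => MAX_PING_TRIES, 'maxWaitS' => MAX_PING_TRIES * PING_TIMEOUT_S];
}

// Constructed transports standing in for three networks.
$slowMetadata = function () {
    static $calls = 0;
    if (++$calls < MAX_PING_TRIES) {
        throw new RuntimeException('connect timed out');
    }
    return ['Metadata-Flavor' => 'Google'];
};
$otherHost = fn () => ['Content-Type' => 'text/html'];
$desktop = function () {
    throw new RuntimeException('no route to host');
};

foreach (['slow metadata server' => $slowMetadata, 'other host on the IP' => $otherHost,
          'developer desktop' => $desktop] as $label => $transport) {
    printf("%-22s %s\n", $label, json_encode(probeMetadataServer($transport)));
}
```

The `maxWaitS` field is the upper bound on time spent connecting, which is where the 1.5 second ceiling for developer desktops comes from.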
Methods
public __construct(?Google\Auth\Iam $iam = NULL, $scope = NULL, $targetAudience = NULL)
 


    public fetchAuthToken(?callable $httpHandler = NULL)
     
    Implements FetchAuthTokenInterface#fetchAuthToken.

    Fetches the auth tokens from the GCE metadata host if it is available.
    If $httpHandler is not specified, the default HttpHandler is used.

    • return array A set of auth related metadata, based on the token type.
      Access tokens have the following keys:
      - access_token (string)
      - expires_in (int)
      - token_type (string)
      ID tokens have the following keys:
      - id_token (string)
    • throws Exception
    public static Google\Auth\CredentialsLoader::fromEnv()
     
    Load a JSON key from the path specified in the environment.

    Load a JSON key from the path specified in the environment
    variable GOOGLE_APPLICATION_CREDENTIALS. Return null if
    GOOGLE_APPLICATION_CREDENTIALS is not specified.

    • return array JSON key | null
    public static Google\Auth\CredentialsLoader::fromWellKnownFile()
     
    Load a JSON key from a well known path.

    The well known path is OS dependent:

    • windows: %APPDATA%/gcloud/application_default_credentials.json
    • others: $HOME/.config/gcloud/application_default_credentials.json

    If the file does not exist, this returns null.

    • return array JSON key | null
    public getCacheKey()
     


    • return string
    public getClientName(?callable $httpHandler = NULL)
     
    Get the client name from GCE metadata.

    Subsequent calls will return a cached value.

    • return string
    public static getClientNameUri()
     
    The full uri for accessing the default service account.

    • return string
    public getLastReceivedToken()
     


    • return array|null
    public getProjectId(?callable $httpHandler = NULL)
     
    Fetch the default Project ID from compute engine.

    Returns null if called outside GCE.

    • return string|null
    public static getTokenUri()
     
    The full uri for accessing the default token.

    • return string
    public Google\Auth\CredentialsLoader::getUpdateMetadataFunc()
     
    Export a callback function which updates runtime metadata.

    • return array updateMetadata function
    public static Google\Auth\CredentialsLoader::makeCredentials( $scope, array $jsonKey)
     
    Create a new Credentials instance.

    • return ServiceAccountCredentials|\UserRefreshCredentials
    public static Google\Auth\CredentialsLoader::makeHttpClient(Google\Auth\FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], ?callable $httpHandler = NULL, ?callable $tokenCallback = NULL)
     
    Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

    public static Google\Auth\CredentialsLoader::makeInsecureCredentials()
     
    Create a new instance of InsecureCredentials.

    public static onAppEngineFlexible()
     
    Determines if this is an App Engine Flexible instance, by accessing the GAE_INSTANCE environment variable.

    • return bool true if this is an App Engine Flexible instance, false otherwise
    public static onGce(?callable $httpHandler = NULL)
     
    Determines if this is a GCE instance, by accessing the expected metadata host.

    If $httpHandler is not specified, the default HttpHandler is used.

    • return bool True if this is a GCE instance, false otherwise
    public signBlob( $stringToSign, $forceOpenSsl = false)
     
    Sign a string using the default service account private key.

    This implementation uses IAM's signBlob API.

    • see https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlob SignBlob
    • return string
    public Google\Auth\CredentialsLoader::updateMetadata( $metadata, $authUri = NULL, ?callable $httpHandler = NULL)
     
    Updates metadata with the authorization token.

    • return array updated metadata hashmap
    Properties
    protected $lastReceivedToken
     
    Result of fetchAuthToken.

    Properties
    private $clientName
     


    • var string|null
    private $hasCheckedOnGce
     
    Flag used to ensure that the onGCE test is only done once.

    • var bool
    private $iam
     


    • var Iam|null
    private $isOnGce
     
    Flag that stores the value of the onGCE check.

    • var bool
    private $projectId
     


    • var string|null
    private $targetAudience
     


    • var string
    private $tokenUri
     


    • var string
    Methods
    private getFromMetadata(callable $httpHandler, $uri)
     
    Fetch the value of a GCE metadata server URI.

    • return string
    private static getProjectIdUri()
     
    The full uri for accessing the default project ID.

    • return string
    private static Google\Auth\CredentialsLoader::isOnWindows()
     


    • return bool
    private static Google\Auth\CredentialsLoader::unableToReadEnv( $cause)
     


    • return string
    © 2020 Bruce Wells