oauth2client.service_account module

oauth2client Service account credentials class.

class oauth2client.service_account.ServiceAccountCredentials(service_account_email, signer, scopes='', private_key_id=None, client_id=None, user_agent=None, token_uri='https://www.googleapis.com/oauth2/v4/token', revoke_uri='https://accounts.google.com/o/oauth2/revoke', **kwargs)[source]

Bases: oauth2client.client.AssertionCredentials

Service Account credential for OAuth 2.0 signed JWT grants.

Supports

  • JSON keyfile (typically contains a PKCS8 key stored as PEM text)
  • .p12 key (stores PKCS12 key and certificate)

Sends a signed JWT assertion to the server in exchange for an access token.

This credential does not require a flow to instantiate because it represents a two-legged flow, and therefore has all of the information required to generate and refresh its own access tokens.

Parameters:
  • service_account_email – string, The email associated with the service account.
  • signer – crypt.Signer, A signer which can be used to sign content.
  • scopes – List or string, (Optional) Scopes to use when acquiring an access token.
  • private_key_id – string, (Optional) Private key identifier. Typically only used with a JSON keyfile. Can be sent in the header of a JWT token assertion.
  • client_id – string, (Optional) Client ID for the project that owns the service account.
  • user_agent – string, (Optional) User agent to use when sending request.
  • token_uri – string, URI for token endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
  • revoke_uri – string, URI for revoke endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
  • kwargs – dict, Extra key-value pairs (both strings) to send in the payload body when making an assertion.
MAX_TOKEN_LIFETIME_SECS = 3600

Max lifetime of the token (one hour, in seconds).

NON_SERIALIZED_MEMBERS = frozenset(['_private_key', 'store', '_signer'])

Members that aren’t serialized when object is converted to JSON.

create_delegated(sub)[source]

Create credentials that act on behalf of a user via domain-wide delegation of authority.

Use the sub parameter as the subject to delegate on behalf of that user.

For example:

>>> account_sub = 'foo@email.com'
>>> delegate_creds = creds.create_delegated(account_sub)
Parameters: sub – string, An email address that this service account will act on behalf of (via domain-wide delegation).
Returns: ServiceAccountCredentials, a copy of the current service account updated to act on behalf of sub.
create_scoped(scopes)[source]

Create a Credentials object for the given scopes.

The Credentials type is preserved.

create_scoped_required()[source]

Returns whether this Credentials object is scopeless.

If it is, create_scoped(scopes) needs to be called in order to create a Credentials object for API calls.

create_with_claims(claims)[source]

Create credentials that specify additional claims.

Parameters: claims – dict, key-value pairs for claims.
Returns: ServiceAccountCredentials, a copy of the current service account credentials with updated claims to use when obtaining access tokens.
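The claims set through create_delegated() and create_with_claims() end up in the JWT assertion, so a captured assertion shows whether delegation is in use. The following is an added example, not part of oauth2client: it decodes an assertion without verifying it and lists review findings. The function names, the sample claims and the assumption that aud carries the token endpoint are illustrative.

```python
import base64
import json

MAX_TOKEN_LIFETIME_SECS = 3600  # value documented on this page
TOKEN_URI = "https://www.googleapis.com/oauth2/v4/token"  # default token_uri


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def review_assertion(jwt, expected_aud):
    """Decode (without verifying) a JWT assertion and list review findings."""
    header_b64, payload_b64, _signature = jwt.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    findings = []
    if "kid" not in header:
        findings.append("no kid in header: signing key cannot be identified")
    if claims.get("aud") != expected_aud:
        findings.append("aud %r is not the expected token endpoint" % claims.get("aud"))
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    if lifetime > MAX_TOKEN_LIFETIME_SECS:
        findings.append("lifetime %ds exceeds %ds" % (lifetime, MAX_TOKEN_LIFETIME_SECS))
    if "sub" in claims:  # set by create_delegated(sub)
        findings.append("delegated: %s acts as %s" % (claims.get("iss"), claims["sub"]))
    return findings


def make_sample(claims, header=None):
    # Constructed assertion with a placeholder signature segment ("c2ln").
    header = header or {"alg": "RS256", "typ": "JWT", "kid": "0000placeholder"}
    return ".".join([b64url_encode(header), b64url_encode(claims), "c2ln"])


# Constructed sample claim sets (hypothetical account and scope).
BASE = {"iss": "svc@example-project.iam.gserviceaccount.com",
        "scope": "https://www.googleapis.com/auth/devstorage.read_only",
        "aud": TOKEN_URI, "iat": 1700000000, "exp": 1700003600}
DELEGATED = dict(BASE, sub="foo@email.com", exp=1700000000 + 7200)

if __name__ == "__main__":
    print(review_assertion(make_sample(BASE), TOKEN_URI))
    print(review_assertion(make_sample(DELEGATED), TOKEN_URI))
```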
classmethod from_json(json_data)[source]

Deserialize a JSON-serialized instance.

Inverse to to_json().

Parameters: json_data – dict or string, Serialized JSON (as a string or an already parsed dictionary) representing a credential.
Returns: ServiceAccountCredentials from the serialized data.
classmethod from_json_keyfile_dict(keyfile_dict, scopes='', token_uri=None, revoke_uri=None)[source]

Factory constructor from parsed JSON keyfile.

Parameters:
  • keyfile_dict – dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile.
  • scopes – List or string, (Optional) Scopes to use when acquiring an access token.
  • token_uri – string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google’s endpoints.
  • revoke_uri – string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google’s endpoints.
Returns:

ServiceAccountCredentials, a credentials object created from the keyfile.

Raises:
  • ValueError, if the credential type is not SERVICE_ACCOUNT.
  • KeyError, if one of the expected keys is not present in the keyfile.
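Because token_uri and revoke_uri are taken from keyfile_dict when the caller does not pass them, a keyfile from an untrusted source determines where the signed assertion is sent. The following is an added example, not part of oauth2client: a pre-check to run on a parsed keyfile before handing it to from_json_keyfile_dict(). The function name, the allow-list and the required key names are assumptions based on the standard Google keyfile layout.

```python
from urllib.parse import urlsplit

# Keys a service-account JSON keyfile is expected to carry (assumption,
# based on the standard Google keyfile layout; not listed on this page).
REQUIRED_KEYS = ("client_email", "private_key", "private_key_id", "client_id")
# Hosts of the default endpoints shown in the signatures on this page.
ALLOWED_HOSTS = frozenset({"www.googleapis.com", "accounts.google.com"})


def audit_keyfile_dict(keyfile_dict, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means the keyfile passed."""
    findings = []
    if keyfile_dict.get("type") != "service_account":
        findings.append("type is %r, not 'service_account'" % keyfile_dict.get("type"))
    for key in REQUIRED_KEYS:
        if not keyfile_dict.get(key):
            findings.append("missing or empty key: " + key)
    # When the caller passes no token_uri/revoke_uri, the value in the keyfile
    # is used, so an untrusted keyfile decides where the signed JWT is sent.
    for field in ("token_uri", "revoke_uri"):
        uri = keyfile_dict.get(field)
        if uri is None:
            continue  # absent: the documented default endpoint applies
        parts = urlsplit(uri)
        if parts.scheme != "https":
            findings.append("%s is not https: %s" % (field, uri))
        elif parts.hostname not in allowed_hosts:
            findings.append("%s host not allow-listed: %s" % (field, parts.hostname))
    return findings


# Constructed sample keyfiles; the key material is a placeholder.
GOOD = {
    "type": "service_account",
    "client_email": "svc@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\n<placeholder>\n-----END PRIVATE KEY-----\n",
    "private_key_id": "0000placeholder",
    "client_id": "1234567890",
    "token_uri": "https://www.googleapis.com/oauth2/v4/token",
}
TAMPERED = dict(GOOD, token_uri="https://tokens.example.net/oauth2/token")
INCOMPLETE = {k: v for k, v in GOOD.items() if k != "private_key_id"}

if __name__ == "__main__":
    for name, kf in (("good", GOOD), ("tampered", TAMPERED), ("incomplete", INCOMPLETE)):
        print(name, audit_keyfile_dict(kf))
```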
classmethod from_json_keyfile_name(filename, scopes='', token_uri=None, revoke_uri=None)[source]

Factory constructor from JSON keyfile by name.

Parameters:
  • filename – string, The location of the keyfile.
  • scopes – List or string, (Optional) Scopes to use when acquiring an access token.
  • token_uri – string, URI for OAuth 2.0 provider token endpoint. If unset and not present in the key file, defaults to Google’s endpoints.
  • revoke_uri – string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in the key file, defaults to Google’s endpoints.
Returns:

ServiceAccountCredentials, a credentials object created from the keyfile.

Raises:
  • ValueError, if the credential type is not SERVICE_ACCOUNT.
  • KeyError, if one of the expected keys is not present in the keyfile.
classmethod from_p12_keyfile(service_account_email, filename, private_key_password=None, scopes='', token_uri='https://www.googleapis.com/oauth2/v4/token', revoke_uri='https://accounts.google.com/o/oauth2/revoke')[source]

Factory constructor from PKCS#12 keyfile.

Parameters:
  • service_account_email – string, The email associated with the service account.
  • filename – string, The location of the PKCS#12 keyfile.
  • private_key_password – string, (Optional) Password for PKCS#12 private key. Defaults to notasecret.
  • scopes – List or string, (Optional) Scopes to use when acquiring an access token.
  • token_uri – string, URI for token endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
  • revoke_uri – string, URI for revoke endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
Returns:

ServiceAccountCredentials, a credentials object created from the keyfile.

Raises:
  • NotImplementedError if pyOpenSSL is not installed / not the active crypto library.
classmethod from_p12_keyfile_buffer(service_account_email, file_buffer, private_key_password=None, scopes='', token_uri='https://www.googleapis.com/oauth2/v4/token', revoke_uri='https://accounts.google.com/o/oauth2/revoke')[source]

Factory constructor from a buffer containing PKCS#12 key contents.

Parameters:
  • service_account_email – string, The email associated with the service account.
  • file_buffer – stream, A buffer that implements read() and contains the PKCS#12 key contents.
  • private_key_password – string, (Optional) Password for PKCS#12 private key. Defaults to notasecret.
  • scopes – List or string, (Optional) Scopes to use when acquiring an access token.
  • token_uri – string, URI for token endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
  • revoke_uri – string, URI for revoke endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
Returns:

ServiceAccountCredentials, a credentials object created from the keyfile.

Raises:
  • NotImplementedError if pyOpenSSL is not installed / not the active crypto library.
serialization_data
service_account_email

Get the email for the current service account.

Returns: string, The email associated with the service account.
sign_blob(blob)[source]

Cryptographically sign a blob (of bytes).

Implements abstract method oauth2client.client.AssertionCredentials.sign_blob().

Parameters: blob – bytes, Message to be signed.
Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents.