oauth2client.service_account module
oauth2client Service account credentials class.
- class oauth2client.service_account.ServiceAccountCredentials(service_account_email, signer, scopes='', private_key_id=None, client_id=None, user_agent=None, token_uri='https://oauth2.googleapis.com/token', revoke_uri='https://oauth2.googleapis.com/revoke', **kwargs)
Bases: oauth2client.client.AssertionCredentials
Service Account credential for OAuth 2.0 signed JWT grants.
Supports
- JSON keyfile (typically contains a PKCS8 key stored as PEM text)
- .p12 key (stores PKCS12 key and certificate)
Sends a signed JWT assertion to the server in exchange for an access token.
This credential does not require a flow to instantiate because it represents a two-legged flow, and therefore has all of the required information to generate and refresh its own access tokens.
Parameters: - service_account_email – string, The email associated with the service account.
- signer – crypt.Signer, A signer which can be used to sign content.
- scopes – List or string, (Optional) Scopes to use when acquiring an access token.
- private_key_id – string, (Optional) Private key identifier. Typically only used with a JSON keyfile. Can be sent in the header of a JWT token assertion.
- client_id – string, (Optional) Client ID for the project that owns the service account.
- user_agent – string, (Optional) User agent to use when sending request.
- token_uri – string, URI for token endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
- revoke_uri – string, URI for revoke endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
- kwargs – dict, Extra key-value pairs (both strings) to send in the payload body when making an assertion.
- MAX_TOKEN_LIFETIME_SECS = 3600
Max lifetime of the token (one hour, in seconds).
- NON_SERIALIZED_MEMBERS = frozenset(['_private_key', 'store', '_signer'])
Members that aren’t serialized when object is converted to JSON.
- create_delegated(sub)
Create credentials that act as domain-wide delegation of authority.
Use the sub parameter as the subject to delegate on behalf of that user.
For example:
>>> account_sub = 'foo@email.com'
>>> delegate_creds = creds.create_delegated(account_sub)
Parameters: sub – string, An email address that this service account will act on behalf of (via domain-wide delegation).
Returns: ServiceAccountCredentials, a copy of the current service account updated to act on behalf of sub.
- create_scoped(scopes)
Create a Credentials object for the given scopes.
The Credentials type is preserved.
- create_scoped_required()
Whether this Credentials object is scopeless.
create_scoped(scopes) method needs to be called in order to create a Credentials object for API calls.
- create_with_claims(claims)
Create credentials that specify additional claims.
Parameters: claims – dict, key-value pairs for claims.
Returns: ServiceAccountCredentials, a copy of the current service account credentials with updated claims to use when obtaining access tokens.
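The assertion behind the two-legged flow in the class description, and where create_delegated and create_with_claims put their values, as an added example (standard library only, not oauth2client's own code). It builds the unsigned header.payload of the JWT with the claim names oauth2client places in the assertion (iss, scope, aud, iat, exp) and audits a decoded claim set; build_signing_input, audit_claims and the sample values are hypothetical names and constructed data, and the RS256 signing step is not performed.

```python
import base64
import json

MAX_TOKEN_LIFETIME_SECS = 3600  # class constant documented on this page


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def build_signing_input(email, scopes, token_uri, now, key_id=None, **extra):
    """Unsigned 'header.payload' for a service-account JWT assertion."""
    header = {"typ": "JWT", "alg": "RS256"}
    if key_id is not None:
        header["kid"] = key_id          # private_key_id travels in the header
    payload = {"iss": email, "scope": scopes, "aud": token_uri,
               "iat": now, "exp": now + MAX_TOKEN_LIFETIME_SECS}
    payload.update(extra)               # extra claims (e.g. sub) merge last
    return ".".join(_b64url(json.dumps(part, sort_keys=True).encode())
                    for part in (header, payload))


def audit_claims(token, expected_aud, allowed_subjects=frozenset()):
    """Decode the payload segment (signature not verified) and list findings."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    findings = []
    if claims.get("aud") != expected_aud:
        findings.append("aud is %r, expected %r" % (claims.get("aud"), expected_aud))
    if claims.get("exp", 0) - claims.get("iat", 0) > MAX_TOKEN_LIFETIME_SECS:
        findings.append("lifetime exceeds %d s" % MAX_TOKEN_LIFETIME_SECS)
    sub = claims.get("sub")
    if sub is not None and sub not in allowed_subjects:
        findings.append("delegated subject not approved: %s" % sub)
    if not claims.get("scope"):
        findings.append("no scope requested")
    return findings


# Constructed values for illustration only.
TOKEN_URI = "https://oauth2.googleapis.com/token"
PLAIN = build_signing_input("svc@example-project.iam.gserviceaccount.com",
                            "https://www.googleapis.com/auth/drive.readonly",
                            TOKEN_URI, now=1700000000, key_id="constructed-kid")
DELEGATED = build_signing_input("svc@example-project.iam.gserviceaccount.com",
                                "https://www.googleapis.com/auth/drive.readonly",
                                TOKEN_URI, now=1700000000, sub="foo@email.com")
```

Extra claims are merged after the standard ones, so a claims dict that sets exp or aud replaces the default value; the audit flags both cases.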
- classmethod from_json(json_data)
Deserialize a JSON-serialized instance.
Inverse to to_json().
Parameters: json_data – dict or string, Serialized JSON (as a string or an already parsed dictionary) representing a credential.
Returns: ServiceAccountCredentials from the serialized data.
- classmethod from_json_keyfile_dict(keyfile_dict, scopes='', token_uri=None, revoke_uri=None)
Factory constructor from parsed JSON keyfile.
Parameters: - keyfile_dict – dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile.
- scopes – List or string, (Optional) Scopes to use when acquiring an access token.
- token_uri – string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google’s endpoints.
- revoke_uri – string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google’s endpoints.
Returns: ServiceAccountCredentials, a credentials object created from the keyfile.
Raises: - ValueError, if the credential type is not SERVICE_ACCOUNT.
- KeyError, if one of the expected keys is not present in the keyfile.
- classmethod from_json_keyfile_name(filename, scopes='', token_uri=None, revoke_uri=None)
Factory constructor from JSON keyfile by name.
Parameters: - filename – string, The location of the keyfile.
- scopes – List or string, (Optional) Scopes to use when acquiring an access token.
- token_uri – string, URI for OAuth 2.0 provider token endpoint. If unset and not present in the key file, defaults to Google’s endpoints.
- revoke_uri – string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in the key file, defaults to Google’s endpoints.
Returns: ServiceAccountCredentials, a credentials object created from the keyfile.
Raises: - ValueError, if the credential type is not SERVICE_ACCOUNT.
- KeyError, if one of the expected keys is not present in the keyfile.
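A pre-flight check for the two JSON keyfile factories above, as an added example that is not part of oauth2client. A token_uri or revoke_uri present in the keyfile is used when the caller passes none, so the check pins both to an allowlist before the contents reach from_json_keyfile_dict; the function names, the allowlist and the sample keyfile are assumptions constructed for illustration.

```python
import json
import os
import stat
from urllib.parse import urlsplit

# Assumption: endpoint hosts this deployment accepts.
ALLOWED_ENDPOINT_HOSTS = {"oauth2.googleapis.com"}
# Keys the factory reads; a missing one raises KeyError there.
REQUIRED_KEYS = ("client_email", "private_key", "private_key_id", "client_id")


def check_keyfile_dict(keyfile_dict):
    """Return a list of problems found in a parsed JSON keyfile (empty = OK)."""
    problems = []
    if keyfile_dict.get("type") != "service_account":
        problems.append("type is not 'service_account' (factory raises ValueError)")
    for key in REQUIRED_KEYS:
        if not keyfile_dict.get(key):
            problems.append("missing or empty key: " + key)
    # A URI in the keyfile is used when the caller passes none, so pin it.
    for field in ("token_uri", "revoke_uri"):
        uri = keyfile_dict.get(field)
        if uri is None:
            continue  # factory falls back to Google's endpoint
        parts = urlsplit(uri)
        if parts.scheme != "https" or parts.hostname not in ALLOWED_ENDPOINT_HOSTS:
            problems.append(field + " not allowlisted: " + uri)
    return problems


def check_keyfile_path(filename):
    """Check file permissions, then the contents, of a keyfile on disk."""
    problems = []
    mode = stat.S_IMODE(os.stat(filename).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("keyfile accessible by group/other: mode %o" % mode)
    with open(filename, "r", encoding="utf-8") as fh:
        problems.extend(check_keyfile_dict(json.load(fh)))
    return problems


# Constructed sample: structurally valid, but token_uri points elsewhere.
SAMPLE = {
    "type": "service_account",
    "client_email": "svc@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000",
    "private_key_id": "constructed-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://tokens.example.net/token",
}
```

Run check_keyfile_path on the file and call from_json_keyfile_name only when the returned list is empty.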
- classmethod from_p12_keyfile(service_account_email, filename, private_key_password=None, scopes='', token_uri='https://oauth2.googleapis.com/token', revoke_uri='https://oauth2.googleapis.com/revoke')
Factory constructor from PKCS#12 keyfile.
Parameters: - service_account_email – string, The email associated with the service account.
- filename – string, The location of the PKCS#12 keyfile.
- private_key_password – string, (Optional) Password for PKCS#12 private key. Defaults to notasecret.
- scopes – List or string, (Optional) Scopes to use when acquiring an access token.
- token_uri – string, URI for token endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
- revoke_uri – string, URI for revoke endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
Returns: ServiceAccountCredentials, a credentials object created from the keyfile.
Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library.
- classmethod from_p12_keyfile_buffer(service_account_email, file_buffer, private_key_password=None, scopes='', token_uri='https://oauth2.googleapis.com/token', revoke_uri='https://oauth2.googleapis.com/revoke')
Factory constructor from PKCS#12 keyfile buffer.
Parameters: - service_account_email – string, The email associated with the service account.
- file_buffer – stream, A buffer that implements read() and contains the PKCS#12 key contents.
- private_key_password – string, (Optional) Password for PKCS#12 private key. Defaults to notasecret.
- scopes – List or string, (Optional) Scopes to use when acquiring an access token.
- token_uri – string, URI for token endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
- revoke_uri – string, URI for revoke endpoint. For convenience defaults to Google’s endpoints but any OAuth 2.0 provider can be used.
Returns: ServiceAccountCredentials, a credentials object created from the keyfile.
Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library.
- serialization_data
- service_account_email
Get the email for the current service account.
Returns: string, The email associated with the service account.
- sign_blob(blob)
Cryptographically sign a blob (of bytes).
Implements abstract method oauth2client.client.AssertionCredentials.sign_blob().
Parameters: blob – bytes, Message to be signed.
Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents.