generateAccessToken(name, body, x__xgafv=None)
Generates an OAuth 2.0 access token for a service account.
generateIdToken(name, body, x__xgafv=None)
Generates an OpenID Connect ID token for a service account.
generateIdentityBindingAccessToken(name, body, x__xgafv=None)
signBlob(name, body, x__xgafv=None)
Signs a blob using a service account's system-managed private key.
signJwt(name, body, x__xgafv=None)
Signs a JWT using a service account's system-managed private key.
generateAccessToken(name, body, x__xgafv=None)
Generates an OAuth 2.0 access token for a service account.
Args:
name: string, The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
body: object, The request body. (required)
The object takes the form of:
{
"lifetime": "A String", # The desired lifetime duration of the access token in seconds.
# Must be set to a value less than or equal to 3600 (1 hour). If a value is
# not specified, the token's lifetime will be set to a default value of one
# hour.
"delegates": [ # The sequence of service accounts in a delegation chain. Each service
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
# on its next service account in the chain. The last service account in the
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
# on the service account that is specified in the `name` field of the
# request.
#
# The delegates must have the following format:
# `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
# character is required; replacing it with a project ID is invalid.
"A String",
],
"scope": [ # Code to identify the scopes to be included in the OAuth 2.0 access token.
# See https://developers.google.com/identity/protocols/googlescopes for more
# information.
# At least one value required.
"A String",
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{
"expireTime": "A String", # Token expiration time.
# The expiration time is always set.
"accessToken": "A String", # The OAuth 2.0 access token.
}
generateIdToken(name, body, x__xgafv=None)
Generates an OpenID Connect ID token for a service account.
Args:
name: string, The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
body: object, The request body. (required)
The object takes the form of:
{
"includeEmail": True or False, # Include the service account email in the token. If set to `true`, the
# token will contain `email` and `email_verified` claims.
"audience": "A String", # The audience for the token, such as the API or account that this token
# grants access to.
"delegates": [ # The sequence of service accounts in a delegation chain. Each service
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
# on its next service account in the chain. The last service account in the
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
# on the service account that is specified in the `name` field of the
# request.
#
# The delegates must have the following format:
# `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
# character is required; replacing it with a project ID is invalid.
"A String",
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{
"token": "A String", # The OpenId Connect ID token.
}
generateIdentityBindingAccessToken(name, body, x__xgafv=None)
Args:
name: string, The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
body: object, The request body. (required)
The object takes the form of:
{
"scope": [ # Code to identify the scopes to be included in the OAuth 2.0 access token.
# See https://developers.google.com/identity/protocols/googlescopes for more
# information.
# At least one value required.
"A String",
],
"jwt": "A String", # Required. Input token.
# Must be in JWT format according to
# RFC7523 (https://tools.ietf.org/html/rfc7523)
# and must have 'kid' field in the header.
# Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
# Mandatory payload fields (along the lines of RFC 7523, section 3):
# - iss: issuer of the token. Must provide a discovery document at
# $iss/.well-known/openid-configuration . The document needs to be
# formatted according to section 4.2 of the OpenID Connect Discovery
# 1.0 specification.
# - iat: Issue time in seconds since epoch. Must be in the past.
# - exp: Expiration time in seconds since epoch. Must be less than 48 hours
# after iat. We recommend to create tokens that last shorter than 6
# hours to improve security unless business reasons mandate longer
# expiration times. Shorter token lifetimes are generally more secure
# since tokens that have been exfiltrated by attackers can be used for
# a shorter time. you can configure the maximum lifetime of the
# incoming token in the configuration of the mapper.
# The resulting Google token will expire within an hour or at "exp",
# whichever is earlier.
# - sub: JWT subject, identity asserted in the JWT.
# - aud: Configured in the mapper policy. By default the service account
# email.
#
# Claims from the incoming token can be transferred into the output token
# accoding to the mapper configuration. The outgoing claim size is limited.
# Outgoing claims size must be less than 4kB serialized as JSON without
# whitespace.
#
# Example header:
# {
# "alg": "RS256",
# "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
# }
# Example payload:
# {
# "iss": "https://accounts.google.com",
# "iat": 1517963104,
# "exp": 1517966704,
# "aud":
# "https://iamcredentials.googleapis.com/google.iam.credentials.v1.CloudGaia",
# "sub": "113475438248934895348",
# "my_claims": {
# "additional_claim": "value"
# }
# }
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{
"expireTime": "A String", # Token expiration time.
# The expiration time is always set.
"accessToken": "A String", # The OAuth 2.0 access token.
}
signBlob(name, body, x__xgafv=None)
Signs a blob using a service account's system-managed private key.
Args:
name: string, The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
body: object, The request body. (required)
The object takes the form of:
{
"payload": "A String", # The bytes to sign.
"delegates": [ # The sequence of service accounts in a delegation chain. Each service
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
# on its next service account in the chain. The last service account in the
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
# on the service account that is specified in the `name` field of the
# request.
#
# The delegates must have the following format:
# `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
# character is required; replacing it with a project ID is invalid.
"A String",
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{
"signedBlob": "A String", # The signed blob.
"keyId": "A String", # The ID of the key used to sign the blob.
}
signJwt(name, body, x__xgafv=None)
Signs a JWT using a service account's system-managed private key.
Args:
name: string, The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
body: object, The request body. (required)
The object takes the form of:
{
"payload": "A String", # The JWT payload to sign: a JSON object that contains a JWT Claims Set.
"delegates": [ # The sequence of service accounts in a delegation chain. Each service
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
# on its next service account in the chain. The last service account in the
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
# on the service account that is specified in the `name` field of the
# request.
#
# The delegates must have the following format:
# `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
# character is required; replacing it with a project ID is invalid.
"A String",
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{
"keyId": "A String", # The ID of the key used to sign the JWT.
"signedJwt": "A String", # The signed JWT.
}