google.auth.credentials module¶

Interfaces for credentials.

class Credentials[source]¶

Bases: google.auth._credentials_base._BaseCredentials

Base class for all credentials.

All credentials have a token that is used for authentication and may also optionally set an expiry to indicate when the token will no longer be valid.

Most credentials will be invalid until refresh() is called. Credentials can do this automatically before the first HTTP request in before_request().

Although the token and expiration will change as the credentials are refreshed and used, credentials should be considered immutable. Various credentials will accept configuration such as private keys, scopes, and other options. These options are not changeable after construction. Some classes will provide mechanisms to copy the credentials with modifications such as ScopedCredentials.with_scopes().

expiry¶

When the token expires and is no longer valid. If this is None, the token is assumed to never expire.

Type

Optionaldatetime

property expired¶

Checks if the credentials are expired.

Note that credentials can be invalid but not expired because Credentials with expiry set to None is considered to never expire.

Deprecated since version v2.24.0: Prefer checking token_state instead.

property valid¶

Checks the validity of the credentials.

This is True if the credentials have a token and the token is not expired.

Deprecated since version v2.24.0: Prefer checking token_state instead.

property token_state¶

See :obj:`TokenState

property quota_project_id¶

Project to use for quota and billing purposes.

property universe_domain¶

The universe domain value.

get_cred_info()[source]¶

The credential information JSON.

The credential information will be added to auth related error messages by client library.

Returns

The credential information JSON.

Return type

Mappingstr, str

abstract refresh(request)[source]¶

Refreshes the access token.

Parameters

request (google.auth.transport.Request) – The object used to make HTTP requests.

Raises

google.auth.exceptions.RefreshError – If the credentials could not be refreshed.

apply(headers, token=None)[source]¶

Apply the token to the authentication header.

Parameters

• headers (Mapping) – The HTTP request headers.

• token (Optionalstr) – If specified, overrides the current access token.

before_request(request, method, url, headers)[source]¶

Performs credential-specific before request logic.

Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.

Parameters

• request (google.auth.transport.Request) – The object used to make HTTP requests.

• method (str) – The request’s HTTP method or the RPC method being invoked.

• url (str) – The request’s URI or the RPC service’s URI.

• headers (Mapping) – The request’s headers.

class CredentialsWithQuotaProject[source]¶

Bases: google.auth.credentials.Credentials

Abstract base for credentials supporting with_quota_project factory

with_quota_project(quota_project_id)[source]¶

Returns a copy of these credentials with a modified quota project.

Parameters

quota_project_id (str) – The project to use for quota and billing purposes

Returns

A new credentials instance.

Return type

google.auth.credentials.Credentials

apply(headers, token=None)¶

Apply the token to the authentication header.

Parameters

• headers (Mapping) – The HTTP request headers.

• token (Optionalstr) – If specified, overrides the current access token.

before_request(request, method, url, headers)¶

Performs credential-specific before request logic.

Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.

Parameters

• request (google.auth.transport.Request) – The object used to make HTTP requests.

• method (str) – The request’s HTTP method or the RPC method being invoked.

• url (str) – The request’s URI or the RPC service’s URI.

• headers (Mapping) – The request’s headers.

property expired¶

Checks if the credentials are expired.

Note that credentials can be invalid but not expired because Credentials with expiry set to None is considered to never expire.

Deprecated since version v2.24.0: Prefer checking token_state instead.

get_cred_info()¶

The credential information JSON.

The credential information will be added to auth related error messages by client library.

Returns

The credential information JSON.

Return type

Mappingstr, str

property quota_project_id¶

Project to use for quota and billing purposes.

abstract refresh(request)¶

Refreshes the access token.

Parameters

request (google.auth.transport.Request) – The object used to make HTTP requests.

Raises

google.auth.exceptions.RefreshError – If the credentials could not be refreshed.

property token_state¶

See :obj:`TokenState

property universe_domain¶

The universe domain value.

property valid¶

Checks the validity of the credentials.

This is True if the credentials have a token and the token is not expired.

Deprecated since version v2.24.0: Prefer checking token_state instead.

expiry¶

When the token expires and is no longer valid. If this is None, the token is assumed to never expire.

Type

Optionaldatetime

class CredentialsWithTokenUri[source]¶

Bases: google.auth.credentials.Credentials

Abstract base for credentials supporting with_token_uri factory

with_token_uri(token_uri)[source]¶

Returns a copy of these credentials with a modified token uri.

Parameters

token_uri (str) – The uri to use for fetching/exchanging tokens

Returns

A new credentials instance.

Return type

google.auth.credentials.Credentials

apply(headers, token=None)¶

Apply the token to the authentication header.

Parameters

• headers (Mapping) – The HTTP request headers.

• token (Optionalstr) – If specified, overrides the current access token.

before_request(request, method, url, headers)¶

Performs credential-specific before request logic.

Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.

Parameters

• request (google.auth.transport.Request) – The object used to make HTTP requests.

• method (str) – The request’s HTTP method or the RPC method being invoked.

• url (str) – The request’s URI or the RPC service’s URI.

• headers (Mapping) – The request’s headers.

property expired¶

Checks if the credentials are expired.

Note that credentials can be invalid but not expired because Credentials with expiry set to None is considered to never expire.

Deprecated since version v2.24.0: Prefer checking token_state instead.

get_cred_info()¶

The credential information JSON.

The credential information will be added to auth related error messages by client library.

Returns

The credential information JSON.

Return type

Mappingstr, str

property quota_project_id¶

Project to use for quota and billing purposes.

abstract refresh(request)¶

Refreshes the access token.

Parameters

request (google.auth.transport.Request) – The object used to make HTTP requests.

Raises

google.auth.exceptions.RefreshError – If the credentials could not be refreshed.

property token_state¶

See :obj:`TokenState

property universe_domain¶

The universe domain value.

property valid¶

Checks the validity of the credentials.

This is True if the credentials have a token and the token is not expired.

Deprecated since version v2.24.0: Prefer checking token_state instead.

expiry¶

When the token expires and is no longer valid. If this is None, the token is assumed to never expire.

Type

Optionaldatetime

class CredentialsWithUniverseDomain[source]¶

Bases: google.auth.credentials.Credentials

Abstract base for credentials supporting with_universe_domain factory

with_universe_domain(universe_domain)[source]¶

Returns a copy of these credentials with a modified universe domain.

Parameters

universe_domain (str) – The universe domain to use

Returns

A new credentials instance.

Return type

google.auth.credentials.Credentials

apply(headers, token=None)¶

Apply the token to the authentication header.

Parameters

• headers (Mapping) – The HTTP request headers.

• token (Optionalstr) – If specified, overrides the current access token.

before_request(request, method, url, headers)¶

Performs credential-specific before request logic.

Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.

Parameters

• request (google.auth.transport.Request) – The object used to make HTTP requests.

• method (str) – The request’s HTTP method or the RPC method being invoked.

• url (str) – The request’s URI or the RPC service’s URI.

• headers (Mapping) – The request’s headers.

property expired¶

Checks if the credentials are expired.

Note that credentials can be invalid but not expired because Credentials with expiry set to None is considered to never expire.

Deprecated since version v2.24.0: Prefer checking token_state instead.

get_cred_info()¶

The credential information JSON.

The credential information will be added to auth related error messages by client library.

Returns

The credential information JSON.

Return type

Mappingstr, str

property quota_project_id¶

Project to use for quota and billing purposes.

abstract refresh(request)¶

Refreshes the access token.

Parameters

request (google.auth.transport.Request) – The object used to make HTTP requests.

Raises

google.auth.exceptions.RefreshError – If the credentials could not be refreshed.

property token_state¶

See :obj:`TokenState

property universe_domain¶

The universe domain value.

property valid¶

Checks the validity of the credentials.

This is True if the credentials have a token and the token is not expired.

Deprecated since version v2.24.0: Prefer checking token_state instead.

expiry¶

When the token expires and is no longer valid. If this is None, the token is assumed to never expire.

Type

Optionaldatetime

class AnonymousCredentials[source]¶

Bases: google.auth.credentials.Credentials

Credentials that do not provide any authentication information.

These are useful in the case of services that support anonymous access or local service emulators that do not use credentials.

property expired¶

Returns False, anonymous credentials never expire.

property valid¶

Returns True, anonymous credentials are always valid.

refresh(request)[source]¶

Raises :class:InvalidOperation, anonymous credentials cannot be refreshed.

apply(headers, token=None)[source]¶

Anonymous credentials do nothing to the request.

The optional token argument is not supported.

Raises

google.auth.exceptions.InvalidValue – If a token was specified.

before_request(request, method, url, headers)[source]¶

Anonymous credentials do nothing to the request.

get_cred_info()¶

The credential information JSON.

The credential information will be added to auth related error messages by client library.

Returns

The credential information JSON.

Return type

Mappingstr, str

property quota_project_id¶

Project to use for quota and billing purposes.

property token_state¶

See :obj:`TokenState

property universe_domain¶

The universe domain value.

expiry¶

When the token expires and is no longer valid. If this is None, the token is assumed to never expire.

Type

Optionaldatetime

class ReadOnlyScoped[source]¶

Bases: object

Interface for credentials whose scopes can be queried.

OAuth 2.0-based credentials allow limiting access using scopes as described in RFC6749 Section 3.3. If a credential class implements this interface then the credentials either use scopes in their implementation.

Some credentials require scopes in order to obtain a token. You can check if scoping is necessary with requires_scopes:

if credentials.requires_scopes:
    # Scoping is required.
    credentials = credentials.with_scopes(scopes=['one', 'two'])

Credentials that require scopes must either be constructed with scopes:

credentials = SomeScopedCredentials(scopes=['one', 'two'])

Or must copy an existing instance using with_scopes():

scoped_credentials = credentials.with_scopes(scopes=['one', 'two'])

Some credentials have scopes but do not allow or require scopes to be set, these credentials can be used as-is.

property scopes¶

the credentials’ current set of scopes.

Type

Sequencestr

property default_scopes¶

the credentials’ current set of default scopes.

Type

Sequencestr

abstract property requires_scopes¶

True if these credentials require scopes to obtain an access token.

has_scopes(scopes)[source]¶

Checks if the credentials have the given scopes.

Parameters

scopes (Sequencestr) – The list of scopes to check.

Returns

True if the credentials have the given scopes.

Return type

bool

class Scoped[source]¶

Bases: google.auth.credentials.ReadOnlyScoped

Interface for credentials whose scopes can be replaced while copying.

OAuth 2.0-based credentials allow limiting access using scopes as described in RFC6749 Section 3.3. If a credential class implements this interface then the credentials either use scopes in their implementation.

Some credentials require scopes in order to obtain a token. You can check if scoping is necessary with requires_scopes:

if credentials.requires_scopes:
    # Scoping is required.
    credentials = credentials.create_scoped(['one', 'two'])

Credentials that require scopes must either be constructed with scopes:

credentials = SomeScopedCredentials(scopes=['one', 'two'])

Or must copy an existing instance using with_scopes():

scoped_credentials = credentials.with_scopes(scopes=['one', 'two'])

Some credentials have scopes but do not allow or require scopes to be set, these credentials can be used as-is.

abstract with_scopes(scopes, default_scopes=None)[source]¶

Create a copy of these credentials with the specified scopes.

Parameters

scopes (Sequencestr) – The list of scopes to attach to the current credentials.

Raises

NotImplementedError – If the credentials’ scopes can not be changed. This can be avoided by checking requires_scopes before calling this method.

property default_scopes¶

the credentials’ current set of default scopes.

Type

Sequencestr

has_scopes(scopes)¶

Checks if the credentials have the given scopes.

Parameters

scopes (Sequencestr) – The list of scopes to check.

Returns

True if the credentials have the given scopes.

Return type

bool

abstract property requires_scopes¶

True if these credentials require scopes to obtain an access token.

property scopes¶

the credentials’ current set of scopes.

Type

Sequencestr

with_scopes_if_required(credentials, scopes, default_scopes=None)[source]¶

Creates a copy of the credentials with scopes if scoping is required.

This helper function is useful when you do not know (or care to know) the specific type of credentials you are using (such as when you use google.auth.default()). This function will call Scoped.with_scopes() if the credentials are scoped credentials and if the credentials require scoping. Otherwise, it will return the credentials as-is.

Parameters

• credentials (google.auth.credentials.Credentials) – The credentials to scope if necessary.

• scopes (Sequencestr) – The list of scopes to use.

• default_scopes (Sequencestr) – Default scopes passed by a Google client library. Use ‘scopes’ for user-defined scopes.

Returns

Either a new set of scoped

credentials, or the passed in credentials instance if no scoping was required.

Return type

google.auth.credentials.Credentials

class Signing[source]¶

Bases: object

Interface for credentials that can cryptographically sign messages.

abstract sign_bytes(message)[source]¶

Signs the given message.

Parameters

message (bytes) – The message to sign.

Returns

The message’s cryptographic signature.

Return type

bytes

abstract property signer_email¶

An email address that identifies the signer.

Type

Optionalstr

abstract property signer¶

The signer used to sign bytes.

Type

google.auth.crypt.Signer

class TokenState(value)[source]¶

Bases: enum.Enum

Tracks the state of a token. FRESH: The token is valid. It is not expired or close to expired, or the token has no expiry. STALE: The token is close to expired, and should be refreshed. The token can be used normally. INVALID: The token is expired or invalid. The token cannot be used for a normal operation.