Google Cloud Iam Credentials V1 Client - Class IAMCredentialsClient (1.1.2)

Reference documentation and code samples for the Google Cloud Iam Credentials V1 Client class IAMCredentialsClient.

Service Description: A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user.

Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.

Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.

This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:

$iAMCredentialsClient = new IAMCredentialsClient();
try {
    $formattedName = $iAMCredentialsClient->serviceAccountName('[PROJECT]', '[SERVICE_ACCOUNT]');
    $scope = [];
    $response = $iAMCredentialsClient->generateAccessToken($formattedName, $scope);
} finally {
    $iAMCredentialsClient->close();
}

Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parseName method to extract the individual identifiers contained within formatted names that are returned by the API.

This service has a new (beta) implementation. See Google\Cloud\Iam\Credentials\V1\Client\IAMCredentialsClient to use the new surface.

Namespace

Google \ Cloud \ Iam \ Credentials \ V1

Methods

__construct

Constructor.

Parameters
NameDescription
options array

Optional. Options for configuring the service API wrapper.

↳ apiEndpoint string

The address of the API remote host. May optionally include the port, formatted as "

↳ credentials string|array|FetchAuthTokenInterface|CredentialsWrapper

The credentials to be used by the client to authorize API calls. This option accepts either a path to a credentials file, or a decoded credentials file as a PHP array. Advanced usage: In addition, this option can also accept a pre-constructed Google\Auth\FetchAuthTokenInterface object or Google\ApiCore\CredentialsWrapper object. Note that when one of these objects are provided, any settings in $credentialsConfig will be ignored.

↳ credentialsConfig array

Options used to configure credentials, including auth token caching, for the client. For a full list of supporting configuration options, see Google\ApiCore\CredentialsWrapper::build() .

↳ disableRetries bool

Determines whether or not retries defined by the client configuration should be disabled. Defaults to false.

↳ clientConfig string|array

Client method configuration, including retry settings. This option can be either a path to a JSON file, or a PHP array containing the decoded JSON data. By default this settings points to the default client config file, which is provided in the resources folder.

↳ transport string|TransportInterface

The transport used for executing network requests. May be either the string rest or grpc. Defaults to grpc if gRPC support is detected on the system. Advanced usage: Additionally, it is possible to pass in an already instantiated Google\ApiCore\Transport\TransportInterface object. Note that when this object is provided, any settings in $transportConfig, and any $apiEndpoint setting, will be ignored.

↳ transportConfig array

Configuration options that will be used to construct the transport. Options for each supported transport type should be passed in a key for that transport. For example: $transportConfig = [ 'grpc' => [...], 'rest' => [...], ]; See the Google\ApiCore\Transport\GrpcTransport::build() and Google\ApiCore\Transport\RestTransport::build() methods for the supported options.

↳ clientCertSource callable

A callable which returns the client cert as a string. This can be used to provide a certificate and private key to the transport layer for mTLS.

generateAccessToken

Generates an OAuth 2.0 access token for a service account.

Parameters
NameDescription
name string

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

scope string[]

Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.

optionalArgs array

Optional.

↳ delegates string[]

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

↳ lifetime Duration

The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.

↳ retrySettings RetrySettings|array

Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
TypeDescription
Google\Cloud\Iam\Credentials\V1\GenerateAccessTokenResponse
Example
use Google\ApiCore\ApiException;
use Google\Cloud\Iam\Credentials\V1\GenerateAccessTokenResponse;
use Google\Cloud\Iam\Credentials\V1\IAMCredentialsClient;

/**
 * @param string $formattedName The resource name of the service account for which the credentials
 *                              are requested, in the following format:
 *                              `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
 *                              character is required; replacing it with a project ID is invalid. Please see
 *                              {@see IAMCredentialsClient::serviceAccountName()} for help formatting this field.
 * @param string $scopeElement  Code to identify the scopes to be included in the OAuth 2.0 access token.
 *                              See https://developers.google.com/identity/protocols/googlescopes for more
 *                              information.
 *                              At least one value required.
 */
function generate_access_token_sample(string $formattedName, string $scopeElement): void
{
    // Create a client.
    $iAMCredentialsClient = new IAMCredentialsClient();

    // Prepare any non-scalar elements to be passed along with the request.
    $scope = [$scopeElement,];

    // Call the API and handle any network failures.
    try {
        /** @var GenerateAccessTokenResponse $response */
        $response = $iAMCredentialsClient->generateAccessToken($formattedName, $scope);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * Helper to execute the sample.
 *
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = IAMCredentialsClient::serviceAccountName('[PROJECT]', '[SERVICE_ACCOUNT]');
    $scopeElement = '[SCOPE]';

    generate_access_token_sample($formattedName, $scopeElement);
}

generateIdToken

Generates an OpenID Connect ID token for a service account.

Parameters
NameDescription
name string

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

audience string

Required. The audience for the token, such as the API or account that this token grants access to.

optionalArgs array

Optional.

↳ delegates string[]

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

↳ includeEmail bool

Include the service account email in the token. If set to true, the token will contain email and email_verified claims.

↳ retrySettings RetrySettings|array

Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
TypeDescription
Google\Cloud\Iam\Credentials\V1\GenerateIdTokenResponse
Example
use Google\ApiCore\ApiException;
use Google\Cloud\Iam\Credentials\V1\GenerateIdTokenResponse;
use Google\Cloud\Iam\Credentials\V1\IAMCredentialsClient;

/**
 * @param string $formattedName The resource name of the service account for which the credentials
 *                              are requested, in the following format:
 *                              `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
 *                              character is required; replacing it with a project ID is invalid. Please see
 *                              {@see IAMCredentialsClient::serviceAccountName()} for help formatting this field.
 * @param string $audience      The audience for the token, such as the API or account that this token
 *                              grants access to.
 */
function generate_id_token_sample(string $formattedName, string $audience): void
{
    // Create a client.
    $iAMCredentialsClient = new IAMCredentialsClient();

    // Call the API and handle any network failures.
    try {
        /** @var GenerateIdTokenResponse $response */
        $response = $iAMCredentialsClient->generateIdToken($formattedName, $audience);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * Helper to execute the sample.
 *
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = IAMCredentialsClient::serviceAccountName('[PROJECT]', '[SERVICE_ACCOUNT]');
    $audience = '[AUDIENCE]';

    generate_id_token_sample($formattedName, $audience);
}

signBlob

Signs a blob using a service account's system-managed private key.

Parameters
NameDescription
name string

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

payload string

Required. The bytes to sign.

optionalArgs array

Optional.

↳ delegates string[]

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

↳ retrySettings RetrySettings|array

Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
TypeDescription
Google\Cloud\Iam\Credentials\V1\SignBlobResponse
Example
use Google\ApiCore\ApiException;
use Google\Cloud\Iam\Credentials\V1\IAMCredentialsClient;
use Google\Cloud\Iam\Credentials\V1\SignBlobResponse;

/**
 * @param string $formattedName The resource name of the service account for which the credentials
 *                              are requested, in the following format:
 *                              `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
 *                              character is required; replacing it with a project ID is invalid. Please see
 *                              {@see IAMCredentialsClient::serviceAccountName()} for help formatting this field.
 * @param string $payload       The bytes to sign.
 */
function sign_blob_sample(string $formattedName, string $payload): void
{
    // Create a client.
    $iAMCredentialsClient = new IAMCredentialsClient();

    // Call the API and handle any network failures.
    try {
        /** @var SignBlobResponse $response */
        $response = $iAMCredentialsClient->signBlob($formattedName, $payload);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * Helper to execute the sample.
 *
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = IAMCredentialsClient::serviceAccountName('[PROJECT]', '[SERVICE_ACCOUNT]');
    $payload = '...';

    sign_blob_sample($formattedName, $payload);
}

signJwt

Signs a JWT using a service account's system-managed private key.

Parameters
NameDescription
name string

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

payload string

Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.

optionalArgs array

Optional.

↳ delegates string[]

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

↳ retrySettings RetrySettings|array

Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage.

Returns
TypeDescription
Google\Cloud\Iam\Credentials\V1\SignJwtResponse
Example
use Google\ApiCore\ApiException;
use Google\Cloud\Iam\Credentials\V1\IAMCredentialsClient;
use Google\Cloud\Iam\Credentials\V1\SignJwtResponse;

/**
 * @param string $formattedName The resource name of the service account for which the credentials
 *                              are requested, in the following format:
 *                              `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
 *                              character is required; replacing it with a project ID is invalid. Please see
 *                              {@see IAMCredentialsClient::serviceAccountName()} for help formatting this field.
 * @param string $payload       The JWT payload to sign: a JSON object that contains a JWT Claims Set.
 */
function sign_jwt_sample(string $formattedName, string $payload): void
{
    // Create a client.
    $iAMCredentialsClient = new IAMCredentialsClient();

    // Call the API and handle any network failures.
    try {
        /** @var SignJwtResponse $response */
        $response = $iAMCredentialsClient->signJwt($formattedName, $payload);
        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
    } catch (ApiException $ex) {
        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
    }
}

/**
 * Helper to execute the sample.
 *
 * This sample has been automatically generated and should be regarded as a code
 * template only. It will require modifications to work:
 *  - It may require correct/in-range values for request initialization.
 *  - It may require specifying regional endpoints when creating the service client,
 *    please see the apiEndpoint client configuration option for more details.
 */
function callSample(): void
{
    $formattedName = IAMCredentialsClient::serviceAccountName('[PROJECT]', '[SERVICE_ACCOUNT]');
    $payload = '[PAYLOAD]';

    sign_jwt_sample($formattedName, $payload);
}

static::serviceAccountName

Formats a string containing the fully-qualified path to represent a service_account resource.

Parameters
NameDescription
project string
serviceAccount string
Returns
TypeDescription
stringThe formatted service_account resource.

static::parseName

Parses a formatted name string and returns an associative array of the components in the name.

The following name formats are supported: Template: Pattern

  • serviceAccount: projects/{project}/serviceAccounts/{service_account}

The optional $template argument can be supplied to specify a particular pattern, and must match one of the templates listed above. If no $template argument is provided, or if the $template argument does not match one of the templates listed, then parseName will check each of the supported templates, and return the first match.

Parameters
NameDescription
formattedName string

The formatted name string

template string

Optional name of template to match

Returns
TypeDescription
arrayAn associative array from name component IDs to component values.

Constants

SERVICE_NAME

Value: 'google.iam.credentials.v1.IAMCredentials'

The name of the service.

SERVICE_ADDRESS

Value: 'iamcredentials.googleapis.com'

The default address of the service.

DEFAULT_SERVICE_PORT

Value: 443

The default port of the service.

CODEGEN_NAME

Value: 'gapic'

The name of the code generator, to be included in the agent header.