user-guide.rst - OpenGrok cross reference for /aosp_15_r20/external/python/google-auth-library-python/docs/user-guide.rst

Lines Matching full:credentials
6 Credentials and account types
9 :class:`~credentials.Credentials` are the means of identifying an application or
10 user to a service or API. Credentials can be obtained with three different types
13 Credentials from service accounts identify a particular application. These types
14 of credentials are used in server-to-server use cases, such as accessing a
15 database. This library primarily focuses on service account credentials.
17 Credentials from user accounts are obtained by asking the user to authorize
18 access to their data. These types of credentials are used in cases where your
21 obtaining user credentials, but does provide limited support for using user
22 credentials.
24 Credentials from external accounts (workload identity federation) are used to
29 Obtaining credentials
34 Application default credentials
37 `Google Application Default Credentials`_ abstracts authentication across the
40 installed, :func:`default` can automatically determine the credentials from the
45     credentials, project = google.auth.default()
49     credentials, project = google.auth.default(
52 Application Default Credentials also support workload identity federation to
59 .. _Google Application Default Credentials:
61     application-default-credentials
68 A service account private key file can be used to obtain credentials for a
69 service account. You can create a private key using the `Credentials page of the
71 credentials one of three ways:
80    Then, use :ref:`application default credentials <application-default>`.
83    credentials you explicitly specify.
85 2. Use :meth:`service_account.Credentials.from_service_account_file
86    <google.oauth2.service_account.Credentials.from_service_account_file>`::
90         credentials = service_account.Credentials.from_service_account_file(
93         scoped_credentials = credentials.with_scopes(
96 3. Use :meth:`service_account.Credentials.from_service_account_info
97    <google.oauth2.service_account.Credentials.from_service_account_info>`::
104         credentials = service_account.Credentials.from_service_account_info(
107         scoped_credentials = credentials.with_scopes(
114     https://console.cloud.google.com/apis/credentials
120 Engine flexible environment`_ can obtain credentials provided by `Compute
122 credentials for the service account one of two ways:
124 1. Use :ref:`application default credentials <application-default>`.
125    :func:`default` will automatically detect if these credentials are available.
127 2. Use :class:`compute_engine.Credentials`::
131         credentials = compute_engine.Credentials()
144 credentials provided by the `App Engine App Identity API`_. You can obtain
145 credentials one of two ways:
147 1. Use :ref:`application default credentials <application-default>`.
148    :func:`default` will automatically detect if these credentials are available.
150 2. Use :class:`app_engine.Credentials`::
154         credentials = app_engine.Credentials()
157 credentials and transports provided by this library, you need to follow a few
186 User credentials
189 User credentials are typically obtained via `OAuth 2.0`_. This library does not
190 provide any direct support for *obtaining* user credentials, however, you can
191 use user credentials with this library. You can use libraries such as
193 can create a :class:`google.oauth2.credentials.Credentials` instance::
195     import google.oauth2.credentials
197     credentials = google.oauth2.credentials.Credentials(
201 URI to allow the credentials to be automatically refreshed::
203     credentials = google.oauth2.credentials.Credentials(
213 user credentials. You can use
215 :class:`google.oauth2.credentials.Credentials` from a 
223 2.0 Authorization Grant Flow to obtain credentials using `requests-oauthlib`_.
234 External credentials (Workload identity federation)
310 local file location (file-sourced credentials) or from a local server
311 (URL-sourced credentials).
313 - For file-sourced credentials, a background process needs to be continuously
317 - For URL-sourced credentials, a local server needs to host a GET endpoint to
333 Application Default Credentials.
334 In order to use external identities with Application Default Credentials, you
335 need to generate the JSON credentials configuration file for your external
345 credentials from the context provided in the configuration file::
349     credentials, project = google.auth.default()
351 When using external identities with Application Default Credentials,
362 For Azure and OIDC providers, use :meth:`identity_pool.Credentials.from_info
363 <google.auth.identity_pool.Credentials.from_info>` or
364 :meth:`identity_pool.Credentials.from_file
365 <google.auth.identity_pool.Credentials.from_file>`::
372     credentials = identity_pool.Credentials.from_info(json_config_info)
373     scoped_credentials = credentials.with_scopes(
376 For AWS providers, use :meth:`aws.Credentials.from_info
377 <google.auth.aws.Credentials.from_info>` or
378 :meth:`aws.Credentials.from_file
379 <google.auth.aws.Credentials.from_file>`::
386     credentials = aws.Credentials.from_info(json_config_info)
387     scoped_credentials = credentials.with_scopes(
391 Impersonated credentials
394 Impersonated Credentials allows one set of credentials issued to a user or service account
395 to impersonate another.  The source credentials must be granted 
401     source_credentials = service_account.Credentials.from_service_account_file(
405     target_credentials = impersonated_credentials.Credentials(
410     client = storage.Client(credentials=target_credentials)
421 Downscoped credentials
435 generate these downscoped credentials from higher access source credentials and
440 …Credential Access Boundaries: https://cloud.google.com/iam/docs/downscoping-short-lived-credentials  argument
465     # Retrieve the source credentials via ADC. 
468     # Create the downscoped credentials.
469     downscoped_credentials = downscoped.Credentials(
486 The broker will instantiate downscoped credentials instances that can be used to
489 `google.oauth2.Credentials` and used to initialize a storage client instance to
506     # Create the OAuth credentials from the downscoped token and pass a
510     credentials = google.oauth2.credentials.Credentials(
516     # Initialize a storage client with the oauth2 credentials.
518         project='my_project_id', credentials=credentials)
527 Another reason to use downscoped credentials is to ensure tokens in flight
530     # Create the downscoped credentials.
531     downscoped_credentials = downscoped.Credentials(
539         project='my_project_id', credentials=downscoped_credentials)
540     # If the source credentials have elevated levels of access, the
596 has application default credentials set via `GOOGLE_APPLICATION_CREDENTIALS`
662 Once you have credentials you can attach them to a *transport*. You can then
676     authed_session = AuthorizedSession(credentials)
695     authed_http = AuthorizedHttp(credentials)
706     authed_http = AuthorizedHttp(credentials, http)
712 google-auth can provide `Call Credentials`_ for gRPC. The easiest way to do
721         credentials, http_request, 'pubsub.googleapis.com:443')
727     be used. Additionally, if you know that your credentials do not need to
729     :class:`jwt.Credentials`) then you can specify ``None``.
736     metadata_plugin = AuthMetadataPlugin(credentials, http_request)
742     # Create SSL channel credentials.
745     # Combine the ssl credentials and the authorization credentials.
768 .. _Call Credentials: