generateAccessToken(name, body=None, x__xgafv=None)
Generates an OAuth 2.0 access token for a service account.
generateIdToken(name, body=None, x__xgafv=None)
Generates an OpenID Connect ID token for a service account.
signBlob(name, body=None, x__xgafv=None)
Signs a blob using a service account's system-managed private key.
signJwt(name, body=None, x__xgafv=None)
Signs a JWT using a service account's system-managed private key.
generateAccessToken(name, body=None, x__xgafv=None)
Generates an OAuth 2.0 access token for a service account.
Args:
name: string, Required. The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
body: object, The request body.
The object takes the form of:
{
"scope": [ # Required. Code to identify the scopes to be included in the OAuth 2.0 access token.
# See https://developers.google.com/identity/protocols/googlescopes for more
# information.
# At least one value required.
"A String",
],
"delegates": [ # The sequence of service accounts in a delegation chain. Each service
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
# on its next service account in the chain. The last service account in the
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
# on the service account that is specified in the `name` field of the
# request.
#
# The delegates must have the following format:
# `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
# character is required; replacing it with a project ID is invalid.
"A String",
],
"lifetime": "A String", # The desired lifetime duration of the access token in seconds.
# Must be set to a value less than or equal to 3600 (1 hour). If a value is
# not specified, the token's lifetime will be set to a default value of one
# hour.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{
"expireTime": "A String", # Token expiration time.
# The expiration time is always set.
"accessToken": "A String", # The OAuth 2.0 access token.
}
generateIdToken(name, body=None, x__xgafv=None)
Generates an OpenID Connect ID token for a service account.
Args:
name: string, Required. The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
body: object, The request body.
The object takes the form of:
{
"audience": "A String", # Required. The audience for the token, such as the API or account that this token
# grants access to.
"includeEmail": True or False, # Include the service account email in the token. If set to `true`, the
# token will contain `email` and `email_verified` claims.
"delegates": [ # The sequence of service accounts in a delegation chain. Each service
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
# on its next service account in the chain. The last service account in the
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
# on the service account that is specified in the `name` field of the
# request.
#
# The delegates must have the following format:
# `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
# character is required; replacing it with a project ID is invalid.
"A String",
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{
"token": "A String", # The OpenId Connect ID token.
}
signBlob(name, body=None, x__xgafv=None)
Signs a blob using a service account's system-managed private key.
Args:
name: string, Required. The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
body: object, The request body.
The object takes the form of:
{
"payload": "A String", # Required. The bytes to sign.
"delegates": [ # The sequence of service accounts in a delegation chain. Each service
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
# on its next service account in the chain. The last service account in the
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
# on the service account that is specified in the `name` field of the
# request.
#
# The delegates must have the following format:
# `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
# character is required; replacing it with a project ID is invalid.
"A String",
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{
"keyId": "A String", # The ID of the key used to sign the blob. The key used for signing will
# remain valid for at least 12 hours after the blob is signed. To verify the
# signature, you can retrieve the public key in several formats from the
# following endpoints:
#
# - RSA public key wrapped in an X.509 v3 certificate:
# `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}`
# - Raw key in JSON format:
# `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}`
# - JSON Web Key (JWK):
# `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}`
"signedBlob": "A String", # The signature for the blob. Does not include the original blob.
#
# After the key pair referenced by the `key_id` response field expires,
# Google no longer exposes the public key that can be used to verify the
# blob. As a result, the receiver can no longer verify the signature.
}
signJwt(name, body=None, x__xgafv=None)
Signs a JWT using a service account's system-managed private key.
Args:
name: string, Required. The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
body: object, The request body.
The object takes the form of:
{
"payload": "A String", # Required. The JWT payload to sign. Must be a serialized JSON object that contains a
# JWT Claim Set. For example: `{"sub": "user@example.com", "iat": 313435}`
#
# If the claim set contains an `exp` claim, it must be an integer timestamp
# that is not in the past and at most 12 hours in the future.
"delegates": [ # The sequence of service accounts in a delegation chain. Each service
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
# on its next service account in the chain. The last service account in the
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
# on the service account that is specified in the `name` field of the
# request.
#
# The delegates must have the following format:
# `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
# character is required; replacing it with a project ID is invalid.
"A String",
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{
"keyId": "A String", # The ID of the key used to sign the JWT. The key used for signing will
# remain valid for at least 12 hours after the JWT is signed. To verify the
# signature, you can retrieve the public key in several formats from the
# following endpoints:
#
# - RSA public key wrapped in an X.509 v3 certificate:
# `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}`
# - Raw key in JSON format:
# `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}`
# - JSON Web Key (JWK):
# `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}`
"signedJwt": "A String", # The signed JWT. Contains the automatically generated header; the
# client-supplied payload; and the signature, which is generated using the
# key referenced by the `kid` field in the header.
#
# After the key pair referenced by the `key_id` response field expires,
# Google no longer exposes the public key that can be used to verify the JWT.
# As a result, the receiver can no longer verify the signature.
}