#google-cloud #gcp #authentication

google-cloud-auth

Google Cloud Platform server application authentication library

28 releases (15 breaking)

0.16.0 Jun 27, 2024
0.14.0 Apr 18, 2024
0.13.2 Mar 24, 2024
0.13.0 Oct 15, 2023
0.1.1 Nov 28, 2021

#144 in Web programming

140,264 downloads per month
Used in 47 crates (13 directly)

MIT license

91KB
2K SLoC

google-cloud-auth

Google Cloud Platform server application authentication library.

Installation

[dependencies]
google-cloud-auth = "<version>"
google-cloud-token = "0.1.2"

Quickstart

use google_cloud_auth::error;

#[tokio::main]
async fn main() -> Result<(), error::Error> {
    use google_cloud_auth::{project::Config, token::DefaultTokenSourceProvider};
    use google_cloud_token::TokenSourceProvider as _;

    let audience = "https://spanner.googleapis.com/";
    let scopes = [
        "https://www.googleapis.com/auth/cloud-platform",
        "https://www.googleapis.com/auth/spanner.data",
    ];
    let config = Config {
        // audience is required only for service account jwt-auth
        // https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
        audience: Some(audience),
        // scopes is required only for service account OAuth2
        // https://developers.google.com/identity/protocols/oauth2/service-account
        scopes: Some(&scopes),
        sub: None,
    };
    let tsp = DefaultTokenSourceProvider::new(config).await?;
    let ts = tsp.token_source();
    let token = ts.token().await?;
    // Demo only: the token is a bearer credential, so keep it out of logs in real code.
    println!("token is {}", token);
    Ok(())
}

DefaultTokenSourceProvider::new(config) looks for credentials in the following places, preferring the first location found:

  1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable.
  2. A JSON file in a location known to the gcloud command-line tool. On Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On other systems, $HOME/.config/gcloud/application_default_credentials.json.
  3. On Google Compute Engine, it fetches credentials from the metadata server.
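
Because the first location found wins, a leftover GOOGLE_APPLICATION_CREDENTIALS value or a developer's gcloud file can silently take precedence over the metadata server identity. The following added example (not code from the google-cloud-auth crate) resolves which source the documented order would select, so it can be checked at startup or in tests. The names `CredentialSource` and `resolve_source` are hypothetical, and it assumes that a non-empty variable selects its file without checking that the file exists.

```rust
use std::path::{Path, PathBuf};

/// Which of the documented locations would supply credentials.
#[derive(Debug, PartialEq)]
pub enum CredentialSource {
    /// 1. The JSON file named by GOOGLE_APPLICATION_CREDENTIALS.
    EnvFile(PathBuf),
    /// 2. The gcloud application_default_credentials.json file.
    WellKnownFile(PathBuf),
    /// 3. No file found: the metadata server (Google Compute Engine).
    MetadataServer,
}

const WELL_KNOWN: &str = "application_default_credentials.json";

/// Resolve the source in the documented order. `env` and `exists` are
/// injected so the precedence can be tested without touching the real
/// environment; `windows` selects the %APPDATA% layout.
pub fn resolve_source(
    env: &dyn Fn(&str) -> Option<String>,
    exists: &dyn Fn(&Path) -> bool,
    windows: bool,
) -> CredentialSource {
    // Assumption: a non-empty variable selects that file even if it is missing.
    if let Some(p) = env("GOOGLE_APPLICATION_CREDENTIALS").filter(|p| !p.is_empty()) {
        return CredentialSource::EnvFile(PathBuf::from(p));
    }
    let base = if windows {
        env("APPDATA").map(PathBuf::from)
    } else {
        env("HOME").map(|h| PathBuf::from(h).join(".config"))
    };
    if let Some(path) = base.map(|b| b.join("gcloud").join(WELL_KNOWN)) {
        if exists(path.as_path()) {
            return CredentialSource::WellKnownFile(path);
        }
    }
    CredentialSource::MetadataServer
}

fn main() {
    // Report the source for the current process environment.
    let env = |k: &str| std::env::var(k).ok();
    let exists = |p: &Path| p.is_file();
    println!("{:?}", resolve_source(&env, &exists, cfg!(windows)));
}
```
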

Supported Credentials

Supported Workload Identity

https://cloud.google.com/iam/docs/workload-identity-federation

  • AWS
  • Azure Active Directory
  • On-premises Active Directory
  • Okta
  • Kubernetes clusters

Dependencies

~7–22MB
~369K SLoC