public sealed class ImpersonatedCredential : ServiceCredential, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IHttpExecuteInterceptor, IBlobSignerAllows a service account or user credential to impersonate a service account. See https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials and https://cloud.google.com/iam/docs/impersonating-service-accounts for more information.
Implements
IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IHttpExecuteInterceptor, IBlobSignerNamespace
Google.Apis.Auth.OAuth2Assembly
Google.Apis.Auth.dll
Remarks
This credential type does not validate the credential configuration. A security risk occurs when a credential configuration configured with malicious urls is used. You should validate credential configurations provided by untrusted sources. See Security requirements when using credential configurations from an external source for more details.
Properties
DelegateAccounts
public IEnumerable<string> DelegateAccounts { get; }Gets the chained list of delegate service accounts. May be empty.
| Property Value | |
|---|---|
| Type | Description |
IEnumerablestring |
|
Lifetime
public TimeSpan Lifetime { get; }Gets the lifetime of the delegated credential. This is how long the delegated credential should be valid from the time of the first request made with this credential.
| Property Value | |
|---|---|
| Type | Description |
TimeSpan |
|
SourceCredential
public GoogleCredential SourceCredential { get; }Gets the source credential used to acquire the impersonated credentials.
| Property Value | |
|---|---|
| Type | Description |
GoogleCredential |
|
TargetPrincipal
public string TargetPrincipal { get; }Gets the service account to impersonate.
| Property Value | |
|---|---|
| Type | Description |
string |
|
Methods
GetOidcTokenAsync(OidcTokenOptions, CancellationToken)
public Task<OidcToken> GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = default)Returns an OIDC token for the given options.
| Parameters | |
|---|---|
| Name | Description |
options |
OidcTokenOptionsThe options to create the token from. |
cancellationToken |
CancellationTokenThe cancellation token that may be used to cancel the request. |
| Returns | |
|---|---|
| Type | Description |
TaskOidcToken |
The OIDC token. |
RequestAccessTokenAsync(CancellationToken)
public override Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)Requests a new token.
| Parameter | |
|---|---|
| Name | Description |
taskCancellationToken |
CancellationTokenCancellation token to cancel operation. |
| Returns | |
|---|---|
| Type | Description |
Taskbool |
|
SignBlobAsync(byte[], CancellationToken)
public Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default)Signs the provided blob using the private key associated with the impersonated service account.
| Parameters | |
|---|---|
| Name | Description |
blob |
System.ByteThe blob to sign. |
cancellationToken |
CancellationTokenCancellation token to cancel operation. |
| Returns | |
|---|---|
| Type | Description |
Taskstring |
The base64 encoded signature. |
| Exceptions | |
|---|---|
| Type | Description |
HttpRequestException |
When signing request fails. |
Newtonsoft.Json.JsonException |
When signing response is not a valid JSON. |
ToGoogleCredential()
public GoogleCredential ToGoogleCredential()Creates a GoogleCredential from this credential.
| Returns | |
|---|---|
| Type | Description |
GoogleCredential |
|