google.auth.app_engine module

Google App Engine standard environment support.

This module provides authentication and signing for applications running on App Engine in the standard environment using the App Identity API.

class Signer[source]

Bases: google.auth.crypt.base.Signer

Signs messages using the App Engine App Identity service.

This can be used in place of google.auth.crypt.Signer when running in the App Engine standard environment.

key_id

Optional [ str ] – The key ID used to identify this private key.

Warning

This is always None. The key ID used by App Engine can not be reliably determined ahead of time.

sign(message)[source]

Signs a message.

Parameters:message (Union [ str, bytes ]) – The message to be signed.
Returns:The signature of the message.
Return type:bytes
get_project_id()[source]

Gets the project ID for the current App Engine application.

Returns:The project ID
Return type:str
Raises:EnvironmentError – If the App Engine APIs are unavailable.
class Credentials(scopes=None, service_account_id=None)[source]

Bases: google.auth.credentials.Scoped, google.auth.credentials.Signing, google.auth.credentials.Credentials

App Engine standard environment credentials.

These credentials use the App Engine App Identity API to obtain access tokens.

Parameters:
  • scopes (Sequence [ str ]) – Scopes to request from the App Identity API.
  • service_account_id (str) – The service account ID passed into google.appengine.api.app_identity.get_access_token(). If not specified, the default application service account ID will be used.
Raises:

EnvironmentError – If the App Engine APIs are unavailable.

refresh(request)[source]

Refreshes the access token.

Parameters:request (google.auth.transport.Request) – The object used to make HTTP requests.
Raises:google.auth.exceptions.RefreshError – If the credentials could not be refreshed.
service_account_email

The service account email.

requires_scopes

Checks if the credentials requires scopes.

Returns:True if there are no scopes set otherwise False.
Return type:bool
with_scopes(scopes)[source]

Create a copy of these credentials with the specified scopes.

Parameters:scopes (Sequence [ str ]) – The list of scopes to request.
Raises:NotImplementedError – If the credentials’ scopes can not be changed. This can be avoided by checking requires_scopes before calling this method.
sign_bytes(message)[source]

Signs the given message.

Parameters:message (bytes) – The message to sign.
Returns:The message’s cryptographic signature.
Return type:bytes
signer_email

Optional [ str ] – An email address that identifies the signer.

signer

google.auth.crypt.Signer – The signer used to sign bytes.

apply(headers, token=None)[source]

Apply the token to the authentication header.

Parameters:
  • headers (Mapping) – The HTTP request headers.
  • token (Optional [ str ]) – If specified, overrides the current access token.
before_request(request, method, url, headers)[source]

Performs credential-specific before request logic.

Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.

Parameters:
  • request (google.auth.transport.Request) – The object used to make HTTP requests.
  • method (str) – The request’s HTTP method or the RPC method being invoked.
  • url (str) – The request’s URI or the RPC service’s URI.
  • headers (Mapping) – The request’s headers.
expired

Checks if the credentials are expired.

Note that credentials can be invalid but not expired becaue Credentials with expiry set to None is considered to never expire.

has_scopes(scopes)

Checks if the credentials have the given scopes.

Returns:True if the credentials have the given scopes.
Return type:bool
scopes

Sequence [ str ] – the credentials’ current set of scopes.

valid

Checks the validity of the credentials.

This is True if the credentials have a token and the token is not expired.