google.auth.compute_engine package

Google Compute Engine authentication.

class Credentials(service_account_email='default')[source]

Bases: google.auth.credentials.ReadOnlyScoped, google.auth.credentials.Credentials

Compute Engine Credentials.

These credentials use the Google Compute Engine metadata server to obtain OAuth 2.0 access tokens associated with the instance’s service account.

For more information about Compute Engine authentication, including how to configure scopes, see the Compute Engine authentication documentation.


Compute Engine instances can be created with scopes and therefore these credentials are considered to be ‘scoped’. However, you can not use with_scopes() because it is not possible to change the scopes that the instance has. Also note that has_scopes() will not work until the credentials have been refreshed.

Parameters:service_account_email (str) – The service account email to use, or ‘default’. A Compute Engine instance may have multiple service accounts.

Refresh the access token and scopes.

Parameters:request (google.auth.transport.Request) – The object used to make HTTP requests.
Raises:google.auth.exceptions.RefreshError – If the Compute Engine metadata service can’t be reached if if the instance has not credentials.

The service account email.


False – Compute Engine credentials can not be scoped.

apply(headers, token=None)[source]

Apply the token to the authentication header.

  • headers (Mapping) – The HTTP request headers.
  • token (Optional [ str ]) – If specified, overrides the current access token.
before_request(request, method, url, headers)[source]

Performs credential-specific before request logic.

Refreshes the credentials if necessary, then calls apply() to apply the token to the authentication header.

  • request (google.auth.transport.Request) – The object used to make HTTP requests.
  • method (str) – The request’s HTTP method or the RPC method being invoked.
  • url (str) – The request’s URI or the RPC service’s URI.
  • headers (Mapping) – The request’s headers.

Checks if the credentials are expired.

Note that credentials can be invalid but not expired becaue Credentials with expiry set to None is considered to never expire.


Checks if the credentials have the given scopes.

Parameters:scopes (Sequence [ str ]) – The list of scopes to check.
Returns:True if the credentials have the given scopes.
Return type:bool

Sequence [ str ] – the credentials’ current set of scopes.


Checks the validity of the credentials.

This is True if the credentials have a token and the token is not expired.