Google Cloud Platform server application authentication library.
[dependencies]
google-cloud-auth = <version>
google-cloud-token = "0.1.2"#[tokio::main]
async fn main() -> Result<(), error::Error> {
use google_cloud_auth::{project::Config, token::DefaultTokenSourceProvider};
use google_cloud_token::TokenSourceProvider as _;
let audience = "https://spanner.googleapis.com/";
let scopes = [
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/spanner.data",
];
let config = Config {
// audience is required only for service account jwt-auth
// https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
audience: Some(audience),
// scopes is required only for service account Oauth2
// https://developers.google.com/identity/protocols/oauth2/service-account
scopes: Some(&scopes),
sub: None,
};
let tsp = DefaultTokenSourceProvider::new(config).await?;
let ts = tsp.token_source();
let token = ts.token().await?;
println!("token is {}", token);
Ok(())
}DefaultTokenSourceProvider::new(config) looks for credentials in the following places,
preferring the first location found:
- A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable.
- A JSON file in a location known to the gcloud command-line tool. On Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On other systems, $HOME/.config/gcloud/application_default_credentials.json.
- On Google Compute Engine, it fetches credentials from the metadata server.
- Service Account(JWT)
- Service Account(OAuth 2.0)
- Authorized User
- External Account
- Google Developers Console client_credentials.json
https://cloud.google.com/iam/docs/workload-identity-federation
- AWS
- Azure Active Directory
- On-premises Active Directory
- Okta
- Kubernetes clusters