gcs_client.credentials module

class gcs_client.credentials.Credentials(key_file_name, email=None, scope='OWNER')[source]

Bases: oauth2client.client.SignedJwtAssertionCredentials

GCS Credentials used to access servers.

Initialize credentials used for all GCS operations.

Create OAuth 2.0 credentials to access GCS from a JSON file or a P12 and email address.

Since this library is meant to work outside of Google App Engine and Google Compute Engine, you must obtain these credential files in the Google Developers Console. To generate service-account credentials, or to view the public credentials that you’ve already generated, do the following:

  1. Open the Credentials page.

  2. To set up a new service account, do the following:

    1. Click Add credentials > Service account.
    2. Choose whether to download the service account’s public/private key as a JSON file (preferred) or standard P12 file.

    Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. You are responsible for storing it securely.

You can return to the Developers Console at any time to view the client ID, email address, and public key fingerprints, or to generate additional public/private key pairs. For more details about service account credentials in the Developers Console, see Service accounts in the Developers Console help file.

Parameters:
  • key_file_name (String) – Name of the file with the credentials to use.
  • email (String) – Service account’s Email address to use with P12 file. When using JSON files this argument will be ignored.
  • scope (String) – Scopes that the credentials should be granted access to. Value must be one of Credentials.scope_urls.keys()
apply(headers)[source]

Add the authorization to the headers.

Args:
headers: dict, the headers to add the Authorization header to.
authorize(http)[source]

Authorize an httplib2.Http instance with these credentials.

The modified http.request method will add authentication headers to each request and will refresh access_tokens when a 401 is received on a request. In addition the http.request method has a credentials property, http.request.credentials, which is the Credentials object that authorized it.

Args:
http: An instance of httplib2.Http or something that acts
like it.
Returns:
A modified instance of http that was passed in.

Example:

h = httplib2.Http()
h = credentials.authorize(h)

You can’t create a new OAuth subclass of httplib2.Authentication because it never gets passed the absolute URI, which is needed for signing. So instead we have to overload ‘request’ with a closure that adds in the Authorization header and then calls the original version of ‘request()’.

create_scoped(scopes)

Create a Credentials object for the given scopes.

The Credentials type is preserved.

create_scoped_required()

Whether this Credentials object is scopeless.

create_scoped(scopes) method needs to be called in order to create a Credentials object for API calls.

from_json(s)[source]
from_stream(credential_filename)

Create a Credentials object by reading information from a file.

It returns an object of type GoogleCredentials.

Args:
credential_filename: the path to the file from where the
credentials are to be read
Raises:
ApplicationDefaultCredentialsError: raised when the credentials
fail to be retrieved.
get_access_token(http=None)

Return the access token and its expiration information.

If the token does not exist, get one. If the token expired, refresh it.

get_application_default()

Get the Application Default Credentials for the current environment.

Raises:
ApplicationDefaultCredentialsError: raised when the credentials
fail to be retrieved.
has_scopes(scopes)

Verify that the credentials are authorized for the given scopes.

Returns True if the credentials authorized scopes contain all of the scopes given.

Args:
scopes: list or string, the scopes to check.
Notes:
There are cases where the credentials are unaware of which scopes are authorized. Notably, credentials obtained and stored before this code was added will not have scopes, AccessTokenCredentials do not have scopes. In both cases, you can use refresh_scopes() to obtain the canonical set of scopes.
new_from_json(s)[source]

Utility class method to instantiate a Credentials subclass from JSON.

Expects the JSON string to have been produced by to_json().

Args:
s: string or bytes, JSON from to_json().
Returns:
An instance of the subclass of Credentials that was serialized with to_json().
refresh(http)[source]

Forces a refresh of the access_token.

Args:
http: httplib2.Http, an http object to be used to make the refresh
request.
retrieve_scopes(http)

Retrieves the canonical list of scopes for this access token.

Gets the scopes from the OAuth2 provider.

Args:
http: httplib2.Http, an http object to be used to make the refresh
request.
Returns:
A set of strings containing the canonical list of scopes.
revoke(http)[source]

Revokes a refresh_token and makes the credentials void.

Args:
http: httplib2.Http, an http object to be used to make the revoke
request.
set_store(store)

Set the Storage for the credential.

Args:
store: Storage, an implementation of Storage object.
This is needed to store the latest access_token if it has expired and been refreshed. This implementation uses locking to check for updates before updating the access_token.
to_json()[source]
MAX_TOKEN_LIFETIME_SECS = 3600
NON_SERIALIZED_MEMBERS = ['store']
access_token_expired

True if the credential is expired or invalid.

If the token_expiry isn’t set, we assume the token doesn’t expire.

authorization

Authorization header value for GCS requests.

common_url = 'https://www.googleapis.com/auth/'
scope_urls = {'OWNER': 'devstorage.full_control', 'WRITER': 'devstorage.read_write', 'CLOUD': 'cloud-platform', 'READER': 'devstorage.read_only'}
serialization_data

Get the fields and values identifying the current credentials.