@spec fetch(keyword() | map()) :: {:ok, t()} | {:error, Exception.t()}

Fetch the token from the Google API using the given config.

Config may contain the following keys:

• :source - the source to retrieve the token from.

  Supported values include:

  • {:service_account, credentials} - for fetching token using service account credentials

  • {:refresh_token, credentials} - for fetching token using refresh token

  • :metadata - for fetching token using Google internal metadata service

  If :source is not set, Goth will:

  • Check application environment. You can set it with: config :goth, json: File.read!("credentials.json").

  • Check GOOGLE_APPLICATION_CREDENTIALS env variable that contains path to credentials file.

  • Check GOOGLE_APPLICATION_CREDENTIALS_JSON env variable that contains credentials JSON.

  • Check ~/.config/gcloud/application_default_credentials.json file.

  • Check Google internal metadata service

  • Otherwise, raise an error.

  See "Source" section below for more information.

• :http_client - a funtion that makes the HTTP request.

  Can be one of the following:

  • fun - same as {fun, []}

  • {fun, opts} - fun must be a 1-arity funtion that receives a keyword list with fields :method, :url, :headers, and :body along with any passed opts. The funtion must return {:ok, %{status: status, headers: headers, body: body}} or {:error, exception}.

    See "Custom HTTP Client" section below for more information.

  fun can also be an atom :finch to use the built-in Finch-based client.

  Defaults to {:finch, []}.

source

Source

Source can be one of:

Service account - {:service_account, credentials}

Same as {:service_account, credentials, []}

Service account - {:service_account, credentials, options}

The credentials is a map and can contain the following keys:

• "private_key"

• "client_email"

The options is a keywords list and can contain the following keys:

• :url - the URL of the authentication service, defaults to: "https://www.googleapis.com/oauth2/v4/token"

• :scopes - the list of token scopes, defaults to ["https://www.googleapis.com/auth/cloud-platform"] (ignored if :claims present)

• :claims - self-signed JWT extra claims. Should be a map with string keys only. A self-signed JWT will be exchanged for a Google-signed ID token

Refresh token - {:refresh_token, credentials}

Same as {:refresh_token, credentials, []}

Refresh token - {:refresh_token, credentials, options}

The credentials is a map and can contain the following keys:

• "refresh_token"

• "client_id"

• "client_secret"

The options is a keywords list and can contain the following keys:

• :url - the URL of the authentication service, defaults to: "https://www.googleapis.com/oauth2/v4/token"

Google metadata server - :metadata

Same as {:metadata, []}

Google metadata server - {:metadata, options}

The options is a keywords list and can contain the following keys:

• :account - the name of the account to generate the token for, defaults to "default"

• :url - the URL of the metadata server, defaults to "http://metadata.google.internal"

• :audience - the audience you want an identity token for, default to nil If this parameter is provided, an identity token is returned instead of an access token

custom-http-client

Custom HTTP Client

To use a custom HTTP client, define a function that receives a keyword list with fields :method, :url, :headers, and :body. The funtion must return {:ok, %{status: status, headers: headers, body: body}} or {:error, exception}.

Here's an example with Finch:

defmodule MyApp do
  def request_with_finch(options) do
    {method, options} = Keyword.pop!(options, :method)
    {url, options} = Keyword.pop!(options, :url)
    {headers, options} = Keyword.pop!(options, :headers)
    {body, options} = Keyword.pop!(options, :body)

    Finch.build(method, url, headers, body)
    |> Finch.request(Goth.Finch, options)
  end
end

And here is how it can be used:

iex> Goth.Token.fetch(source: source, http_client: &MyApp.request_with_finch/1)
{:ok, %Goth.Token{...}}

iex> Goth.Token.fetch(source: source, http_client: {&MyApp.request_with_finch/1, receive_timeout: 5000})
{:ok, %Goth.Token{...}}

examples

Examples

Generate a token using a service account credentials file:

iex> credentials = "credentials.json" |> File.read!() |> Jason.decode!()
iex> Goth.Token.fetch(source: {:service_account, credentials})
{:ok, %Goth.Token{...}}

You can generate a credentials file containing service account using gcloud utility like this:

$ gcloud iam service-accounts keys create --key-file-type=json --iam-account=... credentials.json

Generate a cloud function invocation token using a service account credentials file:

iex> credentials = "credentials.json" |> File.read!() |> Jason.decode!()
...> claims = %{"target_audience" => "https://<GCP_REGION>-<PROJECT_ID>.cloudfunctions.net/<CLOUD_FUNCTION_NAME>"}
...> Goth.Token.fetch(source: {:service_account, credentials, [claims: claims]})
{:ok, %Goth.Token{...}}

Generate an impersonated token using a service account credentials file:

iex> credentials = "credentials.json" |> File.read!() |> Jason.decode!()
...> claims = %{"sub" => "<IMPERSONATED_ACCOUNT_EMAIL>"}
...> Goth.Token.fetch(source: {:service_account, credentials, [claims: claims]})
{:ok, %Goth.Token{...}}

Retrieve the token using a refresh token:

iex> credentials = "credentials.json" |> File.read!() |> Jason.decode!()
iex> Goth.Token.fetch(source: {:refresh_token, credentials})
{:ok, %Goth.Token{...}}

You can generate a credentials file containing refresh token using gcloud utility like this:

$ gcloud auth application-default login

Retrieve the token using the Google metadata server:

iex> Goth.Token.fetch(source: :metadata})
{:ok, %Goth.Token{...}}

See Storing and retrieving instance metadata for more information on metadata server.

Passing custom Finch options

iex> Goth.Token.fetch(source: source, http_client: {:finch, pool_timeout: 5000})
{:ok, %Goth.Token{...}}