Reference documentation and code samples for the googleauth class Google::Auth::ExternalAccount::AwsCredentials.
This module handles the retrieval of credentials from Google Cloud by utilizing the AWS EC2 metadata service and
then exchanging the credentials for a short-lived Google Cloud access token.
#retrieve_subject_token!

Retrieves the subject token using the credential_source object. The subject token is a serialized AWS GetCallerIdentity signed request (https://cloud.google.com/iam/docs/access-resources-aws#exchange-token).

The logic is summarized as:

Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION environment variable, or from the AWS metadata server availability-zone if it is not found in the environment variables.

Check for AWS credentials in environment variables. If they are not found, retrieve them from the AWS metadata server security-credentials endpoint.

When retrieving AWS credentials from the metadata server security-credentials endpoint, the AWS role needs to be determined by calling the security-credentials endpoint without any argument. Then the credentials can be retrieved via: security-credentials/role_name

Generate the signed request to the AWS STS GetCallerIdentity action.

Inject x-goog-cloud-target-resource into the header and serialize the signed request. This will be the subject-token to pass to GCP STS.
Returns
(string) — The retrieved subject token.

Constants

IMDSV2_TOKEN_EXPIRATION_IN_SECONDS
value: 300
Constant for imdsv2 session token expiration in seconds
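The last two steps of the subject-token logic above (sign the GetCallerIdentity request, then inject x-goog-cloud-target-resource and serialize), as an added Ruby example that is not googleauth's own code. The function names, the regional STS host name, the JSON layout (url, method, key/value headers, URL-encoded) and all key material are assumptions or constructed values; the point it shows is that the target-resource header is part of the signed headers, so a token built for one audience does not verify for another.

```ruby
require "openssl"
require "json"
require "erb"
require "uri"

# Added sketch, not googleauth's code. Function names are hypothetical.
def hmac(key, data)
  OpenSSL::HMAC.digest("sha256", key, data)
end

# SigV4-signs an STS GetCallerIdentity POST (empty body) and serializes it.
def aws_subject_token(access_key:, secret_key:, region:, audience:,
                      session_token: nil, now: Time.now.utc)
  host = "sts.#{region}.amazonaws.com" # assumed regional STS endpoint
  query = "Action=GetCallerIdentity&Version=2011-06-15"
  amz_date = now.strftime("%Y%m%dT%H%M%SZ")
  date = amz_date[0, 8]
  headers = { "host" => host, "x-amz-date" => amz_date,
              "x-goog-cloud-target-resource" => audience }
  headers["x-amz-security-token"] = session_token if session_token
  names = headers.keys.sort
  signed = names.join(";")
  # Every header, including the Google audience, is covered by the signature.
  canonical = ["POST", "/", query,
               names.map { |n| "#{n}:#{headers[n].strip}\n" }.join,
               signed, OpenSSL::Digest::SHA256.hexdigest("")].join("\n")
  scope = "#{date}/#{region}/sts/aws4_request"
  to_sign = ["AWS4-HMAC-SHA256", amz_date, scope,
             OpenSSL::Digest::SHA256.hexdigest(canonical)].join("\n")
  key = [date, region, "sts", "aws4_request"]
        .reduce("AWS4#{secret_key}") { |k, part| hmac(k, part) }
  signature = OpenSSL::HMAC.hexdigest("sha256", key, to_sign)
  headers["authorization"] = "AWS4-HMAC-SHA256 Credential=#{access_key}/#{scope}, " \
                             "SignedHeaders=#{signed}, Signature=#{signature}"
  # Assumed serialization: JSON with url, method and key/value headers, URL-encoded.
  request = { "url" => "https://#{host}?#{query}", "method" => "POST",
              "headers" => headers.map { |k, v| { "key" => k, "value" => v } } }
  ERB::Util.url_encode(JSON.generate(request))
end

# Decodes a token back into { "url", "method", "headers" => { name => value } }.
def decode_subject_token(token)
  request = JSON.parse(URI.decode_www_form_component(token))
  request.merge("headers" => request["headers"].to_h { |h| [h["key"], h["value"]] })
end
```

decode_subject_token is useful when reviewing what a workload actually sends to GCP STS: the token carries the access key ID and a signature, never the AWS secret key.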
googleauth v1.15.0 (latest). Last updated 2025-09-09 UTC.