Reference documentation and code samples for the googleauth class Google::Auth::ImpersonatedServiceAccountCredentials.
Authenticates requests using impersonation from base credentials.
This is a two-step process: first authentication claim from the base credentials is created
and then that claim is exchanged for a short-lived token at an IAMCredentials endpoint.
The short-lived token and its expiration time are cached.
Create a ImpersonatedServiceAccountCredentials
When you use service account impersonation, you start with an authenticated principal
(e.g. your user account or a service account)
and request short-lived credentials for a service account
that has the authorization that your use case requires.
Parameter
options (Hash) — A hash of options to configure the credentials.
(Time, nil) — The expiration time of the current access token, used to determine
if the token is still valid
#expires_within?
defexpires_within?(seconds)->Boolean
Determines whether the current access token expires within the specified number of seconds.
Parameter
seconds (Integer) — The number of seconds to check against the token's expiration time.
Returns
(Boolean) — Whether the access token expires within the given time frame
#impersonation_url
defimpersonation_url()->String
Returns
(String) — The URL endpoint used to generate an impersonation token. This URL should follow a specific
format to specify the impersonated service account.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-09 UTC."],[],[],null,["# googleauth - Class Google::Auth::ImpersonatedServiceAccountCredentials (v1.15.0)\n\nVersion latestkeyboard_arrow_down\n\n- [1.15.0 (latest)](/ruby/docs/reference/googleauth/latest/Google-Auth-ImpersonatedServiceAccountCredentials)\n- [1.14.0](/ruby/docs/reference/googleauth/1.14.0/Google-Auth-ImpersonatedServiceAccountCredentials)\n- [1.13.1](/ruby/docs/reference/googleauth/1.13.1/Google-Auth-ImpersonatedServiceAccountCredentials)\n- [1.12.2](/ruby/docs/reference/googleauth/1.12.2/Google-Auth-ImpersonatedServiceAccountCredentials) \nReference documentation and code samples for the googleauth class Google::Auth::ImpersonatedServiceAccountCredentials.\n\nAuthenticates requests using impersonation from base credentials.\nThis is a two-step process: first authentication claim from the base credentials is created\nand then that claim is exchanged for a short-lived token at an IAMCredentials endpoint.\nThe short-lived token and its expiration time are cached. \n\nInherits\n--------\n\n- Object \n\nIncludes\n--------\n\n- [Google::Auth::BaseClient](./Google-Auth-BaseClient)\n- [Google::Auth::Helpers::Connection](./Google-Auth-Helpers-Connection)\n\nMethods\n-------\n\n### .make_creds\n\n def self.make_creds(options = {}) -\u003e Google::Auth::ImpersonatedServiceAccountCredentials\n\nCreate a ImpersonatedServiceAccountCredentials\nWhen you use service account impersonation, you start with an authenticated principal\n(e.g. your user account or a service account)\nand request short-lived credentials for a service account\nthat has the authorization that your use case requires. \n**Parameter**\n\n- **options** (Hash) --- A hash of options to configure the credentials. \n**Returns**\n\n- ([Google::Auth::ImpersonatedServiceAccountCredentials](./Google-Auth-ImpersonatedServiceAccountCredentials))\n\n### #access_token\n\n def access_token() -\u003e String, nil\n\n**Returns**\n\n- (String, nil) --- The short-lived impersonation access token, retrieved and cached after making the impersonation request\n\n### #base_credentials\n\n def base_credentials() -\u003e Object\n\n**Returns**\n\n- (Object) --- The original authenticated credentials used to fetch short-lived impersonation access tokens\n\n### #duplicate\n\n def duplicate(options = {}) -\u003e Google::Auth::ImpersonatedServiceAccountCredentials\n\nCreates a duplicate of these credentials without transient token state \n**Parameter**\n\n- **options** (Hash) ---\n\n Overrides for the credentials parameters.\n The following keys are recognized\n - `base_credentials` the base credentials used to initialize the impersonation\n - `source_credentials` the authenticated credentials which usually would be base credentials with scope overridden to IAM_SCOPE\n - `impersonation_url` the URL to use to make an impersonation token exchange\n- `scope` the scope(s) to access \n**Returns**\n\n- ([Google::Auth::ImpersonatedServiceAccountCredentials](./Google-Auth-ImpersonatedServiceAccountCredentials))\n\n### #expires_at\n\n def expires_at() -\u003e Time, nil\n\n**Returns**\n\n- (Time, nil) --- The expiration time of the current access token, used to determine if the token is still valid\n\n### #expires_within?\n\n def expires_within?(seconds) -\u003e Boolean\n\nDetermines whether the current access token expires within the specified number of seconds. \n**Parameter**\n\n- **seconds** (Integer) --- The number of seconds to check against the token's expiration time. \n**Returns**\n\n- (Boolean) --- Whether the access token expires within the given time frame\n\n### #impersonation_url\n\n def impersonation_url() -\u003e String\n\n**Returns**\n\n- (String) --- The URL endpoint used to generate an impersonation token. This URL should follow a specific format to specify the impersonated service account.\n\n### #initialize\n\n def initialize(options = {}) -\u003e Google::Auth::ImpersonatedServiceAccountCredentials\n\nInitializes a new instance of ImpersonatedServiceAccountCredentials. \n**Parameter**\n\n- **options** (Hash) --- A hash of options to configure the credentials. \n**Returns**\n\n- ([Google::Auth::ImpersonatedServiceAccountCredentials](./Google-Auth-ImpersonatedServiceAccountCredentials)) \n**Raises**\n\n- (ArgumentError) --- If any of the required options are missing.\n\n### #logger\n\n def logger() -\u003e Logger, nil\n\n**Returns**\n\n- (Logger, nil) --- The logger of the credentials.\n\n### #scope\n\n def scope() -\u003e Array\u003cString\u003e, String\n\n**Returns**\n\n- (Array\\\u003cString\\\u003e, String) --- The scope(s) required for the impersonated access token, indicating the permissions needed for the short-lived token\n\n### #source_credentials\n\n def source_credentials() -\u003e Object\n\n**Returns**\n\n- (Object) --- The modified version of base credentials, tailored for impersonation purposes with necessary scope adjustments\n\n### #universe_domain\n\n def universe_domain() -\u003e String\n\nThe universe domain of the impersonated credentials.\nEffectively this retrieves the universe domain of the source credentials. \n**Returns**\n\n- (String) --- The universe domain of the credentials."]]
