Load a service account token

Load a service account token

Usage

credentials_service_account(scopes = NULL, path = "", ..., subject = NULL)

Arguments

scopes

A character vector of scopes to request. Pick from those listed at https://developers.google.com/identity/protocols/oauth2/scopes.

For certain token flows, the "https://www.googleapis.com/auth/userinfo.email" scope is unconditionally included. This grants permission to retrieve the email address associated with a token; gargle uses this to index cached OAuth tokens. This grants no permission to view or send email and is generally considered a low-value scope.

path

JSON identifying the service account, in one of the forms supported for the txt argument of jsonlite::fromJSON() (typically, a file path or JSON string).

...

Additional arguments passed to all credential functions.

subject

An optional subject claim. Use for a service account which has been granted domain-wide authority by an administrator. Such delegation of domain-wide authority means that the service account is permitted to act on behalf of users, without their consent. Identify the user to impersonate via their email, e.g. subject = "user@example.com".

Value

An httr::TokenServiceAccount or NULL.

Details

Note that fetching a token for a service account requires a reasonably accurate system clock. For more information, see the vignette How gargle gets tokens.

See also

Additional reading on delegation of domain-wide authority:

• https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority

Other credential functions: credentials_app_default(), credentials_byo_oauth2(), credentials_external_account(), credentials_gce(), credentials_user_oauth2(), token_fetch()

Examples

if (FALSE) {
token <- credentials_service_account(
  scopes = "https://www.googleapis.com/auth/userinfo.email",
  path = "/path/to/your/service-account.json"
)
}