Reference documentation and code samples for the Google Auth Library Client class ExecutableSource.
ExecutableSource enables the exchange of workload identity pool external credentials for
Google access tokens by retrieving 3rd party tokens through a user supplied executable. These
scripts/executables are completely independent of the Google Cloud Auth libraries. These
credentials plug into ADC and will call the specified executable to retrieve the 3rd party token
to be exchanged for a Google access token.
To use these credentials, the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES environment variable
must be set to '1'. This is for security reasons.
Both OIDC and SAML are supported. The executable must adhere to a specific response format
defined below.
The executable must print out the 3rd party token to STDOUT in JSON format. When an
output_file is specified in the credential configuration, the executable must also handle writing the
JSON response to this file.
The "expiration_time" field in the JSON response is only required for successful
responses when an output file was specified in the credential configuration.
The auth libraries will populate certain environment variables that will be accessible by the
executable, such as: GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE, GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE,
GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE, GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL, and
GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE.
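An added example (not code from the library or its documentation) of an executable that follows the response format and environment variables described here, for the OIDC case only. `fetch_id_token`, the placeholder token, the one-hour lifetime and the `"400"` error code are constructed for illustration.

```python
"""Constructed example: executable for an executable-sourced credential."""
import json
import os
import sys
import tempfile
import time

OIDC_TYPE = "urn:ietf:params:oauth:token-type:id_token"

def fetch_id_token(audience):
    # Hypothetical stand-in: a real executable would obtain an OIDC token
    # for `audience` from the local identity provider.
    return "HEADER.PAYLOAD.SIGNATURE", int(time.time()) + 3600

def build_response(env):
    """Build the JSON response for the token type the auth library asked for."""
    token_type = env.get("GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE", "")
    audience = env.get("GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE", "")
    if token_type != OIDC_TYPE or not audience:
        # Fail closed with the error shape; never emit a token on bad input.
        return {"version": 1, "success": False, "code": "400",
                "message": "unsupported token type or missing audience"}
    token, expires = fetch_id_token(audience)
    return {"version": 1, "success": True, "token_type": OIDC_TYPE,
            "id_token": token, "expiration_time": expires}

def write_output_file(path, response):
    """Write the response atomically; mkstemp creates the file owner-only (0600)."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as handle:
        json.dump(response, handle)
    os.replace(tmp, path)  # readers never see a partially written file

def main(env=os.environ, stdout=sys.stdout):
    """Print the response to STDOUT and mirror it to the output file if one is set."""
    response = build_response(env)
    out = env.get("GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE")
    if out:
        write_output_file(out, response)
    json.dump(response, stdout)
    return response

if __name__ == "__main__":
    main()
```

The token is written only to STDOUT and the output file, never to STDERR or a log, since both channels carry a bearer credential.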
Namespace
Google \ Auth \ CredentialSource
Methods
__construct
Parameters

| Name | Description |
|---|---|
| command | `string` The string command to run to get the subject token. |
| outputFile | `string\|null` |
| executableHandler | `?\Google\Auth\ExecutableHandler\ExecutableHandler` |
getCacheKey
Gets the unique key for caching.
The format for the cache key is:
Command.OutputFile
fetchSubjectToken

Response format samples:

```
OIDC response sample:
{
  "version": 1,
  "success": true,
  "token_type": "urn:ietf:params:oauth:token-type:id_token",
  "id_token": "HEADER.PAYLOAD.SIGNATURE",
  "expiration_time": 1620433341
}

SAML2 response sample:
{
  "version": 1,
  "success": true,
  "token_type": "urn:ietf:params:oauth:token-type:saml2",
  "saml_response": "...",
  "expiration_time": 1620433341
}

Error response sample:
{
  "version": 1,
  "success": false,
  "code": "401",
  "message": "Error message."
}
```

Google Auth Library Client - Class ExecutableSource (1.47.1). Last updated 2025-08-28 UTC.