Class: Anthropic::Credentials::WorkloadIdentity

Inherits: Object
Defined in:
lib/anthropic/credentials/workload_identity.rb

Overview

Exchanges an external OIDC JWT for an Anthropic access token via the RFC 7523 jwt-bearer grant.

This is an access token provider: calling it performs a fresh token exchange. Wrap in a TokenCache (done automatically when passed as credentials: to Anthropic::Client) to avoid exchanging on every request.

Constant Summary

MAX_ASSERTION_BYTES = 16 * 1024

Maximum size in bytes for the identity token JWT. JWTs from real IdPs are <4 KiB; a 16 KiB ceiling catches misconfiguration.

Instance Method Summary

Constructor Details

#initialize(identity_token_provider:, federation_rule_id:, organization_id:, service_account_id: nil, scope: nil) ⇒ WorkloadIdentity

Returns a new instance of WorkloadIdentity.

Parameters:

  • identity_token_provider (#call)

    callable that returns the external OIDC JWT string (e.g., IdentityTokenFile or a Proc/lambda)

  • federation_rule_id (String)

    the federation rule ID configured in the Anthropic Console

  • organization_id (String)

    the organization’s raw UUID string

  • service_account_id (String, nil) (defaults to: nil)

    optional service account ID to impersonate

  • scope (String, nil) (defaults to: nil)

    optional OAuth scope (informational only for federation; the server derives the effective scope from the federation rule)



# File 'lib/anthropic/credentials/workload_identity.rb', line 58

def initialize(
  identity_token_provider:,
  federation_rule_id:,
  organization_id:,
  service_account_id: nil,
  scope: nil # rubocop:disable Lint/UnusedMethodArgument
)
  @identity_token_provider = identity_token_provider
  @federation_rule_id = federation_rule_id
  @organization_id = organization_id
  @service_account_id = service_account_id
  @bound_base_url = nil
end

Instance Method Details

#bind_base_url(base_url) ⇒ void

This method returns an undefined value.

Sets the API base_url the token exchange POSTs to.

Called by Anthropic::Client when this object is passed as credentials:, so callers don’t pass the same URL twice. For standalone use (no client) or tests, call this directly.

Parameters:

  • base_url (String)

    the API base URL (must be HTTPS except for localhost)

Raises:



# File 'lib/anthropic/credentials/workload_identity.rb', line 81

def bind_base_url(base_url)
  bound = base_url.to_s.chomp("/")
  Anthropic::Config.require_https!(bound, field: "base_url")
  @bound_base_url = bound
end

#call(force_refresh: false) ⇒ AccessToken

Performs the token exchange and returns an access token.

Re-invokes the identity token provider on every call — the underlying file or environment variable may have rotated.

Parameters:

  • force_refresh (Boolean) (defaults to: false)

    ignored; this provider has no cache to bypass

Returns:

  • (AccessToken)

    the exchanged access token with expiry

Raises:

  • (WorkloadIdentityError)

    if the identity token assertion exceeds MAX_ASSERTION_BYTES

# File 'lib/anthropic/credentials/workload_identity.rb', line 95

def call(force_refresh: false) # rubocop:disable Lint/UnusedMethodArgument
  jwt = @identity_token_provider.call

  if jwt.bytesize > MAX_ASSERTION_BYTES
    raise WorkloadIdentityError,
          "Identity token assertion is #{jwt.bytesize} bytes, exceeding #{MAX_ASSERTION_BYTES}-byte limit"
  end

  perform_exchange(jwt)
end
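The provider contract described above (re-read the identity token on every call, enforce the assertion ceiling, require an HTTPS base URL, and let a cache decide when to exchange), as an added stand-alone example that is not the gem's code. `DemoWorkloadIdentity`, `DemoTokenCache` and the `exchanger` callable that stands in for the network POST are all constructed here for illustration.

```ruby
require "uri"
# Constructed stand-in for the provider contract on this page; not the gem's code.
MAX_ASSERTION_BYTES = 16 * 1024
class WorkloadIdentityError < StandardError; end
AccessToken = Struct.new(:token, :expires_at) do
  def expired?(now = Time.now, skew: 60) # expire a little early, never race the real expiry
    expires_at - skew <= now
  end
end

class DemoWorkloadIdentity
  attr_reader :exchanges
  # identity_token_provider: callable returning the external OIDC JWT string.
  # exchanger: hypothetical stand-in for the jwt-bearer POST, (base_url, jwt) -> AccessToken.
  def initialize(identity_token_provider:, exchanger:)
    @identity_token_provider = identity_token_provider
    @exchanger = exchanger
    @bound_base_url = nil
    @exchanges = 0
  end
  # HTTPS is required; plain http is tolerated only for localhost.
  def bind_base_url(base_url)
    bound = base_url.to_s.chomp("/")
    uri = URI.parse(bound)
    local = uri.scheme == "http" && %w[localhost 127.0.0.1].include?(uri.host)
    raise WorkloadIdentityError, "base_url must be HTTPS: #{bound}" unless uri.scheme == "https" || local
    @bound_base_url = bound
  end
  # Re-reads the identity token on every call (it may have rotated), enforces
  # the size ceiling, then performs a fresh exchange; force_refresh is ignored.
  def call(force_refresh: false) # rubocop:disable Lint/UnusedMethodArgument
    raise WorkloadIdentityError, "call bind_base_url first" unless @bound_base_url
    jwt = @identity_token_provider.call
    if jwt.bytesize > MAX_ASSERTION_BYTES
      raise WorkloadIdentityError, "assertion is #{jwt.bytesize} bytes, exceeding #{MAX_ASSERTION_BYTES}-byte limit"
    end
    @exchanges += 1
    @exchanger.call(@bound_base_url, jwt)
  end
end

# Minimal TokenCache stand-in: exchanges only when no unexpired token is cached.
class DemoTokenCache
  def initialize(provider)
    @provider = provider
  end
  def call(force_refresh: false)
    return @cached if !force_refresh && @cached && !@cached.expired?
    @cached = @provider.call
  end
end
```

Wrapping the provider in the cache is what keeps one exchange from happening per API request, while `force_refresh: true` on the cache still drives a fresh exchange.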