nebius.aio.token.service_account

Service-account based bearer for asynchronous authentication.

• This module provides a convenience ServiceAccountBearer which
• composes several internal bearer implementations to support exchanging
• service account credentials for access tokens, automatic renewal and a
• stable diagnostic name.

• The bearer may be constructed from one of three inputs:

  • a nebius.base.service_account.service_account.Reader instance

    which will be used to read the actual nebius.base.service_account.service_account.ServiceAccount;

• a ready-made nebius.base.service_account.service_account.ServiceAccount;
• a string service account id together with private_key and public_key_id which will be used to build an in-memory ServiceAccount.

Examples Constructing from an environment/CLI-backed reader (recommended):

>>> from nebius.aio.token.service_account import ServiceAccountBearer
>>> from nebius.base.service_account.pk_file import Reader as PKReader
>>> bearer = ServiceAccountBearer(PKReader("/path/to/private_key.pem"))

Constructing from explicit values (private key object required):

>>> from cryptography.hazmat.primitives.serialization import load_pem_private_key
>>> from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
>>> with open("/path/to/private_key.pem","rb") as fh:
...     key = load_pem_private_key(fh.read(), password=None)
>>> bearer = ServiceAccountBearer(
...     "service-account-id",
...     private_key=key,  # type: RSAPrivateKey
...     public_key_id="public-key-id",
... )

The resulting bearer exposes the receiver method used by the SDK's authentication layer. See nebius.aio.token.token for the receiver and token abstractions.