public class ImpersonatedCredentials extends GoogleCredentials implements ServiceAccountSigner, IdTokenProvider
Usage:

```java
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.FileInputStream;
import java.util.Arrays;

// Source identity: a service account key, scoped to the IAM API so it can mint tokens.
String credPath = "/path/to/svc_account.json";
ServiceAccountCredentials sourceCredentials =
    ServiceAccountCredentials.fromStream(new FileInputStream(credPath));
sourceCredentials = (ServiceAccountCredentials) sourceCredentials
    .createScoped(Arrays.asList("https://www.googleapis.com/auth/iam"));

// Impersonate the target account for 300 seconds with a read-only Storage scope; no delegates.
ImpersonatedCredentials targetCredentials = ImpersonatedCredentials.create(
    sourceCredentials,
    "impersonated-account@project.iam.gserviceaccount.com",
    null,
    Arrays.asList("https://www.googleapis.com/auth/devstorage.read_only"),
    300);

// Hand the short-lived credential to a client library.
Storage storage_service = StorageOptions.newBuilder()
    .setProjectId("project-id")
    .setCredentials(targetCredentials)
    .build()
    .getService();
for (Bucket b : storage_service.list().iterateAll()) {
  System.out.println(b);
}
```
Modifier and Type | Class and Description
---|---
static class | ImpersonatedCredentials.Builder

Nested classes/interfaces inherited from class OAuth2Credentials: OAuth2Credentials.CredentialsChangedListener

Nested classes/interfaces inherited from interface ServiceAccountSigner: ServiceAccountSigner.SigningException

Nested classes/interfaces inherited from interface IdTokenProvider: IdTokenProvider.Option

Fields inherited from class GoogleCredentials: quotaProjectId
Modifier and Type | Method and Description
---|---
static ImpersonatedCredentials | create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime)
static ImpersonatedCredentials | create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory)
static ImpersonatedCredentials | create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory, String quotaProjectId)
static ImpersonatedCredentials | create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory, String quotaProjectId, String iamEndpointOverride)
GoogleCredentials | createScoped(Collection<String> scopes): If the credentials support scopes, creates a copy of the identity with the specified scopes; otherwise, returns the same instance.
boolean | createScopedRequired(): Indicates whether the credentials require scopes to be specified via a call to GoogleCredentials.createScoped(java.util.Collection<java.lang.String>) before use.
ImpersonatedCredentials | createWithCustomCalendar(Calendar calendar): Clones the impersonated credentials with a new calendar.
boolean | equals(Object obj)
String | getAccount(): Returns the email field of the serviceAccount that is being impersonated.
GoogleCredentials | getSourceCredentials()
int | hashCode()
IdToken | idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options): Returns an IdToken for the current Credential.
static ImpersonatedCredentials.Builder | newBuilder()
AccessToken | refreshAccessToken(): Method to refresh the access token according to the specific type of credentials.
void | setTransportFactory(HttpTransportFactory httpTransportFactory)
byte[] | sign(byte[] toSign): Signs the provided bytes using the private key associated with the impersonated service account.
ImpersonatedCredentials.Builder | toBuilder()
String | toString()

Methods inherited from class GoogleCredentials: create, createDelegated, createScoped, createScoped, createWithCustomRetryStrategy, createWithQuotaProject, fromStream, fromStream, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getQuotaProjectId

Methods inherited from class OAuth2Credentials: addChangeListener, getAccessToken, getAuthenticationType, getFromServiceLoader, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener

Methods inherited from class Credentials: blockingGetToCallback, getRequestMetadata
public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory)

Parameters:
- sourceCredentials - the source credential used to acquire the impersonated credentials. It should be either a user account credential or a service account credential.
- targetPrincipal - the service account to impersonate
- delegates - the chained list of delegates required to grant the final access_token. If set, the sequence of identities must have the "Service Account Token Creator" capability granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB, serviceAccountB must have Token Creator on serviceAccountC, and finally C must have Token Creator on target_principal. If unset, sourceCredential must have that role on targetPrincipal.
- scopes - scopes to request during the authorization grant
- lifetime - number of seconds the delegated credential should be valid. By default this value should be at most 3600. However, you can follow these instructions to set up the service account and extend the maximum lifetime to 43200 (12 hours). If the given lifetime is 0, the default value 3600 will be used instead when creating the credentials.
- transportFactory - HTTP transport factory that creates the transport used to get access tokens

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory, String quotaProjectId)

Parameters:
- sourceCredentials - the source credential used to acquire the impersonated credentials. It should be either a user account credential or a service account credential.
- targetPrincipal - the service account to impersonate
- delegates - the chained list of delegates required to grant the final access_token. If set, the sequence of identities must have the "Service Account Token Creator" capability granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB, serviceAccountB must have Token Creator on serviceAccountC, and finally C must have Token Creator on target_principal. If unset, sourceCredential must have that role on targetPrincipal.
- scopes - scopes to request during the authorization grant
- lifetime - number of seconds the delegated credential should be valid. By default this value should be at most 3600. However, you can follow these instructions to set up the service account and extend the maximum lifetime to 43200 (12 hours). If the given lifetime is 0, the default value 3600 will be used instead when creating the credentials.
- transportFactory - HTTP transport factory that creates the transport used to get access tokens.
- quotaProjectId - the project used for quota and billing purposes. Should be null unless the caller wants to use a project different from the one that owns the impersonated credential for billing/quota purposes.

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory, String quotaProjectId, String iamEndpointOverride)

Parameters:
- sourceCredentials - the source credential used to acquire the impersonated credentials. It should be either a user account credential or a service account credential.
- targetPrincipal - the service account to impersonate
- delegates - the chained list of delegates required to grant the final access_token. If set, the sequence of identities must have the "Service Account Token Creator" capability granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB, serviceAccountB must have Token Creator on serviceAccountC, and finally C must have Token Creator on target_principal. If unset, sourceCredential must have that role on targetPrincipal.
- scopes - scopes to request during the authorization grant
- lifetime - number of seconds the delegated credential should be valid. By default this value should be at most 3600. However, you can follow these instructions to set up the service account and extend the maximum lifetime to 43200 (12 hours). If the given lifetime is 0, the default value 3600 will be used instead when creating the credentials.
- transportFactory - HTTP transport factory that creates the transport used to get access tokens.
- quotaProjectId - the project used for quota and billing purposes. Should be null unless the caller wants to use a project different from the one that owns the impersonated credential for billing/quota purposes.
- iamEndpointOverride - the full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints.

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime)

Parameters:
- sourceCredentials - the source credential used to acquire the impersonated credentials. It should be either a user account credential or a service account credential.
- targetPrincipal - the service account to impersonate
- delegates - the chained list of delegates required to grant the final access_token. If set, the sequence of identities must have the "Service Account Token Creator" capability granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB, serviceAccountB must have Token Creator on serviceAccountC, and finally C must have Token Creator on target_principal. If left unset, sourceCredential must have that role on targetPrincipal.
- scopes - scopes to request during the authorization grant
- lifetime - number of seconds the delegated credential should be valid. By default this value should be at most 3600. However, you can follow these instructions to set up the service account and extend the maximum lifetime to 43200 (12 hours): https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth. If the given lifetime is 0, the default value 3600 will be used instead when creating the credentials.

public String getAccount()

Returns the email field of the serviceAccount that is being impersonated.

Specified by: getAccount in interface ServiceAccountSigner
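The delegate chain and the short-lifetime rule described for the create overloads above, worked through end to end in an added example that is not code from this page or from the library's own documentation. It assumes Application Default Credentials as the source identity, hypothetical principal names and audience URL, and that IdTokenProvider.Option.INCLUDE_EMAIL is the enum constant the options list accepts.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdToken;
import com.google.auth.oauth2.IdTokenProvider;
import com.google.auth.oauth2.ImpersonatedCredentials;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;

public class DelegatedImpersonationExample {
  // Hypothetical principals: source -> serviceAccountB -> target.
  static final String DELEGATE_B = "service-account-b@project.iam.gserviceaccount.com";
  static final String TARGET = "impersonated-account@project.iam.gserviceaccount.com";
  // Keep minted tokens short; 300 s is well under the 3600 s default ceiling.
  static final int LIFETIME_SECONDS = 300;

  public static void main(String[] args) throws IOException {
    // The source needs "Service Account Token Creator" on DELEGATE_B,
    // and DELEGATE_B needs the same role on TARGET, or the refresh fails.
    GoogleCredentials source = GoogleCredentials.getApplicationDefault();

    ImpersonatedCredentials target = ImpersonatedCredentials.create(
        source,
        TARGET,
        Arrays.asList(DELEGATE_B),  // delegate chain, in order
        Arrays.asList("https://www.googleapis.com/auth/devstorage.read_only"),
        LIFETIME_SECONDS);

    // Mint an access token and confirm its TTL matches what was requested.
    AccessToken token = target.refreshAccessToken();
    long ttlSeconds =
        (token.getExpirationTime().getTime() - System.currentTimeMillis()) / 1000;
    System.out.println("impersonating " + target.getAccount()
        + ", access token valid for ~" + ttlSeconds + " s");

    // ID token bound to one audience; INCLUDE_EMAIL adds the target's email claim.
    IdToken idToken = target.idTokenWithAudience(
        "https://my-service.example.com",  // hypothetical audience
        Collections.singletonList(IdTokenProvider.Option.INCLUDE_EMAIL));
    System.out.println("id token length: " + idToken.getTokenValue().length());

    // Detached signature produced with the target's key, which never leaves IAM.
    byte[] signature = target.sign("payload".getBytes(StandardCharsets.UTF_8));
    System.out.println("signature bytes: " + signature.length);
  }
}
```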
public GoogleCredentials getSourceCredentials()

public void setTransportFactory(HttpTransportFactory httpTransportFactory)

public byte[] sign(byte[] toSign)

Signs the provided bytes using the private key associated with the impersonated service account.

Specified by: sign in interface ServiceAccountSigner

Parameters:
- toSign - bytes to sign

Throws:
- ServiceAccountSigner.SigningException - if the attempt to sign the provided bytes failed

public boolean createScopedRequired()

Description copied from class: GoogleCredentials

Indicates whether the credentials require scopes to be specified via a call to GoogleCredentials.createScoped(java.util.Collection<java.lang.String>) before use.

Overrides: createScopedRequired in class GoogleCredentials

public GoogleCredentials createScoped(Collection<String> scopes)

Description copied from class: GoogleCredentials

If the credentials support scopes, creates a copy of the identity with the specified scopes; otherwise, returns the same instance.

Overrides: createScoped in class GoogleCredentials

Parameters:
- scopes - Collection of scopes to request.

public ImpersonatedCredentials createWithCustomCalendar(Calendar calendar)

Clones the impersonated credentials with a new calendar.

Parameters:
- calendar - the calendar that will be used by the new ImpersonatedCredentials instance when parsing the received expiration time of the refreshed access token

public AccessToken refreshAccessToken() throws IOException

Description copied from class: OAuth2Credentials

Method to refresh the access token according to the specific type of credentials. Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

Overrides: refreshAccessToken in class OAuth2Credentials

Throws:
- IOException

public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options) throws IOException

Returns an IdToken for the current Credential.

Specified by: idTokenWithAudience in interface IdTokenProvider

Parameters:
- targetAudience - the audience field for the issued ID token
- options - credential specific options for the token. For example, an ID token for an ImpersonatedCredentials can return the email address within the token claims if "ImpersonatedCredentials.INCLUDE_EMAIL" is provided as a list option.

Throws:
- IOException - if the attempt to get an ID token failed

public int hashCode()

Overrides: hashCode in class OAuth2Credentials

public String toString()

Overrides: toString in class OAuth2Credentials

public boolean equals(Object obj)

Overrides: equals in class OAuth2Credentials

public ImpersonatedCredentials.Builder toBuilder()

Overrides: toBuilder in class GoogleCredentials

public static ImpersonatedCredentials.Builder newBuilder()
Copyright © 2023 Google. All rights reserved.