com.google.auth.oauth2

Class ServiceAccountCredentials

java.lang.Object

com.google.auth.Credentials

com.google.auth.oauth2.OAuth2Credentials

com.google.auth.oauth2.GoogleCredentials

com.google.auth.oauth2.ServiceAccountCredentials

All Implemented Interfaces:

IdTokenProvider, JwtProvider, QuotaProjectIdProvider, ServiceAccountSigner, Serializable

public class ServiceAccountCredentials
extends GoogleCredentials
implements ServiceAccountSigner, IdTokenProvider, JwtProvider

OAuth2 credentials representing a Service Account for calling Google APIs.

By default uses a JSON Web Token (JWT) to fetch access tokens.

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ServiceAccountCredentials.Builder

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials

OAuth2Credentials.CredentialsChangedListener

Nested classes/interfaces inherited from interface com.google.auth.ServiceAccountSigner

ServiceAccountSigner.SigningException

Nested classes/interfaces inherited from interface com.google.auth.oauth2.IdTokenProvider

IdTokenProvider.Option

Field Summary

Fields inherited from class com.google.auth.oauth2.GoogleCredentials

quotaProjectId

Method Summary

Modifier and Type	Method and Description
GoogleCredentials	createDelegated(String user) If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.
GoogleCredentials	createScoped(Collection<String> newScopes) Clones the service account with the specified scopes.
GoogleCredentials	createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes) Clones the service account with the specified scopes.
boolean	createScopedRequired() Returns whether the scopes are empty, meaning createScoped must be called before use.
ServiceAccountCredentials	createWithCustomLifetime(int lifetime) Clones the service account with a new lifetime value.
ServiceAccountCredentials	createWithCustomRetryStrategy(boolean defaultRetriesEnabled) Clones the service account with the specified default retries.
ServiceAccountCredentials	createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope) Clones the service account with a new useJwtAccessWithScope value.
boolean	equals(Object obj)
static ServiceAccountCredentials	fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes) Factory with minimum identifying information using PKCS#8 for the private key.
static ServiceAccountCredentials	fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes) Factory with minimum identifying information using PKCS#8 for the private key.
static ServiceAccountCredentials	fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri) Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
static ServiceAccountCredentials	fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser) Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
static ServiceAccountCredentials	fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri) Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
static ServiceAccountCredentials	fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser) Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
static ServiceAccountCredentials	fromStream(InputStream credentialsStream) Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
static ServiceAccountCredentials	fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory) Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
String	getAccount() Returns the service account associated with the signer.
String	getClientEmail()
String	getClientId()
Collection<String>	getDefaultScopes()
PrivateKey	getPrivateKey()
String	getPrivateKeyId()
String	getProjectId()
Map<String,List<String>>	getRequestMetadata(URI uri) Provide the request metadata by putting an access JWT directly in the metadata.
void	getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback) Get the current request metadata without blocking.
Collection<String>	getScopes()
String	getServiceAccountUser()
URI	getTokenServerUri()
boolean	getUseJwtAccessWithScope()
int	hashCode()
IdToken	idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options) Returns a Google ID Token from the metadata server on ComputeEngine.
JwtCredentials	jwtWithClaims(JwtClaims newClaims) Returns a new JwtCredentials instance with modified claims.
static ServiceAccountCredentials.Builder	newBuilder()
AccessToken	refreshAccessToken() Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).
byte[]	sign(byte[] toSign) Signs the provided bytes using the private key associated with the service account.
ServiceAccountCredentials.Builder	toBuilder()
String	toString()

Methods inherited from class com.google.auth.oauth2.GoogleCredentials

create, createScoped, createWithQuotaProject, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getQuotaProjectId

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials

addChangeListener, getAccessToken, getAuthenticationType, getFromServiceLoader, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener

Methods inherited from class com.google.auth.Credentials

blockingGetToCallback, getRequestMetadata

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Method Detail

fromPkcs8

public static ServiceAccountCredentials fromPkcs8(String clientId,
                                                  String clientEmail,
                                                  String privateKeyPkcs8,
                                                  String privateKeyId,
                                                  Collection<String> scopes)
                                           throws IOException

Factory with minimum identifying information using PKCS#8 for the private key.

Parameters:

clientId - Client ID of the service account from the console. May be null.

clientEmail - Client email address of the service account from the console.

privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.

privateKeyId - Private key identifier for the service account. May be null.

scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.

Returns:

New ServiceAccountCredentials created from a private key.

Throws:

IOException - if the credential cannot be created from the private key.

fromPkcs8

public static ServiceAccountCredentials fromPkcs8(String clientId,
                                                  String clientEmail,
                                                  String privateKeyPkcs8,
                                                  String privateKeyId,
                                                  Collection<String> scopes,
                                                  Collection<String> defaultScopes)
                                           throws IOException

Factory with minimum identifying information using PKCS#8 for the private key.

Parameters:

clientId - client ID of the service account from the console. May be null.

clientEmail - client email address of the service account from the console

privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.

privateKeyId - private key identifier for the service account. May be null.

scopes - scope strings for the APIs to be called. May be null or an empty collection.

defaultScopes - default scope strings for the APIs to be called. May be null or an empty.

Returns:

new ServiceAccountCredentials created from a private key

Throws:

IOException - if the credential cannot be created from the private key

fromPkcs8

public static ServiceAccountCredentials fromPkcs8(String clientId,
                                                  String clientEmail,
                                                  String privateKeyPkcs8,
                                                  String privateKeyId,
                                                  Collection<String> scopes,
                                                  HttpTransportFactory transportFactory,
                                                  URI tokenServerUri)
                                           throws IOException

Factory with minimum identifying information and custom transport using PKCS#8 for the private key.

Parameters:

clientId - Client ID of the service account from the console. May be null.

clientEmail - Client email address of the service account from the console.

privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.

privateKeyId - Private key identifier for the service account. May be null.

scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

tokenServerUri - URI of the end point that provides tokens.

Returns:

New ServiceAccountCredentials created from a private key.

Throws:

IOException - if the credential cannot be created from the private key.

fromPkcs8

public static ServiceAccountCredentials fromPkcs8(String clientId,
                                                  String clientEmail,
                                                  String privateKeyPkcs8,
                                                  String privateKeyId,
                                                  Collection<String> scopes,
                                                  Collection<String> defaultScopes,
                                                  HttpTransportFactory transportFactory,
                                                  URI tokenServerUri)
                                           throws IOException

Factory with minimum identifying information and custom transport using PKCS#8 for the private key.

Parameters:

clientId - client ID of the service account from the console. May be null.

clientEmail - client email address of the service account from the console

privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.

privateKeyId - private key identifier for the service account. May be null.

scopes - scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.

defaultScopes - default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

tokenServerUri - URI of the end point that provides tokens

Returns:

new ServiceAccountCredentials created from a private key

Throws:

IOException - if the credential cannot be created from the private key

fromPkcs8

public static ServiceAccountCredentials fromPkcs8(String clientId,
                                                  String clientEmail,
                                                  String privateKeyPkcs8,
                                                  String privateKeyId,
                                                  Collection<String> scopes,
                                                  HttpTransportFactory transportFactory,
                                                  URI tokenServerUri,
                                                  String serviceAccountUser)
                                           throws IOException

Factory with minimum identifying information and custom transport using PKCS#8 for the private key.

Parameters:

clientId - Client ID of the service account from the console. May be null.

clientEmail - Client email address of the service account from the console.

privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.

privateKeyId - Private key identifier for the service account. May be null.

scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

tokenServerUri - URI of the end point that provides tokens.

serviceAccountUser - The email of the user account to impersonate, if delegating domain-wide authority to the service account.

Returns:

New ServiceAccountCredentials created from a private key.

Throws:

IOException - if the credential cannot be created from the private key.

fromPkcs8

public static ServiceAccountCredentials fromPkcs8(String clientId,
                                                  String clientEmail,
                                                  String privateKeyPkcs8,
                                                  String privateKeyId,
                                                  Collection<String> scopes,
                                                  Collection<String> defaultScopes,
                                                  HttpTransportFactory transportFactory,
                                                  URI tokenServerUri,
                                                  String serviceAccountUser)
                                           throws IOException

Factory with minimum identifying information and custom transport using PKCS#8 for the private key.

Parameters:

clientId - client ID of the service account from the console. May be null.

clientEmail - client email address of the service account from the console

privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.

privateKeyId - private key identifier for the service account. May be null.

scopes - scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.

defaultScopes - default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

tokenServerUri - URI of the end point that provides tokens

serviceAccountUser - the email of the user account to impersonate, if delegating domain-wide authority to the service account.

Returns:

new ServiceAccountCredentials created from a private key

Throws:

IOException - if the credential cannot be created from the private key

fromStream

public static ServiceAccountCredentials fromStream(InputStream credentialsStream)
                                            throws IOException

Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.

Parameters:

credentialsStream - the stream with the credential definition.

Returns:

the credential defined by the credentialsStream.

Throws:

IOException - if the credential cannot be created from the stream.

fromStream

public static ServiceAccountCredentials fromStream(InputStream credentialsStream,
                                                   HttpTransportFactory transportFactory)
                                            throws IOException

Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.

Parameters:

credentialsStream - the stream with the credential definition.

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

Returns:

the credential defined by the credentialsStream.

Throws:

IOException - if the credential cannot be created from the stream.

createScopedRequired

public boolean createScopedRequired()

Returns whether the scopes are empty, meaning createScoped must be called before use.

Overrides:

createScopedRequired in class GoogleCredentials

Returns:

Whether the credentials require scopes to be specified.

refreshAccessToken

public AccessToken refreshAccessToken()
                               throws IOException

Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).

Overrides:

refreshAccessToken in class OAuth2Credentials

Returns:

never

Throws:

IOException

idTokenWithAudience

public IdToken idTokenWithAudience(String targetAudience,
                                   List<IdTokenProvider.Option> options)
                            throws IOException

Returns a Google ID Token from the metadata server on ComputeEngine.

Specified by:

idTokenWithAudience in interface IdTokenProvider

Parameters:

targetAudience - the aud: field the IdToken should include.

options - list of Credential specific options for the token. Currently, unused for ServiceAccountCredentials.

Returns:

IdToken object which includes the raw id_token, expiration and audience

Throws:

IOException - if the attempt to get an IdToken failed

createWithCustomRetryStrategy

public ServiceAccountCredentials createWithCustomRetryStrategy(boolean defaultRetriesEnabled)

Clones the service account with the specified default retries.

Overrides:

createWithCustomRetryStrategy in class GoogleCredentials

Parameters:

defaultRetriesEnabled - a flag enabling or disabling default retries

Returns:

GoogleCredentials with the specified retry configuration.

createScoped

public GoogleCredentials createScoped(Collection<String> newScopes)

Clones the service account with the specified scopes.

Should be called before use for instances with empty scopes.

Overrides:

createScoped in class GoogleCredentials

Parameters:

newScopes - Collection of scopes to request.

Returns:

GoogleCredentials with requested scopes.

createScoped

public GoogleCredentials createScoped(Collection<String> newScopes,
                                      Collection<String> newDefaultScopes)

Clones the service account with the specified scopes.

Should be called before use for instances with empty scopes.

Overrides:

createScoped in class GoogleCredentials

Parameters:

newScopes - Collection of scopes to request.

newDefaultScopes - Collection of default scopes to request.

Returns:

GoogleCredentials with requested scopes.

createWithCustomLifetime

public ServiceAccountCredentials createWithCustomLifetime(int lifetime)

Clones the service account with a new lifetime value.

Parameters:

lifetime - life time value in seconds. The value should be at most 43200 (12 hours). If the token is used for calling a Google API, then the value should be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used when creating the credentials.

Returns:

the cloned service account credentials with the given custom life time

createWithUseJwtAccessWithScope

public ServiceAccountCredentials createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope)

Clones the service account with a new useJwtAccessWithScope value.

Parameters:

useJwtAccessWithScope - whether self signed JWT with scopes should be used

Returns:

the cloned service account credentials with the given useJwtAccessWithScope

createDelegated

public GoogleCredentials createDelegated(String user)

Description copied from class: GoogleCredentials

If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.

Overrides:

createDelegated in class GoogleCredentials

Parameters:

user - User to impersonate.

Returns:

GoogleCredentials with a delegated user.

getClientId

public final String getClientId()

getClientEmail

public final String getClientEmail()

getPrivateKey

public final PrivateKey getPrivateKey()

getPrivateKeyId

public final String getPrivateKeyId()

getScopes

public final Collection<String> getScopes()

getDefaultScopes

public final Collection<String> getDefaultScopes()

getServiceAccountUser

public final String getServiceAccountUser()

getProjectId

public final String getProjectId()

getTokenServerUri

public final URI getTokenServerUri()

getUseJwtAccessWithScope

public boolean getUseJwtAccessWithScope()

getAccount

public String getAccount()

Description copied from interface: ServiceAccountSigner

Returns the service account associated with the signer.

Specified by:

getAccount in interface ServiceAccountSigner

Returns:

The service account associated with the signer.

sign

public byte[] sign(byte[] toSign)

Description copied from interface: ServiceAccountSigner

Signs the provided bytes using the private key associated with the service account.

Specified by:

sign in interface ServiceAccountSigner

Parameters:

toSign - bytes to sign

Returns:

signed bytes

jwtWithClaims

public JwtCredentials jwtWithClaims(JwtClaims newClaims)

Returns a new JwtCredentials instance with modified claims.

Specified by:

jwtWithClaims in interface JwtProvider

Parameters:

newClaims - new claims. Any unspecified claim fields will default to the the current values.

Returns:

new credentials

hashCode

public int hashCode()

Overrides:

hashCode in class OAuth2Credentials

toString

public String toString()

Overrides:

toString in class OAuth2Credentials

equals

public boolean equals(Object obj)

Overrides:

equals in class OAuth2Credentials

getRequestMetadata

public void getRequestMetadata(URI uri,
                               Executor executor,
                               RequestMetadataCallback callback)

Description copied from class: Credentials

Get the current request metadata without blocking.

This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.

The default implementation will just call Credentials.getRequestMetadata(URI) then the callback from the given executor.

The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.

Overrides:

getRequestMetadata in class OAuth2Credentials

Parameters:

uri - URI of the entry point for the request.

executor - Executor to perform the request.

callback - Callback to execute when the request is finished.

getRequestMetadata

public Map<String,List<String>> getRequestMetadata(URI uri)
                                            throws IOException

Provide the request metadata by putting an access JWT directly in the metadata.

Overrides:

getRequestMetadata in class OAuth2Credentials

Parameters:

uri - URI of the entry point for the request.

Returns:

The request metadata used for populating headers or other context.

Throws:

IOException - if there was an error getting up-to-date access. The exception should implement Retryable and isRetryable() will return true if the operation may be retried.

newBuilder

public static ServiceAccountCredentials.Builder newBuilder()

toBuilder

public ServiceAccountCredentials.Builder toBuilder()

Overrides:

toBuilder in class GoogleCredentials