@Generated(value="by gapic-generator") @BetaApi public class IamCredentialsClient extends Object implements com.google.api.gax.core.BackgroundResource
Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.
This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> delegates = new ArrayList<>();
  List<String> scope = new ArrayList<>();
  Duration lifetime = Duration.newBuilder().build();
  GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
}
```
Note: close() needs to be called on the iamCredentialsClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().
The surface of this class includes several types of Java methods for each of the API's methods:
See the individual methods for example code.
Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.
This class can be customized by passing in a custom instance of IamCredentialsSettings to create(). For example:
To customize credentials:
```java
IamCredentialsSettings iamCredentialsSettings =
    IamCredentialsSettings.newBuilder()
        .setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
        .build();
IamCredentialsClient iamCredentialsClient =
    IamCredentialsClient.create(iamCredentialsSettings);
```
To customize the endpoint:
```java
IamCredentialsSettings iamCredentialsSettings =
    IamCredentialsSettings.newBuilder().setEndpoint(myEndpoint).build();
IamCredentialsClient iamCredentialsClient =
    IamCredentialsClient.create(iamCredentialsSettings);
```
Modifier | Constructor and Description |
---|---|
protected | `IamCredentialsClient(IamCredentialsSettings settings)` Constructs an instance of IamCredentialsClient, using the given settings. |
protected | `IamCredentialsClient(IamCredentialsStub stub)` |
Modifier and Type | Method and Description |
---|---|
boolean | `awaitTermination(long duration, TimeUnit unit)` |
void | `close()` |
static IamCredentialsClient | `create()` Constructs an instance of IamCredentialsClient with default settings. |
static IamCredentialsClient | `create(IamCredentialsSettings settings)` Constructs an instance of IamCredentialsClient, using the given settings. |
static IamCredentialsClient | `create(IamCredentialsStub stub)` Constructs an instance of IamCredentialsClient, using the given stub for making calls. |
GenerateAccessTokenResponse | `generateAccessToken(GenerateAccessTokenRequest request)` Generates an OAuth 2.0 access token for a service account. |
GenerateAccessTokenResponse | `generateAccessToken(ServiceAccountName name, List<String> delegates, List<String> scope, Duration lifetime)` Generates an OAuth 2.0 access token for a service account. |
GenerateAccessTokenResponse | `generateAccessToken(String name, List<String> delegates, List<String> scope, Duration lifetime)` Generates an OAuth 2.0 access token for a service account. |
com.google.api.gax.rpc.UnaryCallable<GenerateAccessTokenRequest,GenerateAccessTokenResponse> | `generateAccessTokenCallable()` Generates an OAuth 2.0 access token for a service account. |
GenerateIdTokenResponse | `generateIdToken(GenerateIdTokenRequest request)` Generates an OpenID Connect ID token for a service account. |
GenerateIdTokenResponse | `generateIdToken(ServiceAccountName name, List<String> delegates, String audience, boolean includeEmail)` Generates an OpenID Connect ID token for a service account. |
GenerateIdTokenResponse | `generateIdToken(String name, List<String> delegates, String audience, boolean includeEmail)` Generates an OpenID Connect ID token for a service account. |
com.google.api.gax.rpc.UnaryCallable<GenerateIdTokenRequest,GenerateIdTokenResponse> | `generateIdTokenCallable()` Generates an OpenID Connect ID token for a service account. |
IamCredentialsSettings | `getSettings()` |
IamCredentialsStub | `getStub()` |
boolean | `isShutdown()` |
boolean | `isTerminated()` |
void | `shutdown()` |
void | `shutdownNow()` |
SignBlobResponse | `signBlob(ServiceAccountName name, List<String> delegates, ByteString payload)` Signs a blob using a service account's system-managed private key. |
SignBlobResponse | `signBlob(SignBlobRequest request)` Signs a blob using a service account's system-managed private key. |
SignBlobResponse | `signBlob(String name, List<String> delegates, ByteString payload)` Signs a blob using a service account's system-managed private key. |
com.google.api.gax.rpc.UnaryCallable<SignBlobRequest,SignBlobResponse> | `signBlobCallable()` Signs a blob using a service account's system-managed private key. |
SignJwtResponse | `signJwt(ServiceAccountName name, List<String> delegates, String payload)` Signs a JWT using a service account's system-managed private key. |
SignJwtResponse | `signJwt(SignJwtRequest request)` Signs a JWT using a service account's system-managed private key. |
SignJwtResponse | `signJwt(String name, List<String> delegates, String payload)` Signs a JWT using a service account's system-managed private key. |
com.google.api.gax.rpc.UnaryCallable<SignJwtRequest,SignJwtResponse> | `signJwtCallable()` Signs a JWT using a service account's system-managed private key. |
protected IamCredentialsClient(IamCredentialsSettings settings) throws IOException
Throws: IOException
@BetaApi(value="A restructuring of stub classes is planned, so this may break in the future") protected IamCredentialsClient(IamCredentialsStub stub)
public static final IamCredentialsClient create() throws IOException
Throws: IOException
public static final IamCredentialsClient create(IamCredentialsSettings settings) throws IOException
Throws: IOException
@BetaApi(value="A restructuring of stub classes is planned, so this may break in the future") public static final IamCredentialsClient create(IamCredentialsStub stub)
public final IamCredentialsSettings getSettings()
@BetaApi(value="A restructuring of stub classes is planned, so this may break in the future") public IamCredentialsStub getStub()
public final GenerateAccessTokenResponse generateAccessToken(ServiceAccountName name, List<String> delegates, List<String> scope, Duration lifetime)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> delegates = new ArrayList<>();
  List<String> scope = new ArrayList<>();
  Duration lifetime = Duration.newBuilder().build();
  GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
}
```
name
- The resource name of the service account for which the credentials are requested,
in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates
- The sequence of service accounts in a delegation chain. Each service account
must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
in the chain. The last service account in the chain must be granted the
`roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
`name` field of the request.
The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
scope
- Code to identify the scopes to be included in the OAuth 2.0 access token. See
https://developers.google.com/identity/protocols/googlescopes for more information. At
least one value required.
lifetime
- The desired lifetime duration of the access token in seconds. Must be set to a
value less than or equal to 3600 (1 hour). If a value is not specified, the token's
lifetime will be set to a default value of one hour.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final GenerateAccessTokenResponse generateAccessToken(String name, List<String> delegates, List<String> scope, Duration lifetime)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> delegates = new ArrayList<>();
  List<String> scope = new ArrayList<>();
  Duration lifetime = Duration.newBuilder().build();
  GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name.toString(), delegates, scope, lifetime);
}
```
name
- The resource name of the service account for which the credentials are requested,
in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates
- The sequence of service accounts in a delegation chain. Each service account
must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
in the chain. The last service account in the chain must be granted the
`roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
`name` field of the request.
The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
scope
- Code to identify the scopes to be included in the OAuth 2.0 access token. See
https://developers.google.com/identity/protocols/googlescopes for more information. At
least one value required.
lifetime
- The desired lifetime duration of the access token in seconds. Must be set to a
value less than or equal to 3600 (1 hour). If a value is not specified, the token's
lifetime will be set to a default value of one hour.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final GenerateAccessTokenResponse generateAccessToken(GenerateAccessTokenRequest request)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> scope = new ArrayList<>();
  GenerateAccessTokenRequest request = GenerateAccessTokenRequest.newBuilder()
      .setName(name.toString())
      .addAllScope(scope)
      .build();
  GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(request);
}
```
request
- The request object containing all of the parameters for the API call.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final com.google.api.gax.rpc.UnaryCallable<GenerateAccessTokenRequest,GenerateAccessTokenResponse> generateAccessTokenCallable()
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> scope = new ArrayList<>();
  GenerateAccessTokenRequest request = GenerateAccessTokenRequest.newBuilder()
      .setName(name.toString())
      .addAllScope(scope)
      .build();
  ApiFuture<GenerateAccessTokenResponse> future = iamCredentialsClient.generateAccessTokenCallable().futureCall(request);
  // Do something
  GenerateAccessTokenResponse response = future.get();
}
```
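The constraints documented for `generateAccessToken` above (the resource-name format for `name` and `delegates`, the `roles/iam.serviceAccountTokenCreator` grant required at each hop of the delegation chain, at least one scope, a lifetime of at most 3600 seconds) can be checked before any remote call is made. The following is an added example, not part of the generated client or its documentation; the class `DelegationPreflight`, its `check` method, the `grants` map model and the sample account names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not part of the generated client): offline pre-flight check of
// generateAccessToken arguments against the constraints documented on this page.
public class DelegationPreflight {
  static final String TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator";
  static final long MAX_LIFETIME_SECONDS = 3600;
  // Documented format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}
  static final Pattern SA_NAME = Pattern.compile("projects/-/serviceAccounts/[^/\\s]+");

  /**
   * grants is a constructed model, not the IAM policy wire format:
   * service account resource name -> resource names granted TOKEN_CREATOR on it.
   * Returns the list of violations; an empty list means every documented constraint holds.
   */
  static List<String> check(String name, List<String> delegates, List<String> scope,
      long lifetimeSeconds, Map<String, Set<String>> grants) {
    List<String> problems = new ArrayList<>();
    List<String> chain = new ArrayList<>(delegates);
    chain.add(name); // the requested account is the final hop of the chain
    for (String resource : chain) {
      if (!SA_NAME.matcher(resource).matches()) {
        problems.add("malformed resource name: " + resource);
      }
    }
    if (scope.isEmpty()) {
      problems.add("scope: at least one value required");
    }
    if (lifetimeSeconds > MAX_LIFETIME_SECONDS) { // 0 models "not specified" (default of one hour)
      problems.add("lifetime: " + lifetimeSeconds + "s exceeds " + MAX_LIFETIME_SECONDS + "s");
    }
    // Each delegate needs TOKEN_CREATOR on the next hop; the last delegate needs it on name.
    // The caller's own permission on the first hop is not modeled here.
    for (int i = 0; i + 1 < chain.size(); i++) {
      String holder = chain.get(i);
      String target = chain.get(i + 1);
      if (!grants.getOrDefault(target, Set.of()).contains(holder)) {
        problems.add(holder + " lacks " + TOKEN_CREATOR + " on " + target);
      }
    }
    return problems;
  }

  public static void main(String[] args) {
    // Constructed sample accounts and grants.
    String a = "projects/-/serviceAccounts/ci@example-project.iam.gserviceaccount.com";
    String b = "projects/-/serviceAccounts/broker@example-project.iam.gserviceaccount.com";
    String target = "projects/-/serviceAccounts/deploy@example-project.iam.gserviceaccount.com";
    Map<String, Set<String>> grants = Map.of(b, Set.of(a)); // broker -> deploy grant is missing

    List<String> scope = List.of("https://www.googleapis.com/auth/cloud-platform");
    // Well-formed request whose chain is broken at the last hop.
    check(target, List.of(a, b), scope, 900, grants).forEach(System.out::println);
    // Malformed delegate name, empty scope, lifetime above the limit, and no grant on the target.
    check(target, List.of("ci@example-project"), List.of(), 7200, grants)
        .forEach(System.out::println);
  }
}
```

Reviewing the same chain model against real IAM bindings shows which accounts can mint tokens for which others, which is the set of grants to keep minimal.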
public final GenerateIdTokenResponse generateIdToken(ServiceAccountName name, List<String> delegates, String audience, boolean includeEmail)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> delegates = new ArrayList<>();
  String audience = "";
  boolean includeEmail = false;
  GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(name, delegates, audience, includeEmail);
}
```
name
- The resource name of the service account for which the credentials are requested,
in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates
- The sequence of service accounts in a delegation chain. Each service account
must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
in the chain. The last service account in the chain must be granted the
`roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
`name` field of the request.
The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
audience
- The audience for the token, such as the API or account that this token grants
access to.
includeEmail
- Include the service account email in the token. If set to `true`, the token
will contain `email` and `email_verified` claims.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final GenerateIdTokenResponse generateIdToken(String name, List<String> delegates, String audience, boolean includeEmail)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> delegates = new ArrayList<>();
  String audience = "";
  boolean includeEmail = false;
  GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(name.toString(), delegates, audience, includeEmail);
}
```
name
- The resource name of the service account for which the credentials are requested,
in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates
- The sequence of service accounts in a delegation chain. Each service account
must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
in the chain. The last service account in the chain must be granted the
`roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
`name` field of the request.
The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
audience
- The audience for the token, such as the API or account that this token grants
access to.
includeEmail
- Include the service account email in the token. If set to `true`, the token
will contain `email` and `email_verified` claims.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final GenerateIdTokenResponse generateIdToken(GenerateIdTokenRequest request)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  String audience = "";
  GenerateIdTokenRequest request = GenerateIdTokenRequest.newBuilder()
      .setName(name.toString())
      .setAudience(audience)
      .build();
  GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(request);
}
```
request
- The request object containing all of the parameters for the API call.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final com.google.api.gax.rpc.UnaryCallable<GenerateIdTokenRequest,GenerateIdTokenResponse> generateIdTokenCallable()
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  String audience = "";
  GenerateIdTokenRequest request = GenerateIdTokenRequest.newBuilder()
      .setName(name.toString())
      .setAudience(audience)
      .build();
  ApiFuture<GenerateIdTokenResponse> future = iamCredentialsClient.generateIdTokenCallable().futureCall(request);
  // Do something
  GenerateIdTokenResponse response = future.get();
}
```
public final SignBlobResponse signBlob(ServiceAccountName name, List<String> delegates, ByteString payload)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> delegates = new ArrayList<>();
  ByteString payload = ByteString.copyFromUtf8("");
  SignBlobResponse response = iamCredentialsClient.signBlob(name, delegates, payload);
}
```
name
- The resource name of the service account for which the credentials are requested,
in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates
- The sequence of service accounts in a delegation chain. Each service account
must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
in the chain. The last service account in the chain must be granted the
`roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
`name` field of the request.
The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
payload
- The bytes to sign.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final SignBlobResponse signBlob(String name, List<String> delegates, ByteString payload)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> delegates = new ArrayList<>();
  ByteString payload = ByteString.copyFromUtf8("");
  SignBlobResponse response = iamCredentialsClient.signBlob(name.toString(), delegates, payload);
}
```
name
- The resource name of the service account for which the credentials are requested,
in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates
- The sequence of service accounts in a delegation chain. Each service account
must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
in the chain. The last service account in the chain must be granted the
`roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
`name` field of the request.
The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
payload
- The bytes to sign.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final SignBlobResponse signBlob(SignBlobRequest request)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  ByteString payload = ByteString.copyFromUtf8("");
  SignBlobRequest request = SignBlobRequest.newBuilder()
      .setName(name.toString())
      .setPayload(payload)
      .build();
  SignBlobResponse response = iamCredentialsClient.signBlob(request);
}
```
request
- The request object containing all of the parameters for the API call.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final com.google.api.gax.rpc.UnaryCallable<SignBlobRequest,SignBlobResponse> signBlobCallable()
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  ByteString payload = ByteString.copyFromUtf8("");
  SignBlobRequest request = SignBlobRequest.newBuilder()
      .setName(name.toString())
      .setPayload(payload)
      .build();
  ApiFuture<SignBlobResponse> future = iamCredentialsClient.signBlobCallable().futureCall(request);
  // Do something
  SignBlobResponse response = future.get();
}
```
public final SignJwtResponse signJwt(ServiceAccountName name, List<String> delegates, String payload)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> delegates = new ArrayList<>();
  String payload = "";
  SignJwtResponse response = iamCredentialsClient.signJwt(name, delegates, payload);
}
```
name
- The resource name of the service account for which the credentials are requested,
in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates
- The sequence of service accounts in a delegation chain. Each service account
must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
in the chain. The last service account in the chain must be granted the
`roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
`name` field of the request.
The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
payload
- The JWT payload to sign: a JSON object that contains a JWT Claims Set.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final SignJwtResponse signJwt(String name, List<String> delegates, String payload)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  List<String> delegates = new ArrayList<>();
  String payload = "";
  SignJwtResponse response = iamCredentialsClient.signJwt(name.toString(), delegates, payload);
}
```
name
- The resource name of the service account for which the credentials are requested,
in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates
- The sequence of service accounts in a delegation chain. Each service account
must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
in the chain. The last service account in the chain must be granted the
`roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
`name` field of the request.
The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
payload
- The JWT payload to sign: a JSON object that contains a JWT Claims Set.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final SignJwtResponse signJwt(SignJwtRequest request)
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  String payload = "";
  SignJwtRequest request = SignJwtRequest.newBuilder()
      .setName(name.toString())
      .setPayload(payload)
      .build();
  SignJwtResponse response = iamCredentialsClient.signJwt(request);
}
```
request
- The request object containing all of the parameters for the API call.
com.google.api.gax.rpc.ApiException
- if the remote call fails
public final com.google.api.gax.rpc.UnaryCallable<SignJwtRequest,SignJwtResponse> signJwtCallable()
Sample code:
```java
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
  ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
  String payload = "";
  SignJwtRequest request = SignJwtRequest.newBuilder()
      .setName(name.toString())
      .setPayload(payload)
      .build();
  ApiFuture<SignJwtResponse> future = iamCredentialsClient.signJwtCallable().futureCall(request);
  // Do something
  SignJwtResponse response = future.get();
}
```
public final void close()
Specified by: close in interface AutoCloseable
public void shutdown()
Specified by: shutdown in interface com.google.api.gax.core.BackgroundResource
public boolean isShutdown()
Specified by: isShutdown in interface com.google.api.gax.core.BackgroundResource
public boolean isTerminated()
Specified by: isTerminated in interface com.google.api.gax.core.BackgroundResource
public void shutdownNow()
Specified by: shutdownNow in interface com.google.api.gax.core.BackgroundResource
public boolean awaitTermination(long duration, TimeUnit unit) throws InterruptedException
Specified by: awaitTermination in interface com.google.api.gax.core.BackgroundResource
Throws: InterruptedException
Copyright © 2019 Google LLC. All rights reserved.