com.google.cloud.iam.credentials.v1

Class IamCredentialsClient

java.lang.Object

com.google.cloud.iam.credentials.v1.IamCredentialsClient

All Implemented Interfaces:

BackgroundResource, AutoCloseable

@Generated(value="by gapic-generator")
 @BetaApi
public class IamCredentialsClient
extends Object
implements BackgroundResource

Service Description: A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.

Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.

This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:

 
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }
 
 

Note: close() needs to be called on the iamCredentialsClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().

The surface of this class includes several types of Java methods for each of the API's methods:

1. A "flattened" method. With this type of method, the fields of the request type have been converted into function parameters. It may be the case that not all fields are available as parameters, and not every API method will have a flattened method entry point.
2. A "request object" method. This type of method only takes one parameter, a request object, which must be constructed before the call. Not every API method will have a request object method.
3. A "callable" method. This type of method takes no parameters and returns an immutable API callable object, which can be used to initiate calls to the service.

See the individual methods for example code.

Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.

This class can be customized by passing in a custom instance of IamCredentialsSettings to create(). For example:

To customize credentials:

 
 IamCredentialsSettings iamCredentialsSettings =
     IamCredentialsSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
         .build();
 IamCredentialsClient iamCredentialsClient =
     IamCredentialsClient.create(iamCredentialsSettings);
 
 

To customize the endpoint:

 
 IamCredentialsSettings iamCredentialsSettings =
     IamCredentialsSettings.newBuilder().setEndpoint(myEndpoint).build();
 IamCredentialsClient iamCredentialsClient =
     IamCredentialsClient.create(iamCredentialsSettings);
 
 

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	IamCredentialsClient(IamCredentialsSettings settings) Constructs an instance of IamCredentialsClient, using the given settings.
protected	IamCredentialsClient(IamCredentialsStub stub)

Method Summary

Modifier and Type	Method and Description
boolean	awaitTermination(long duration, TimeUnit unit)
void	close()
static IamCredentialsClient	create() Constructs an instance of IamCredentialsClient with default settings.
static IamCredentialsClient	create(IamCredentialsSettings settings) Constructs an instance of IamCredentialsClient, using the given settings.
static IamCredentialsClient	create(IamCredentialsStub stub) Constructs an instance of IamCredentialsClient, using the given stub for making calls.
com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse	generateAccessToken(com.google.cloud.iam.credentials.v1.GenerateAccessTokenRequest request) Generates an OAuth 2.0 access token for a service account.
com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse	generateAccessToken(com.google.cloud.iam.credentials.v1.ServiceAccountName name, List<String> delegates, List<String> scope, Duration lifetime) Generates an OAuth 2.0 access token for a service account.
com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse	generateAccessToken(String name, List<String> delegates, List<String> scope, Duration lifetime) Generates an OAuth 2.0 access token for a service account.
UnaryCallable<com.google.cloud.iam.credentials.v1.GenerateAccessTokenRequest,com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse>	generateAccessTokenCallable() Generates an OAuth 2.0 access token for a service account.
com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse	generateIdentityBindingAccessToken(com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest request) Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token
com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse	generateIdentityBindingAccessToken(com.google.cloud.iam.credentials.v1.ServiceAccountName name, List<String> scope, String jwt) Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token
com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse	generateIdentityBindingAccessToken(String name, List<String> scope, String jwt) Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token
UnaryCallable<com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest,com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse>	generateIdentityBindingAccessTokenCallable() Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token
com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse	generateIdToken(com.google.cloud.iam.credentials.v1.GenerateIdTokenRequest request) Generates an OpenID Connect ID token for a service account.
com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse	generateIdToken(com.google.cloud.iam.credentials.v1.ServiceAccountName name, List<String> delegates, String audience, boolean includeEmail) Generates an OpenID Connect ID token for a service account.
com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse	generateIdToken(String name, List<String> delegates, String audience, boolean includeEmail) Generates an OpenID Connect ID token for a service account.
UnaryCallable<com.google.cloud.iam.credentials.v1.GenerateIdTokenRequest,com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse>	generateIdTokenCallable() Generates an OpenID Connect ID token for a service account.
IamCredentialsSettings	getSettings()
IamCredentialsStub	getStub()
boolean	isShutdown()
boolean	isTerminated()
void	shutdown()
void	shutdownNow()
com.google.cloud.iam.credentials.v1.SignBlobResponse	signBlob(com.google.cloud.iam.credentials.v1.ServiceAccountName name, List<String> delegates, ByteString payload) Signs a blob using a service account's system-managed private key.
com.google.cloud.iam.credentials.v1.SignBlobResponse	signBlob(com.google.cloud.iam.credentials.v1.SignBlobRequest request) Signs a blob using a service account's system-managed private key.
com.google.cloud.iam.credentials.v1.SignBlobResponse	signBlob(String name, List<String> delegates, ByteString payload) Signs a blob using a service account's system-managed private key.
UnaryCallable<com.google.cloud.iam.credentials.v1.SignBlobRequest,com.google.cloud.iam.credentials.v1.SignBlobResponse>	signBlobCallable() Signs a blob using a service account's system-managed private key.
com.google.cloud.iam.credentials.v1.SignJwtResponse	signJwt(com.google.cloud.iam.credentials.v1.ServiceAccountName name, List<String> delegates, String payload) Signs a JWT using a service account's system-managed private key.
com.google.cloud.iam.credentials.v1.SignJwtResponse	signJwt(com.google.cloud.iam.credentials.v1.SignJwtRequest request) Signs a JWT using a service account's system-managed private key.
com.google.cloud.iam.credentials.v1.SignJwtResponse	signJwt(String name, List<String> delegates, String payload) Signs a JWT using a service account's system-managed private key.
UnaryCallable<com.google.cloud.iam.credentials.v1.SignJwtRequest,com.google.cloud.iam.credentials.v1.SignJwtResponse>	signJwtCallable() Signs a JWT using a service account's system-managed private key.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

IamCredentialsClient

protected IamCredentialsClient(IamCredentialsSettings settings)
                        throws IOException

Constructs an instance of IamCredentialsClient, using the given settings. This is protected so that it is easy to make a subclass, but otherwise, the static factory methods should be preferred.

Throws:

IOException

IamCredentialsClient

@BetaApi(value="A restructuring of stub classes is planned, so this may break in the future")
protected IamCredentialsClient(IamCredentialsStub stub)

Method Detail

create

public static final IamCredentialsClient create()
                                         throws IOException

Constructs an instance of IamCredentialsClient with default settings.

Throws:

IOException

create

public static final IamCredentialsClient create(IamCredentialsSettings settings)
                                         throws IOException

Constructs an instance of IamCredentialsClient, using the given settings. The channels are created based on the settings passed in, or defaults for any settings that are not set.

Throws:

IOException

create

@BetaApi(value="A restructuring of stub classes is planned, so this may break in the future")
public static final IamCredentialsClient create(IamCredentialsStub stub)

Constructs an instance of IamCredentialsClient, using the given stub for making calls. This is for advanced usage - prefer to use IamCredentialsSettings}.

getSettings

public final IamCredentialsSettings getSettings()

getStub

@BetaApi(value="A restructuring of stub classes is planned, so this may break in the future")
public IamCredentialsStub getStub()

generateAccessToken

public final com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse generateAccessToken(com.google.cloud.iam.credentials.v1.ServiceAccountName name,
                                                                                                 List<String> delegates,
                                                                                                 List<String> scope,
                                                                                                 Duration lifetime)

Generates an OAuth 2.0 access token for a service account.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }
 

Parameters:

name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`

scope - Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.

lifetime - The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.

Throws:

ApiException - if the remote call fails

generateAccessToken

public final com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse generateAccessToken(String name,
                                                                                                 List<String> delegates,
                                                                                                 List<String> scope,
                                                                                                 Duration lifetime)

Generates an OAuth 2.0 access token for a service account.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name.toString(), delegates, scope, lifetime);
 }
 

Parameters:

name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`

scope - Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.

lifetime - The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.

Throws:

ApiException - if the remote call fails

generateAccessToken

public final com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse generateAccessToken(com.google.cloud.iam.credentials.v1.GenerateAccessTokenRequest request)

Generates an OAuth 2.0 access token for a service account.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> scope = new ArrayList<>();
   GenerateAccessTokenRequest request = GenerateAccessTokenRequest.newBuilder()
     .setName(name.toString())
     .addAllScope(scope)
     .build();
   GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(request);
 }
 

Parameters:

request - The request object containing all of the parameters for the API call.

Throws:

ApiException - if the remote call fails

generateAccessTokenCallable

public final UnaryCallable<com.google.cloud.iam.credentials.v1.GenerateAccessTokenRequest,com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse> generateAccessTokenCallable()

Generates an OAuth 2.0 access token for a service account.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> scope = new ArrayList<>();
   GenerateAccessTokenRequest request = GenerateAccessTokenRequest.newBuilder()
     .setName(name.toString())
     .addAllScope(scope)
     .build();
   ApiFuture<GenerateAccessTokenResponse> future = iamCredentialsClient.generateAccessTokenCallable().futureCall(request);
   // Do something
   GenerateAccessTokenResponse response = future.get();
 }
 

generateIdToken

public final com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse generateIdToken(com.google.cloud.iam.credentials.v1.ServiceAccountName name,
                                                                                         List<String> delegates,
                                                                                         String audience,
                                                                                         boolean includeEmail)

Generates an OpenID Connect ID token for a service account.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   String audience = "";
   boolean includeEmail = false;
   GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(name, delegates, audience, includeEmail);
 }
 

Parameters:

name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`

audience - The audience for the token, such as the API or account that this token grants access to.

includeEmail - Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.

Throws:

ApiException - if the remote call fails

generateIdToken

public final com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse generateIdToken(String name,
                                                                                         List<String> delegates,
                                                                                         String audience,
                                                                                         boolean includeEmail)

Generates an OpenID Connect ID token for a service account.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   String audience = "";
   boolean includeEmail = false;
   GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(name.toString(), delegates, audience, includeEmail);
 }
 

Parameters:

name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`

audience - The audience for the token, such as the API or account that this token grants access to.

includeEmail - Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.

Throws:

ApiException - if the remote call fails

generateIdToken

public final com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse generateIdToken(com.google.cloud.iam.credentials.v1.GenerateIdTokenRequest request)

Generates an OpenID Connect ID token for a service account.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   String audience = "";
   GenerateIdTokenRequest request = GenerateIdTokenRequest.newBuilder()
     .setName(name.toString())
     .setAudience(audience)
     .build();
   GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(request);
 }
 

Parameters:

request - The request object containing all of the parameters for the API call.

Throws:

ApiException - if the remote call fails

generateIdTokenCallable

public final UnaryCallable<com.google.cloud.iam.credentials.v1.GenerateIdTokenRequest,com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse> generateIdTokenCallable()

Generates an OpenID Connect ID token for a service account.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   String audience = "";
   GenerateIdTokenRequest request = GenerateIdTokenRequest.newBuilder()
     .setName(name.toString())
     .setAudience(audience)
     .build();
   ApiFuture<GenerateIdTokenResponse> future = iamCredentialsClient.generateIdTokenCallable().futureCall(request);
   // Do something
   GenerateIdTokenResponse response = future.get();
 }
 

signBlob

public final com.google.cloud.iam.credentials.v1.SignBlobResponse signBlob(com.google.cloud.iam.credentials.v1.ServiceAccountName name,
                                                                           List<String> delegates,
                                                                           ByteString payload)

Signs a blob using a service account's system-managed private key.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   ByteString payload = ByteString.copyFromUtf8("");
   SignBlobResponse response = iamCredentialsClient.signBlob(name, delegates, payload);
 }
 

Parameters:

name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`

payload - The bytes to sign.

Throws:

ApiException - if the remote call fails

signBlob

public final com.google.cloud.iam.credentials.v1.SignBlobResponse signBlob(String name,
                                                                           List<String> delegates,
                                                                           ByteString payload)

Signs a blob using a service account's system-managed private key.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   ByteString payload = ByteString.copyFromUtf8("");
   SignBlobResponse response = iamCredentialsClient.signBlob(name.toString(), delegates, payload);
 }
 

Parameters:

name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`

payload - The bytes to sign.

Throws:

ApiException - if the remote call fails

signBlob

public final com.google.cloud.iam.credentials.v1.SignBlobResponse signBlob(com.google.cloud.iam.credentials.v1.SignBlobRequest request)

Signs a blob using a service account's system-managed private key.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   ByteString payload = ByteString.copyFromUtf8("");
   SignBlobRequest request = SignBlobRequest.newBuilder()
     .setName(name.toString())
     .setPayload(payload)
     .build();
   SignBlobResponse response = iamCredentialsClient.signBlob(request);
 }
 

Parameters:

request - The request object containing all of the parameters for the API call.

Throws:

ApiException - if the remote call fails

signBlobCallable

public final UnaryCallable<com.google.cloud.iam.credentials.v1.SignBlobRequest,com.google.cloud.iam.credentials.v1.SignBlobResponse> signBlobCallable()

Signs a blob using a service account's system-managed private key.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   ByteString payload = ByteString.copyFromUtf8("");
   SignBlobRequest request = SignBlobRequest.newBuilder()
     .setName(name.toString())
     .setPayload(payload)
     .build();
   ApiFuture<SignBlobResponse> future = iamCredentialsClient.signBlobCallable().futureCall(request);
   // Do something
   SignBlobResponse response = future.get();
 }
 

signJwt

public final com.google.cloud.iam.credentials.v1.SignJwtResponse signJwt(com.google.cloud.iam.credentials.v1.ServiceAccountName name,
                                                                         List<String> delegates,
                                                                         String payload)

Signs a JWT using a service account's system-managed private key.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   String payload = "";
   SignJwtResponse response = iamCredentialsClient.signJwt(name, delegates, payload);
 }
 

Parameters:

name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`

payload - The JWT payload to sign: a JSON object that contains a JWT Claims Set.

Throws:

ApiException - if the remote call fails

signJwt

public final com.google.cloud.iam.credentials.v1.SignJwtResponse signJwt(String name,
                                                                         List<String> delegates,
                                                                         String payload)

Signs a JWT using a service account's system-managed private key.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   String payload = "";
   SignJwtResponse response = iamCredentialsClient.signJwt(name.toString(), delegates, payload);
 }
 

Parameters:

name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`

payload - The JWT payload to sign: a JSON object that contains a JWT Claims Set.

Throws:

ApiException - if the remote call fails

signJwt

public final com.google.cloud.iam.credentials.v1.SignJwtResponse signJwt(com.google.cloud.iam.credentials.v1.SignJwtRequest request)

Signs a JWT using a service account's system-managed private key.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   String payload = "";
   SignJwtRequest request = SignJwtRequest.newBuilder()
     .setName(name.toString())
     .setPayload(payload)
     .build();
   SignJwtResponse response = iamCredentialsClient.signJwt(request);
 }
 

Parameters:

request - The request object containing all of the parameters for the API call.

Throws:

ApiException - if the remote call fails

signJwtCallable

public final UnaryCallable<com.google.cloud.iam.credentials.v1.SignJwtRequest,com.google.cloud.iam.credentials.v1.SignJwtResponse> signJwtCallable()

Signs a JWT using a service account's system-managed private key.

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   String payload = "";
   SignJwtRequest request = SignJwtRequest.newBuilder()
     .setName(name.toString())
     .setPayload(payload)
     .build();
   ApiFuture<SignJwtResponse> future = iamCredentialsClient.signJwtCallable().futureCall(request);
   // Do something
   SignJwtResponse response = future.get();
 }
 

generateIdentityBindingAccessToken

public final com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse generateIdentityBindingAccessToken(com.google.cloud.iam.credentials.v1.ServiceAccountName name,
                                                                                                                               List<String> scope,
                                                                                                                               String jwt)

Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> scope = new ArrayList<>();
   String jwt = "";
   GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(name, scope, jwt);
 }
 

Parameters:

name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.

scope - Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.

jwt - Required. Input token. Must be in JWT format according to RFC7523 (https://tools.ietf.org/html/rfc7523) and must have 'kid' field in the header. Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon). Mandatory payload fields (along the lines of RFC 7523, section 3): - iss: issuer of the token. Must provide a discovery document at $iss/.well-known/openid-configuration . The document needs to be formatted according to section 4.2 of the OpenID Connect Discovery 1.0 specification. - iat: Issue time in seconds since epoch. Must be in the past. - exp: Expiration time in seconds since epoch. Must be less than 48 hours after iat. We recommend to create tokens that last shorter than 6 hours to improve security unless business reasons mandate longer expiration times. Shorter token lifetimes are generally more secure since tokens that have been exfiltrated by attackers can be used for a shorter time. you can configure the maximum lifetime of the incoming token in the configuration of the mapper. The resulting Google token will expire within an hour or at "exp", whichever is earlier. - sub: JWT subject, identity asserted in the JWT. - aud: Configured in the mapper policy. By default the service account email.

Claims from the incoming token can be transferred into the output token accoding to the mapper configuration. The outgoing claim size is limited. Outgoing claims size must be less than 4kB serialized as JSON without whitespace.

Example header: { "alg": "RS256", "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8" } Example payload: { "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "https://iamcredentials.googleapis.com/", "sub": "113475438248934895348", "my_claims": { "additional_claim": "value" } }

Throws:

ApiException - if the remote call fails

generateIdentityBindingAccessToken

public final com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse generateIdentityBindingAccessToken(String name,
                                                                                                                               List<String> scope,
                                                                                                                               String jwt)

Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> scope = new ArrayList<>();
   String jwt = "";
   GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(name.toString(), scope, jwt);
 }
 

Parameters:

name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.

scope - Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.

jwt - Required. Input token. Must be in JWT format according to RFC7523 (https://tools.ietf.org/html/rfc7523) and must have 'kid' field in the header. Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon). Mandatory payload fields (along the lines of RFC 7523, section 3): - iss: issuer of the token. Must provide a discovery document at $iss/.well-known/openid-configuration . The document needs to be formatted according to section 4.2 of the OpenID Connect Discovery 1.0 specification. - iat: Issue time in seconds since epoch. Must be in the past. - exp: Expiration time in seconds since epoch. Must be less than 48 hours after iat. We recommend to create tokens that last shorter than 6 hours to improve security unless business reasons mandate longer expiration times. Shorter token lifetimes are generally more secure since tokens that have been exfiltrated by attackers can be used for a shorter time. you can configure the maximum lifetime of the incoming token in the configuration of the mapper. The resulting Google token will expire within an hour or at "exp", whichever is earlier. - sub: JWT subject, identity asserted in the JWT. - aud: Configured in the mapper policy. By default the service account email.

Claims from the incoming token can be transferred into the output token accoding to the mapper configuration. The outgoing claim size is limited. Outgoing claims size must be less than 4kB serialized as JSON without whitespace.

Example header: { "alg": "RS256", "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8" } Example payload: { "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "https://iamcredentials.googleapis.com/", "sub": "113475438248934895348", "my_claims": { "additional_claim": "value" } }

Throws:

ApiException - if the remote call fails

generateIdentityBindingAccessToken

public final com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse generateIdentityBindingAccessToken(com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest request)

Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> scope = new ArrayList<>();
   String jwt = "";
   GenerateIdentityBindingAccessTokenRequest request = GenerateIdentityBindingAccessTokenRequest.newBuilder()
     .setName(name.toString())
     .addAllScope(scope)
     .setJwt(jwt)
     .build();
   GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(request);
 }
 

Parameters:

request - The request object containing all of the parameters for the API call.

Throws:

ApiException - if the remote call fails

generateIdentityBindingAccessTokenCallable

public final UnaryCallable<com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest,com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse> generateIdentityBindingAccessTokenCallable()

Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token

Sample code:

 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> scope = new ArrayList<>();
   String jwt = "";
   GenerateIdentityBindingAccessTokenRequest request = GenerateIdentityBindingAccessTokenRequest.newBuilder()
     .setName(name.toString())
     .addAllScope(scope)
     .setJwt(jwt)
     .build();
   ApiFuture<GenerateIdentityBindingAccessTokenResponse> future = iamCredentialsClient.generateIdentityBindingAccessTokenCallable().futureCall(request);
   // Do something
   GenerateIdentityBindingAccessTokenResponse response = future.get();
 }
 

close

public final void close()

Specified by:

close in interface AutoCloseable

shutdown

public void shutdown()

Specified by:

shutdown in interface BackgroundResource

isShutdown

public boolean isShutdown()

Specified by:

isShutdown in interface BackgroundResource

isTerminated

public boolean isTerminated()

Specified by:

isTerminated in interface BackgroundResource

shutdownNow

public void shutdownNow()

Specified by:

shutdownNow in interface BackgroundResource

awaitTermination

public boolean awaitTermination(long duration,
                                TimeUnit unit)
                         throws InterruptedException

Specified by:

awaitTermination in interface BackgroundResource

Throws:

InterruptedException