@Generated(value="by gapic-generator") @BetaApi public class IamCredentialsClient extends Object implements com.google.api.gax.core.BackgroundResource
Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.
This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> delegates = new ArrayList<>();
List<String> scope = new ArrayList<>();
Duration lifetime = Duration.newBuilder().build();
GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
}
Note: close() needs to be called on the iamCredentialsClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().
The surface of this class includes several types of Java methods for each of the API's methods:
1. A "flattened" method. With this type of method, the fields of the request type have been converted into function parameters. It may be the case that not all fields are available as parameters, and not every API method will have a flattened method entry.
2. A "request object" method. This type of method only takes one parameter, a request object, which must be constructed before the call. Not every API method will have a request object method.
3. A "callable" method. This type of method takes no parameters and returns an immutable API callable object, which can be used to initiate calls to the service.
See the individual methods for example code.
Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.
This class can be customized by passing in a custom instance of IamCredentialsSettings to create(). For example:
To customize credentials:
IamCredentialsSettings iamCredentialsSettings =
IamCredentialsSettings.newBuilder()
.setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
.build();
IamCredentialsClient iamCredentialsClient =
IamCredentialsClient.create(iamCredentialsSettings);
To customize the endpoint:
IamCredentialsSettings iamCredentialsSettings =
IamCredentialsSettings.newBuilder().setEndpoint(myEndpoint).build();
IamCredentialsClient iamCredentialsClient =
IamCredentialsClient.create(iamCredentialsSettings);
Modifier | Constructor and Description |
---|---|
protected | IamCredentialsClient(IamCredentialsSettings settings) Constructs an instance of IamCredentialsClient, using the given settings. |
protected | IamCredentialsClient(IamCredentialsStub stub) Constructs an instance of IamCredentialsClient, using the given stub for making calls. |
Modifier and Type | Method and Description |
---|---|
boolean | awaitTermination(long duration, TimeUnit unit) |
void | close() |
static IamCredentialsClient | create() Constructs an instance of IamCredentialsClient with default settings. |
static IamCredentialsClient | create(IamCredentialsSettings settings) Constructs an instance of IamCredentialsClient, using the given settings. |
static IamCredentialsClient | create(IamCredentialsStub stub) Constructs an instance of IamCredentialsClient, using the given stub for making calls. |
GenerateAccessTokenResponse | generateAccessToken(GenerateAccessTokenRequest request) Generates an OAuth 2.0 access token for a service account. |
GenerateAccessTokenResponse | generateAccessToken(ServiceAccountName name, List<String> delegates, List<String> scope, Duration lifetime) Generates an OAuth 2.0 access token for a service account. |
GenerateAccessTokenResponse | generateAccessToken(String name, List<String> delegates, List<String> scope, Duration lifetime) Generates an OAuth 2.0 access token for a service account. |
com.google.api.gax.rpc.UnaryCallable<GenerateAccessTokenRequest,GenerateAccessTokenResponse> | generateAccessTokenCallable() Generates an OAuth 2.0 access token for a service account. |
GenerateIdentityBindingAccessTokenResponse | generateIdentityBindingAccessToken(GenerateIdentityBindingAccessTokenRequest request) Exchanges a JWT signed by a third-party identity provider for an OAuth 2.0 access token. |
GenerateIdentityBindingAccessTokenResponse | generateIdentityBindingAccessToken(ServiceAccountName name, List<String> scope, String jwt) Exchanges a JWT signed by a third-party identity provider for an OAuth 2.0 access token. |
GenerateIdentityBindingAccessTokenResponse | generateIdentityBindingAccessToken(String name, List<String> scope, String jwt) Exchanges a JWT signed by a third-party identity provider for an OAuth 2.0 access token. |
com.google.api.gax.rpc.UnaryCallable<GenerateIdentityBindingAccessTokenRequest,GenerateIdentityBindingAccessTokenResponse> | generateIdentityBindingAccessTokenCallable() Exchanges a JWT signed by a third-party identity provider for an OAuth 2.0 access token. |
GenerateIdTokenResponse | generateIdToken(GenerateIdTokenRequest request) Generates an OpenID Connect ID token for a service account. |
GenerateIdTokenResponse | generateIdToken(ServiceAccountName name, List<String> delegates, String audience, boolean includeEmail) Generates an OpenID Connect ID token for a service account. |
GenerateIdTokenResponse | generateIdToken(String name, List<String> delegates, String audience, boolean includeEmail) Generates an OpenID Connect ID token for a service account. |
com.google.api.gax.rpc.UnaryCallable<GenerateIdTokenRequest,GenerateIdTokenResponse> | generateIdTokenCallable() Generates an OpenID Connect ID token for a service account. |
IamCredentialsSettings | getSettings() |
IamCredentialsStub | getStub() |
boolean | isShutdown() |
boolean | isTerminated() |
void | shutdown() |
void | shutdownNow() |
SignBlobResponse | signBlob(ServiceAccountName name, List<String> delegates, ByteString payload) Signs a blob using a service account's system-managed private key. |
SignBlobResponse | signBlob(SignBlobRequest request) Signs a blob using a service account's system-managed private key. |
SignBlobResponse | signBlob(String name, List<String> delegates, ByteString payload) Signs a blob using a service account's system-managed private key. |
com.google.api.gax.rpc.UnaryCallable<SignBlobRequest,SignBlobResponse> | signBlobCallable() Signs a blob using a service account's system-managed private key. |
SignJwtResponse | signJwt(ServiceAccountName name, List<String> delegates, String payload) Signs a JWT using a service account's system-managed private key. |
SignJwtResponse | signJwt(SignJwtRequest request) Signs a JWT using a service account's system-managed private key. |
SignJwtResponse | signJwt(String name, List<String> delegates, String payload) Signs a JWT using a service account's system-managed private key. |
com.google.api.gax.rpc.UnaryCallable<SignJwtRequest,SignJwtResponse> | signJwtCallable() Signs a JWT using a service account's system-managed private key. |
protected IamCredentialsClient(IamCredentialsSettings settings) throws IOException
Constructs an instance of IamCredentialsClient, using the given settings.
Throws: IOException
@BetaApi(value="A restructuring of stub classes is planned, so this may break in the future") protected IamCredentialsClient(IamCredentialsStub stub)
Constructs an instance of IamCredentialsClient, using the given stub for making calls.
public static final IamCredentialsClient create() throws IOException
Constructs an instance of IamCredentialsClient with default settings.
Throws: IOException
public static final IamCredentialsClient create(IamCredentialsSettings settings) throws IOException
Constructs an instance of IamCredentialsClient, using the given settings.
Throws: IOException
@BetaApi(value="A restructuring of stub classes is planned, so this may break in the future") public static final IamCredentialsClient create(IamCredentialsStub stub)
Constructs an instance of IamCredentialsClient, using the given stub for making calls.
public final IamCredentialsSettings getSettings()
@BetaApi(value="A restructuring of stub classes is planned, so this may break in the future") public IamCredentialsStub getStub()
public final GenerateAccessTokenResponse generateAccessToken(ServiceAccountName name, List<String> delegates, List<String> scope, Duration lifetime)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> delegates = new ArrayList<>();
List<String> scope = new ArrayList<>();
Duration lifetime = Duration.newBuilder().build();
GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
}
Parameters:
name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
scope - Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
lifetime - The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final GenerateAccessTokenResponse generateAccessToken(String name, List<String> delegates, List<String> scope, Duration lifetime)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> delegates = new ArrayList<>();
List<String> scope = new ArrayList<>();
Duration lifetime = Duration.newBuilder().build();
GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name.toString(), delegates, scope, lifetime);
}
Parameters:
name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
scope - Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
lifetime - The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final GenerateAccessTokenResponse generateAccessToken(GenerateAccessTokenRequest request)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> scope = new ArrayList<>();
GenerateAccessTokenRequest request = GenerateAccessTokenRequest.newBuilder()
.setName(name.toString())
.addAllScope(scope)
.build();
GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(request);
}
Parameters:
request - The request object containing all of the parameters for the API call.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final com.google.api.gax.rpc.UnaryCallable<GenerateAccessTokenRequest,GenerateAccessTokenResponse> generateAccessTokenCallable()
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> scope = new ArrayList<>();
GenerateAccessTokenRequest request = GenerateAccessTokenRequest.newBuilder()
.setName(name.toString())
.addAllScope(scope)
.build();
ApiFuture<GenerateAccessTokenResponse> future = iamCredentialsClient.generateAccessTokenCallable().futureCall(request);
// Do something
GenerateAccessTokenResponse response = future.get();
}
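The generated samples above pass an empty scope list and a zero-length lifetime, which is enough to show the call shape but not how the method is used in practice. The following is an added example (not part of the generated client or its samples) that covers both the class overview and the generateAccessToken methods: the caller, holding `roles/iam.serviceAccountTokenCreator` on an intermediate account, mints a token for a target account through a one-hop delegation chain with a single narrow scope and a 10-minute lifetime, then wraps the result so another Google Cloud client can use it. The project, the two service account emails, the scope, the lifetime and the use of `AccessToken`/`OAuth2Credentials` from google-auth-library are assumptions for illustration.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.OAuth2Credentials;
import com.google.cloud.iam.credentials.v1.GenerateAccessTokenRequest;
import com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse;
import com.google.cloud.iam.credentials.v1.IamCredentialsClient;
import com.google.cloud.iam.credentials.v1.ServiceAccountName;
import com.google.protobuf.Duration;
import com.google.protobuf.Timestamp;
import java.io.IOException;
import java.util.Collections;
import java.util.Date;

public class ShortLivedImpersonation {

  // Assumed identifiers for illustration only.
  private static final String TARGET_SA = "deploy-bot@my-project.iam.gserviceaccount.com";
  private static final String DELEGATE_SA = "ci-runner@my-project.iam.gserviceaccount.com";
  // 10 minutes: well under the 3600-second cap, long enough for one job.
  private static final long LIFETIME_SECONDS = 600;

  /** Mints a scoped, short-lived access token for TARGET_SA via DELEGATE_SA. */
  public static OAuth2Credentials impersonate() throws IOException {
    try (IamCredentialsClient client = IamCredentialsClient.create()) {
      GenerateAccessTokenRequest request =
          GenerateAccessTokenRequest.newBuilder()
              // "-" is the project wildcard; the account is identified by its email.
              .setName(ServiceAccountName.of("-", TARGET_SA).toString())
              // Chain: caller -> DELEGATE_SA -> TARGET_SA. The caller needs
              // serviceAccountTokenCreator on DELEGATE_SA, which needs it on TARGET_SA.
              .addDelegates(ServiceAccountName.of("-", DELEGATE_SA).toString())
              // Request only the scope the job needs rather than cloud-platform.
              .addAllScope(Collections.singletonList(
                  "https://www.googleapis.com/auth/devstorage.read_only"))
              .setLifetime(Duration.newBuilder().setSeconds(LIFETIME_SECONDS).build())
              .build();

      GenerateAccessTokenResponse response = client.generateAccessToken(request);

      // Keep the bearer token and its server-side expiry together so downstream
      // clients stop using it at expiry instead of failing on a 401 later.
      Timestamp expiry = response.getExpireTime();
      Date expiresAt = new Date(expiry.getSeconds() * 1000L + expiry.getNanos() / 1_000_000L);
      return OAuth2Credentials.create(new AccessToken(response.getAccessToken(), expiresAt));
    }
  }

  public static void main(String[] args) throws IOException {
    OAuth2Credentials creds = impersonate();
    // Never log the token value itself; log who was impersonated and until when.
    System.out.println("Impersonating " + TARGET_SA + " until "
        + creds.getAccessToken().getExpirationTime());
  }
}
```

The returned `OAuth2Credentials` can be handed to any client builder that accepts a `CredentialsProvider` (for example via `FixedCredentialsProvider.create(creds)`, as in the "To customize credentials" snippet above). Because the token is not refreshable, a process that outlives the lifetime must call `impersonate()` again; google-auth-library's `ImpersonatedCredentials` wraps this same API call with automatic refresh for that case.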
public final GenerateIdTokenResponse generateIdToken(ServiceAccountName name, List<String> delegates, String audience, boolean includeEmail)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> delegates = new ArrayList<>();
String audience = "";
boolean includeEmail = false;
GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(name, delegates, audience, includeEmail);
}
Parameters:
name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
audience - The audience for the token, such as the API or account that this token grants access to.
includeEmail - Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final GenerateIdTokenResponse generateIdToken(String name, List<String> delegates, String audience, boolean includeEmail)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> delegates = new ArrayList<>();
String audience = "";
boolean includeEmail = false;
GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(name.toString(), delegates, audience, includeEmail);
}
Parameters:
name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
audience - The audience for the token, such as the API or account that this token grants access to.
includeEmail - Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final GenerateIdTokenResponse generateIdToken(GenerateIdTokenRequest request)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
String audience = "";
GenerateIdTokenRequest request = GenerateIdTokenRequest.newBuilder()
.setName(name.toString())
.setAudience(audience)
.build();
GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(request);
}
Parameters:
request - The request object containing all of the parameters for the API call.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final com.google.api.gax.rpc.UnaryCallable<GenerateIdTokenRequest,GenerateIdTokenResponse> generateIdTokenCallable()
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
String audience = "";
GenerateIdTokenRequest request = GenerateIdTokenRequest.newBuilder()
.setName(name.toString())
.setAudience(audience)
.build();
ApiFuture<GenerateIdTokenResponse> future = iamCredentialsClient.generateIdTokenCallable().futureCall(request);
// Do something
GenerateIdTokenResponse response = future.get();
}
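An ID token is only as safe as the check on the receiving side: the `audience` set here is what lets the recipient reject tokens minted for some other service, and `includeEmail` is what lets it authorize by identity. The following added example (not code from the generated client) shows both halves of that exchange: the caller mints a token for one specific audience, and the receiving service verifies signature, issuer, expiry and audience before trusting the `email` claim. The service account email, the audience URL and the use of google-auth-library's `TokenVerifier` are assumptions for illustration.

```java
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.auth.oauth2.TokenVerifier;
import com.google.cloud.iam.credentials.v1.GenerateIdTokenRequest;
import com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse;
import com.google.cloud.iam.credentials.v1.IamCredentialsClient;
import com.google.cloud.iam.credentials.v1.ServiceAccountName;
import java.io.IOException;

public class IdTokenRoundTrip {

  // Assumed values for illustration.
  private static final String CALLER_SA = "frontend@my-project.iam.gserviceaccount.com";
  private static final String AUDIENCE = "https://orders-service.example.com";

  /** Caller side: mint an ID token whose aud names the one service it is meant for. */
  public static String mintIdToken() throws IOException {
    try (IamCredentialsClient client = IamCredentialsClient.create()) {
      GenerateIdTokenRequest request =
          GenerateIdTokenRequest.newBuilder()
              .setName(ServiceAccountName.of("-", CALLER_SA).toString())
              // The receiver must compare aud against this exact value.
              .setAudience(AUDIENCE)
              // Adds email and email_verified so the receiver can authorize by identity.
              .setIncludeEmail(true)
              .build();
      GenerateIdTokenResponse response = client.generateIdToken(request);
      return response.getToken();
    }
  }

  /** Receiver side: accept the token only if Google signed it and aud matches this service. */
  public static String verifyAndGetEmail(String idToken)
      throws TokenVerifier.VerificationException {
    TokenVerifier verifier =
        TokenVerifier.newBuilder()
            .setAudience(AUDIENCE)
            .setIssuer("https://accounts.google.com")
            .build();
    // verify() fetches Google's public keys and checks signature, exp, iss and aud.
    JsonWebSignature jws = verifier.verify(idToken);
    // Without includeEmail=true the claim is absent; with it, also insist on email_verified.
    Object emailVerified = jws.getPayload().get("email_verified");
    if (!Boolean.TRUE.equals(emailVerified)) {
      throw new TokenVerifier.VerificationException("email claim is absent or not verified");
    }
    return (String) jws.getPayload().get("email");
  }

  public static void main(String[] args) throws Exception {
    String token = mintIdToken();
    // In a real deployment the token travels as "Authorization: Bearer <token>".
    System.out.println("Authenticated caller: " + verifyAndGetEmail(token));
  }
}
```

A token with an empty audience, as in the generated samples, will still be issued, but the receiver then has nothing to pin it to; treat a missing or mismatched `aud` as a hard failure, not a warning.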
public final SignBlobResponse signBlob(ServiceAccountName name, List<String> delegates, ByteString payload)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> delegates = new ArrayList<>();
ByteString payload = ByteString.copyFromUtf8("");
SignBlobResponse response = iamCredentialsClient.signBlob(name, delegates, payload);
}
Parameters:
name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
payload - The bytes to sign.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final SignBlobResponse signBlob(String name, List<String> delegates, ByteString payload)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> delegates = new ArrayList<>();
ByteString payload = ByteString.copyFromUtf8("");
SignBlobResponse response = iamCredentialsClient.signBlob(name.toString(), delegates, payload);
}
Parameters:
name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
payload - The bytes to sign.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final SignBlobResponse signBlob(SignBlobRequest request)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
ByteString payload = ByteString.copyFromUtf8("");
SignBlobRequest request = SignBlobRequest.newBuilder()
.setName(name.toString())
.setPayload(payload)
.build();
SignBlobResponse response = iamCredentialsClient.signBlob(request);
}
Parameters:
request - The request object containing all of the parameters for the API call.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final com.google.api.gax.rpc.UnaryCallable<SignBlobRequest,SignBlobResponse> signBlobCallable()
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
ByteString payload = ByteString.copyFromUtf8("");
SignBlobRequest request = SignBlobRequest.newBuilder()
.setName(name.toString())
.setPayload(payload)
.build();
ApiFuture<SignBlobResponse> future = iamCredentialsClient.signBlobCallable().futureCall(request);
// Do something
SignBlobResponse response = future.get();
}
public final SignJwtResponse signJwt(ServiceAccountName name, List<String> delegates, String payload)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> delegates = new ArrayList<>();
String payload = "";
SignJwtResponse response = iamCredentialsClient.signJwt(name, delegates, payload);
}
Parameters:
name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
payload - The JWT payload to sign: a JSON object that contains a JWT Claims Set.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final SignJwtResponse signJwt(String name, List<String> delegates, String payload)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> delegates = new ArrayList<>();
String payload = "";
SignJwtResponse response = iamCredentialsClient.signJwt(name.toString(), delegates, payload);
}
Parameters:
name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
payload - The JWT payload to sign: a JSON object that contains a JWT Claims Set.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final SignJwtResponse signJwt(SignJwtRequest request)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
String payload = "";
SignJwtRequest request = SignJwtRequest.newBuilder()
.setName(name.toString())
.setPayload(payload)
.build();
SignJwtResponse response = iamCredentialsClient.signJwt(request);
}
Parameters:
request - The request object containing all of the parameters for the API call.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final com.google.api.gax.rpc.UnaryCallable<SignJwtRequest,SignJwtResponse> signJwtCallable()
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
String payload = "";
SignJwtRequest request = SignJwtRequest.newBuilder()
.setName(name.toString())
.setPayload(payload)
.build();
ApiFuture<SignJwtResponse> future = iamCredentialsClient.signJwtCallable().futureCall(request);
// Do something
SignJwtResponse response = future.get();
}
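Both signBlob and signJwt return a `keyId` alongside the signature, and a practitioner's first question is how a relying party checks that signature without ever seeing the private key. The following added example (not code from the generated client) serves both the signBlob and the signJwt methods above: it signs a short-lived claims set and a raw byte payload with the service account's system-managed key, then verifies each result with the public certificate published for that `keyId`. The signer's email, the five-minute expiry, the Gson calls, and the assumption that the certificate endpoint `https://www.googleapis.com/service_accounts/v1/metadata/x509/{email}` returns a JSON object mapping key id to PEM certificate are all illustrative assumptions, as is the assumption that both methods produce RSA-SHA256 signatures.

```java
import com.google.cloud.iam.credentials.v1.IamCredentialsClient;
import com.google.cloud.iam.credentials.v1.ServiceAccountName;
import com.google.cloud.iam.credentials.v1.SignBlobResponse;
import com.google.cloud.iam.credentials.v1.SignJwtResponse;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.google.protobuf.ByteString;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;

public class ServiceAccountSigning {

  private static final String SIGNER_SA = "issuer@my-project.iam.gserviceaccount.com"; // assumed
  // Assumed endpoint/format: JSON object of {keyId: PEM certificate} for the account.
  private static final String X509_METADATA =
      "https://www.googleapis.com/service_accounts/v1/metadata/x509/" + SIGNER_SA;
  private static final String NAME = ServiceAccountName.of("-", SIGNER_SA).toString();

  /** signJwt: the claims carry the expiry; the signature itself has no lifetime. */
  public static SignJwtResponse signClaims(IamCredentialsClient client, String audience) {
    long now = Instant.now().getEpochSecond();
    String claims = "{\"iss\":\"" + SIGNER_SA + "\",\"sub\":\"" + SIGNER_SA + "\",\"aud\":\""
        + audience + "\",\"iat\":" + now + ",\"exp\":" + (now + 300) + "}"; // five minutes
    return client.signJwt(NAME, Collections.<String>emptyList(), claims);
  }

  /** signBlob: raw bytes, e.g. the string-to-sign of a Cloud Storage signed URL. */
  public static SignBlobResponse signBytes(IamCredentialsClient client, byte[] payload) {
    return client.signBlob(NAME, Collections.<String>emptyList(), ByteString.copyFrom(payload));
  }

  /** Resolves keyId to the published public key; an unknown id is an error, never a fallback. */
  static PublicKey publicKeyFor(String keyId) throws IOException, GeneralSecurityException {
    JsonObject certs;
    try (InputStreamReader reader =
        new InputStreamReader(new URL(X509_METADATA).openStream(), StandardCharsets.UTF_8)) {
      certs = JsonParser.parseReader(reader).getAsJsonObject();
    }
    if (!certs.has(keyId)) {
      throw new GeneralSecurityException("no published certificate for kid " + keyId);
    }
    byte[] pem = certs.get(keyId).getAsString().getBytes(StandardCharsets.UTF_8);
    X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
        .generateCertificate(new ByteArrayInputStream(pem));
    return cert.getPublicKey();
  }

  /** Shared RSA-SHA256 check; the two methods differ only in what the signed input is. */
  static boolean rsaSha256Verify(PublicKey key, byte[] data, byte[] signature)
      throws GeneralSecurityException {
    Signature sig = Signature.getInstance("SHA256withRSA");
    sig.initVerify(key);
    sig.update(data);
    return sig.verify(signature);
  }

  public static boolean verifyJwt(SignJwtResponse r) throws IOException, GeneralSecurityException {
    String[] parts = r.getSignedJwt().split("\\.");
    if (parts.length != 3) return false;
    byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
    return rsaSha256Verify(publicKeyFor(r.getKeyId()), signingInput,
        Base64.getUrlDecoder().decode(parts[2]));
  }

  public static boolean verifyBlob(SignBlobResponse r, byte[] originalPayload)
      throws IOException, GeneralSecurityException {
    return rsaSha256Verify(publicKeyFor(r.getKeyId()), originalPayload,
        r.getSignedBlob().toByteArray());
  }

  public static void main(String[] args) throws Exception {
    try (IamCredentialsClient client = IamCredentialsClient.create()) {
      SignJwtResponse jwt = signClaims(client, "https://api.example.com"); // assumed audience
      byte[] blob = "constructed payload".getBytes(StandardCharsets.UTF_8); // constructed input
      SignBlobResponse sb = signBytes(client, blob);
      System.out.println("jwt signature valid: " + verifyJwt(jwt) + " (kid " + jwt.getKeyId() + ")");
      System.out.println("blob signature valid: " + verifyBlob(sb, blob));
    }
  }
}
```

Two points the code makes explicit: the verifier selects the certificate by the `keyId` the API returned and refuses anything else, so a rotated or unknown key cannot be silently accepted; and because the system-managed key is long-lived, the `exp` inside a signJwt claims set is the only thing bounding how long a captured token stays useful, which is why it is set to minutes rather than hours.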
public final GenerateIdentityBindingAccessTokenResponse generateIdentityBindingAccessToken(ServiceAccountName name, List<String> scope, String jwt)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> scope = new ArrayList<>();
String jwt = "";
GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(name, scope, jwt);
}
Parameters:
name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
scope - Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
jwt - Required. Input token. Must be in JWT format according to RFC 7523 (https://tools.ietf.org/html/rfc7523) and must have a 'kid' field in the header. Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon). Mandatory payload fields (along the lines of RFC 7523, section 3):
- iss: issuer of the token. Must provide a discovery document at $iss/.well-known/openid-configuration. The document needs to be formatted according to section 4.2 of the OpenID Connect Discovery 1.0 specification.
- iat: issue time in seconds since epoch. Must be in the past.
- exp: expiration time in seconds since epoch. Must be less than 48 hours after iat. We recommend creating tokens that last shorter than 6 hours to improve security unless business reasons mandate longer expiration times. Shorter token lifetimes are generally more secure since tokens that have been exfiltrated by attackers can be used for a shorter time. You can configure the maximum lifetime of the incoming token in the configuration of the mapper. The resulting Google token will expire within an hour or at "exp", whichever is earlier.
- sub: JWT subject, identity asserted in the JWT.
- aud: configured in the mapper policy. By default the service account email.
Claims from the incoming token can be transferred into the output token according to the mapper configuration. The outgoing claim size is limited. Outgoing claims size must be less than 4kB serialized as JSON without whitespace.
Example header: { "alg": "RS256", "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8" }
Example payload: { "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "https://iamcredentials.googleapis.com/", "sub": "113475438248934895348", "my_claims": { "additional_claim": "value" } }
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final GenerateIdentityBindingAccessTokenResponse generateIdentityBindingAccessToken(String name, List<String> scope, String jwt)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> scope = new ArrayList<>();
String jwt = "";
GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(name.toString(), scope, jwt);
}
Parameters:
name - The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
scope - Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
jwt - Required. Input token. Must be in JWT format according to RFC 7523 (https://tools.ietf.org/html/rfc7523) and must have a 'kid' field in the header. Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon). Mandatory payload fields (along the lines of RFC 7523, section 3):
- iss: issuer of the token. Must provide a discovery document at $iss/.well-known/openid-configuration. The document needs to be formatted according to section 4.2 of the OpenID Connect Discovery 1.0 specification.
- iat: issue time in seconds since epoch. Must be in the past.
- exp: expiration time in seconds since epoch. Must be less than 48 hours after iat. We recommend creating tokens that last shorter than 6 hours to improve security unless business reasons mandate longer expiration times. Shorter token lifetimes are generally more secure since tokens that have been exfiltrated by attackers can be used for a shorter time. You can configure the maximum lifetime of the incoming token in the configuration of the mapper. The resulting Google token will expire within an hour or at "exp", whichever is earlier.
- sub: JWT subject, identity asserted in the JWT.
- aud: configured in the mapper policy. By default the service account email.
Claims from the incoming token can be transferred into the output token according to the mapper configuration. The outgoing claim size is limited. Outgoing claims size must be less than 4kB serialized as JSON without whitespace.
Example header: { "alg": "RS256", "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8" }
Example payload: { "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "https://iamcredentials.googleapis.com/", "sub": "113475438248934895348", "my_claims": { "additional_claim": "value" } }
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final GenerateIdentityBindingAccessTokenResponse generateIdentityBindingAccessToken(GenerateIdentityBindingAccessTokenRequest request)
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> scope = new ArrayList<>();
String jwt = "";
GenerateIdentityBindingAccessTokenRequest request = GenerateIdentityBindingAccessTokenRequest.newBuilder()
.setName(name.toString())
.addAllScope(scope)
.setJwt(jwt)
.build();
GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(request);
}
Parameters:
request - The request object containing all of the parameters for the API call.
Throws:
com.google.api.gax.rpc.ApiException - if the remote call fails
public final com.google.api.gax.rpc.UnaryCallable<GenerateIdentityBindingAccessTokenRequest,GenerateIdentityBindingAccessTokenResponse> generateIdentityBindingAccessTokenCallable()
Sample code:
try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List<String> scope = new ArrayList<>();
String jwt = "";
GenerateIdentityBindingAccessTokenRequest request = GenerateIdentityBindingAccessTokenRequest.newBuilder()
.setName(name.toString())
.addAllScope(scope)
.setJwt(jwt)
.build();
ApiFuture<GenerateIdentityBindingAccessTokenResponse> future = iamCredentialsClient.generateIdentityBindingAccessTokenCallable().futureCall(request);
// Do something
GenerateIdentityBindingAccessTokenResponse response = future.get();
}
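The `jwt` parameter documentation above lists a set of structural requirements (RS256, a `kid` header, `iss`/`sub`/`aud`, an `iat` in the past, an `exp` less than 48 hours after `iat`, and a recommended lifetime under 6 hours) that can all be checked locally before a token is sent for exchange. The following added example (not code from the generated client or the API) does exactly that: a constructed stand-in for a third-party identity provider mints an RS256 token with a freshly generated key, a `preflight` check enforces the documented constraints, and only a token that passes is handed to generateIdentityBindingAccessToken. The in-memory RSA key, the issuer URL, the subject, the target service account, the scope, and the Gson calls are assumptions for illustration; a real exchange additionally requires the issuer to publish a discovery document and the account to have a matching mapper configuration, which this example cannot stand in for.

```java
import com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse;
import com.google.cloud.iam.credentials.v1.IamCredentialsClient;
import com.google.cloud.iam.credentials.v1.ServiceAccountName;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;

public class IdentityBindingPreflight {

  private static final long MAX_RECOMMENDED_LIFETIME = 6 * 3600;  // recommendation above
  private static final long MAX_ALLOWED_LIFETIME = 48 * 3600;     // hard limit above

  /** Constructed stand-in for a third-party IdP: an RS256 JWT with the mandatory claims. */
  public static String mintIdpToken(KeyPair idpKey, String kid, String iss, String sub,
      String aud, long lifetimeSeconds) throws Exception {
    long iat = Instant.now().getEpochSecond();
    String header = "{\"alg\":\"RS256\",\"kid\":\"" + kid + "\"}";
    String payload = "{\"iss\":\"" + iss + "\",\"sub\":\"" + sub + "\",\"aud\":\"" + aud
        + "\",\"iat\":" + iat + ",\"exp\":" + (iat + lifetimeSeconds) + "}";
    Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
    String signingInput = b64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
        + b64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
    Signature sig = Signature.getInstance("SHA256withRSA");
    sig.initSign(idpKey.getPrivate());
    sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
    return signingInput + "." + b64.encodeToString(sig.sign());
  }

  /**
   * Rejects tokens the API is documented to refuse before spending a network call on them.
   * Returns null when the token is acceptable, otherwise the reason it is not.
   */
  public static String preflight(String jwt) {
    String[] parts = jwt.split("\\.");
    if (parts.length != 3) return "not a compact JWS";
    JsonObject header = decode(parts[0]);
    JsonObject claims = decode(parts[1]);
    if (!"RS256".equals(str(header, "alg"))) return "unsupported alg (only RS256 is listed)";
    if (str(header, "kid") == null) return "header lacks kid";
    for (String required : new String[] {"iss", "sub", "aud"}) {
      if (str(claims, required) == null) return "missing claim " + required;
    }
    if (!claims.has("iat") || !claims.has("exp")) return "missing iat or exp";
    long iat = claims.get("iat").getAsLong();
    long exp = claims.get("exp").getAsLong();
    long now = Instant.now().getEpochSecond();
    if (iat > now) return "iat is in the future";
    if (exp <= now) return "token already expired";
    if (exp - iat >= MAX_ALLOWED_LIFETIME) return "exp must be less than 48 hours after iat";
    if (exp - iat > MAX_RECOMMENDED_LIFETIME) {
      System.err.println("warning: token lifetime exceeds the recommended 6 hours");
    }
    return null;
  }

  private static JsonObject decode(String segment) {
    byte[] raw = Base64.getUrlDecoder().decode(segment);
    return JsonParser.parseString(new String(raw, StandardCharsets.UTF_8)).getAsJsonObject();
  }

  private static String str(JsonObject obj, String key) {
    return obj.has(key) && obj.get(key).isJsonPrimitive() ? obj.get(key).getAsString() : null;
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair idpKey = gen.generateKeyPair();  // stand-in for the IdP's signing key (constructed)
    String targetSa = "workload@my-project.iam.gserviceaccount.com";  // assumed
    String jwt = mintIdpToken(idpKey, "idp-key-2019-01", "https://idp.example.com",
        "user-42", targetSa, 3600);  // one hour, inside the recommended window
    String problem = preflight(jwt);
    if (problem != null) {
      throw new IllegalArgumentException("refusing to exchange token: " + problem);
    }
    try (IamCredentialsClient client = IamCredentialsClient.create()) {
      GenerateIdentityBindingAccessTokenResponse response =
          client.generateIdentityBindingAccessToken(
              ServiceAccountName.of("-", targetSa).toString(),
              Collections.singletonList("https://www.googleapis.com/auth/devstorage.read_only"),
              jwt);
      System.out.println("Google token expires at " + response.getExpireTime().getSeconds());
    }
  }
}
```

The preflight deliberately does not verify the IdP signature: the exchange service does that against the keys advertised through the issuer's discovery document, and the caller generally cannot. What the caller can do is refuse to forward anything that the documented constraints would reject anyway, and keep its own requested lifetime well under the 6-hour recommendation so a leaked input token is short-lived.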
public final void close()
Specified by: close in interface AutoCloseable
public void shutdown()
Specified by: shutdown in interface com.google.api.gax.core.BackgroundResource
public boolean isShutdown()
Specified by: isShutdown in interface com.google.api.gax.core.BackgroundResource
public boolean isTerminated()
Specified by: isTerminated in interface com.google.api.gax.core.BackgroundResource
public void shutdownNow()
Specified by: shutdownNow in interface com.google.api.gax.core.BackgroundResource
public boolean awaitTermination(long duration, TimeUnit unit) throws InterruptedException
Specified by: awaitTermination in interface com.google.api.gax.core.BackgroundResource
Throws: InterruptedException
Copyright © 2019 Google LLC. All rights reserved.