Class ServiceAccountCredentials
- java.lang.Object
-
- com.google.auth.Credentials
-
- com.google.auth.oauth2.OAuth2Credentials
-
- com.google.auth.oauth2.GoogleCredentials
-
- com.google.auth.oauth2.ServiceAccountCredentials
-
- All Implemented Interfaces:
IdTokenProvider, JwtProvider, QuotaProjectIdProvider, ServiceAccountSigner, java.io.Serializable
public class ServiceAccountCredentials extends GoogleCredentials implements ServiceAccountSigner, IdTokenProvider, JwtProvider
OAuth2 credentials representing a Service Account for calling Google APIs. By default uses a JSON Web Token (JWT) to fetch access tokens.
- See Also:
- Serialized Form
-
-
Nested Class Summary
Nested Classes
Modifier and Type | Class | Description
static class
ServiceAccountCredentials.Builder
-
Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials
OAuth2Credentials.AsyncRefreshResult, OAuth2Credentials.CacheState, OAuth2Credentials.CredentialsChangedListener, OAuth2Credentials.FutureCallbackToMetadataCallbackAdapter, OAuth2Credentials.OAuthValue, OAuth2Credentials.RefreshTask, OAuth2Credentials.RefreshTaskListener
-
Nested classes/interfaces inherited from interface com.google.auth.oauth2.IdTokenProvider
IdTokenProvider.Option
-
Nested classes/interfaces inherited from interface com.google.auth.ServiceAccountSigner
ServiceAccountSigner.SigningException
-
-
Field Summary
Fields
Modifier and Type | Field | Description
private java.lang.String
clientEmail
private java.lang.String
clientId
private static int
DEFAULT_LIFETIME_IN_SECONDS
private boolean
defaultRetriesEnabled
private java.util.Collection<java.lang.String>
defaultScopes
private static java.lang.String
GRANT_TYPE
private int
lifetime
private static java.lang.String
PARSE_ERROR_PREFIX
private java.security.PrivateKey
privateKey
private java.lang.String
privateKeyId
private java.lang.String
projectId
private java.util.Collection<java.lang.String>
scopes
private JwtCredentials
selfSignedJwtCredentialsWithScope
private static long
serialVersionUID
private java.lang.String
serviceAccountUser
private java.net.URI
tokenServerUri
private HttpTransportFactory
transportFactory
private java.lang.String
transportFactoryClassName
private static int
TWELVE_HOURS_IN_SECONDS
private boolean
useJwtAccessWithScope
-
Fields inherited from class com.google.auth.oauth2.GoogleCredentials
GDCH_SERVICE_ACCOUNT_FILE_TYPE, QUOTA_PROJECT_ID_HEADER_KEY, quotaProjectId, SERVICE_ACCOUNT_FILE_TYPE, USER_FILE_TYPE
-
Fields inherited from class com.google.auth.oauth2.OAuth2Credentials
clock, DEFAULT_EXPIRATION_MARGIN, DEFAULT_REFRESH_MARGIN, lock, refreshTask
-
Fields inherited from class com.google.auth.Credentials
GOOGLE_DEFAULT_UNIVERSE
-
-
Constructor Summary
Constructors
Constructor | Description
ServiceAccountCredentials(ServiceAccountCredentials.Builder builder)
Internal constructor
-
Method Summary
Modifier and Type | Method | Description
private com.google.api.client.http.HttpRequest
buildIdTokenRequest(java.net.URI uri, HttpTransportFactory transportFactory, com.google.api.client.http.HttpContent content)
(package private) java.lang.String
createAssertion(com.google.api.client.json.JsonFactory jsonFactory, long currentTime)
(package private) java.lang.String
createAssertionForIdToken(long currentTime, java.lang.String audience, java.lang.String targetAudience)
GoogleCredentials
createDelegated(java.lang.String user)
If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.
GoogleCredentials
createScoped(java.util.Collection<java.lang.String> newScopes)
Clones the service account with the specified scopes.
GoogleCredentials
createScoped(java.util.Collection<java.lang.String> newScopes, java.util.Collection<java.lang.String> newDefaultScopes)
Clones the service account with the specified scopes.
boolean
createScopedRequired()
Returns whether the scopes are empty, meaning createScoped must be called before use.
(package private) JwtCredentials
createSelfSignedJwtCredentials(java.net.URI uri)
(package private) JwtCredentials
createSelfSignedJwtCredentials(java.net.URI uri, java.util.Collection<java.lang.String> scopes)
ServiceAccountCredentials
createWithCustomLifetime(int lifetime)
Clones the service account with a new lifetime value.
ServiceAccountCredentials
createWithCustomRetryStrategy(boolean defaultRetriesEnabled)
Clones the service account with the specified default retries.
ServiceAccountCredentials
createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope)
Clones the service account with a new useJwtAccessWithScope value.
boolean
equals(java.lang.Object obj)
private com.google.api.client.http.HttpResponse
executeRequest(com.google.api.client.http.HttpRequest request)
(package private) static ServiceAccountCredentials
fromJson(java.util.Map<java.lang.String,java.lang.Object> json, HttpTransportFactory transportFactory)
Returns service account credentials defined by JSON using the format supported by the Google Developers Console.
(package private) static ServiceAccountCredentials
fromPkcs8(java.lang.String privateKeyPkcs8, ServiceAccountCredentials.Builder builder)
Internal constructor
static ServiceAccountCredentials
fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes)
Factory with minimum identifying information using PKCS#8 for the private key.
static ServiceAccountCredentials
fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes, HttpTransportFactory transportFactory, java.net.URI tokenServerUri)
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
static ServiceAccountCredentials
fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes, HttpTransportFactory transportFactory, java.net.URI tokenServerUri, java.lang.String serviceAccountUser)
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
static ServiceAccountCredentials
fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes, java.util.Collection<java.lang.String> defaultScopes)
Factory with minimum identifying information using PKCS#8 for the private key.
static ServiceAccountCredentials
fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes, java.util.Collection<java.lang.String> defaultScopes, HttpTransportFactory transportFactory, java.net.URI tokenServerUri)
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
static ServiceAccountCredentials
fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes, java.util.Collection<java.lang.String> defaultScopes, HttpTransportFactory transportFactory, java.net.URI tokenServerUri, java.lang.String serviceAccountUser)
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
static ServiceAccountCredentials
fromStream(java.io.InputStream credentialsStream)
Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
static ServiceAccountCredentials
fromStream(java.io.InputStream credentialsStream, HttpTransportFactory transportFactory)
Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
java.lang.String
getAccount()
Returns the service account associated with the signer.
java.lang.String
getClientEmail()
java.lang.String
getClientId()
java.util.Collection<java.lang.String>
getDefaultScopes()
private IdToken
getIdTokenIamEndpoint(java.lang.String targetAudience)
Use IAM generateIdToken endpoint to obtain an ID token.
private IdToken
getIdTokenOauthEndpoint(java.lang.String targetAudience)
Uses the Oauth Endpoint to generate an ID token.
private java.lang.String
getIssuer()
(package private) int
getLifetime()
CredentialTypeForMetrics
getMetricsCredentialType()
Gets the credential type used for internal metrics header.
java.security.PrivateKey
getPrivateKey()
java.lang.String
getPrivateKeyId()
java.lang.String
getProjectId()
java.util.Map<java.lang.String,java.util.List<java.lang.String>>
getRequestMetadata(java.net.URI uri)
Provide the request metadata by putting an access JWT directly in the metadata.
void
getRequestMetadata(java.net.URI uri, java.util.concurrent.Executor executor, RequestMetadataCallback callback)
Get the current request metadata without blocking.
private java.util.Map<java.lang.String,java.util.List<java.lang.String>>
getRequestMetadataForGdu(java.net.URI uri)
private java.util.Map<java.lang.String,java.util.List<java.lang.String>>
getRequestMetadataForNonGdu(java.net.URI uri)
private java.util.Map<java.lang.String,java.util.List<java.lang.String>>
getRequestMetadataWithSelfSignedJwt(java.net.URI uri)
Provide the access JWT for scopes if provided, for uri as aud otherwise
java.util.Collection<java.lang.String>
getScopes()
(package private) JwtCredentials
getSelfSignedJwtCredentialsWithScope()
java.lang.String
getServiceAccountUser()
java.net.URI
getTokenServerUri()
(package private) static java.net.URI
getUriForSelfSignedJWT(java.net.URI uri)
Self-signed JWT uses uri as audience, which should have the "https://{host}/" format.
boolean
getUseJwtAccessWithScope()
int
hashCode()
IdToken
idTokenWithAudience(java.lang.String targetAudience, java.util.List<IdTokenProvider.Option> options)
Returns a Google ID Token from either the Oauth or IAM Endpoint.
(package private) boolean
isConfiguredForDomainWideDelegation()
Returns true if credential is configured domain wide delegation
JwtCredentials
jwtWithClaims(JwtClaims newClaims)
Returns a new JwtCredentials instance with modified claims.
static ServiceAccountCredentials.Builder
newBuilder()
private void
readObject(java.io.ObjectInputStream input)
AccessToken
refreshAccessToken()
Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).
(package private) boolean
shouldUseAssertionFlowForGdu()
byte[]
sign(byte[] toSign)
Signs the provided bytes using the private key associated with the service account.
ServiceAccountCredentials.Builder
toBuilder()
protected com.google.common.base.MoreObjects.ToStringHelper
toStringHelper()
A helper for overriding the toString() method.
-
Methods inherited from class com.google.auth.oauth2.GoogleCredentials
addQuotaProjectIdToRequestMetadata, create, create, createScoped, createWithQuotaProject, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getQuotaProjectId, getUniverseDomain, isDefaultUniverseDomain, isExplicitUniverseDomain, toString
-
Methods inherited from class com.google.auth.oauth2.OAuth2Credentials
addChangeListener, getAccessToken, getAuthenticationType, getExpirationMargin, getFromServiceLoader, getRefreshMargin, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener
-
Methods inherited from class com.google.auth.Credentials
blockingGetToCallback, getRequestMetadata
-
-
-
-
Field Detail
-
serialVersionUID
private static final long serialVersionUID
- See Also:
- Constant Field Values
-
GRANT_TYPE
private static final java.lang.String GRANT_TYPE
- See Also:
- Constant Field Values
-
PARSE_ERROR_PREFIX
private static final java.lang.String PARSE_ERROR_PREFIX
- See Also:
- Constant Field Values
-
TWELVE_HOURS_IN_SECONDS
private static final int TWELVE_HOURS_IN_SECONDS
- See Also:
- Constant Field Values
-
DEFAULT_LIFETIME_IN_SECONDS
private static final int DEFAULT_LIFETIME_IN_SECONDS
- See Also:
- Constant Field Values
-
clientId
private final java.lang.String clientId
-
clientEmail
private final java.lang.String clientEmail
-
privateKey
private final java.security.PrivateKey privateKey
-
privateKeyId
private final java.lang.String privateKeyId
-
serviceAccountUser
private final java.lang.String serviceAccountUser
-
projectId
private final java.lang.String projectId
-
transportFactoryClassName
private final java.lang.String transportFactoryClassName
-
tokenServerUri
private final java.net.URI tokenServerUri
-
scopes
private final java.util.Collection<java.lang.String> scopes
-
defaultScopes
private final java.util.Collection<java.lang.String> defaultScopes
-
lifetime
private final int lifetime
-
useJwtAccessWithScope
private final boolean useJwtAccessWithScope
-
defaultRetriesEnabled
private final boolean defaultRetriesEnabled
-
transportFactory
private transient HttpTransportFactory transportFactory
-
selfSignedJwtCredentialsWithScope
private transient JwtCredentials selfSignedJwtCredentialsWithScope
-
-
Constructor Detail
-
ServiceAccountCredentials
ServiceAccountCredentials(ServiceAccountCredentials.Builder builder)
Internal constructor
- Parameters:
builder
- A builder for ServiceAccountCredentials. See ServiceAccountCredentials.Builder
-
-
Method Detail
-
fromJson
static ServiceAccountCredentials fromJson(java.util.Map<java.lang.String,java.lang.Object> json, HttpTransportFactory transportFactory) throws java.io.IOException
Returns service account credentials defined by JSON using the format supported by the Google Developers Console.
- Parameters:
json
- a map from the JSON representing the credentials.
transportFactory
- HTTP transport factory, creates the transport used to get access tokens.
- Returns:
- the credentials defined by the JSON.
- Throws:
java.io.IOException
- if the credential cannot be created from the JSON.
-
fromPkcs8
public static ServiceAccountCredentials fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes) throws java.io.IOException
Factory with minimum identifying information using PKCS#8 for the private key.
- Parameters:
clientId
- Client ID of the service account from the console. May be null.
clientEmail
- Client email address of the service account from the console.
privateKeyPkcs8
- RSA private key object for the service account in PKCS#8 format.
privateKeyId
- Private key identifier for the service account. May be null.
scopes
- Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
- Returns:
- New ServiceAccountCredentials created from a private key.
- Throws:
java.io.IOException
- if the credential cannot be created from the private key.
-
fromPkcs8
public static ServiceAccountCredentials fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes, java.util.Collection<java.lang.String> defaultScopes) throws java.io.IOException
Factory with minimum identifying information using PKCS#8 for the private key.
- Parameters:
clientId
- client ID of the service account from the console. May be null.
clientEmail
- client email address of the service account from the console
privateKeyPkcs8
- RSA private key object for the service account in PKCS#8 format.
privateKeyId
- private key identifier for the service account. May be null.
scopes
- scope strings for the APIs to be called. May be null or an empty collection.
defaultScopes
- default scope strings for the APIs to be called. May be null or empty.
- Returns:
- new ServiceAccountCredentials created from a private key
- Throws:
java.io.IOException
- if the credential cannot be created from the private key
-
fromPkcs8
public static ServiceAccountCredentials fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes, HttpTransportFactory transportFactory, java.net.URI tokenServerUri) throws java.io.IOException
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
- Parameters:
clientId
- Client ID of the service account from the console. May be null.
clientEmail
- Client email address of the service account from the console.
privateKeyPkcs8
- RSA private key object for the service account in PKCS#8 format.
privateKeyId
- Private key identifier for the service account. May be null.
scopes
- Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
transportFactory
- HTTP transport factory, creates the transport used to get access tokens.
tokenServerUri
- URI of the end point that provides tokens.
- Returns:
- New ServiceAccountCredentials created from a private key.
- Throws:
java.io.IOException
- if the credential cannot be created from the private key.
-
fromPkcs8
public static ServiceAccountCredentials fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes, java.util.Collection<java.lang.String> defaultScopes, HttpTransportFactory transportFactory, java.net.URI tokenServerUri) throws java.io.IOException
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
- Parameters:
clientId
- client ID of the service account from the console. May be null.
clientEmail
- client email address of the service account from the console
privateKeyPkcs8
- RSA private key object for the service account in PKCS#8 format.
privateKeyId
- private key identifier for the service account. May be null.
scopes
- scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
defaultScopes
- default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
transportFactory
- HTTP transport factory, creates the transport used to get access tokens.
tokenServerUri
- URI of the end point that provides tokens
- Returns:
- new ServiceAccountCredentials created from a private key
- Throws:
java.io.IOException
- if the credential cannot be created from the private key
-
fromPkcs8
public static ServiceAccountCredentials fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes, HttpTransportFactory transportFactory, java.net.URI tokenServerUri, java.lang.String serviceAccountUser) throws java.io.IOException
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
- Parameters:
clientId
- Client ID of the service account from the console. May be null.
clientEmail
- Client email address of the service account from the console.
privateKeyPkcs8
- RSA private key object for the service account in PKCS#8 format.
privateKeyId
- Private key identifier for the service account. May be null.
scopes
- Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
transportFactory
- HTTP transport factory, creates the transport used to get access tokens.
tokenServerUri
- URI of the end point that provides tokens.
serviceAccountUser
- The email of the user account to impersonate, if delegating domain-wide authority to the service account.
- Returns:
- New ServiceAccountCredentials created from a private key.
- Throws:
java.io.IOException
- if the credential cannot be created from the private key.
-
fromPkcs8
public static ServiceAccountCredentials fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.util.Collection<java.lang.String> scopes, java.util.Collection<java.lang.String> defaultScopes, HttpTransportFactory transportFactory, java.net.URI tokenServerUri, java.lang.String serviceAccountUser) throws java.io.IOException
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
- Parameters:
clientId
- client ID of the service account from the console. May be null.
clientEmail
- client email address of the service account from the console
privateKeyPkcs8
- RSA private key object for the service account in PKCS#8 format.
privateKeyId
- private key identifier for the service account. May be null.
scopes
- scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
defaultScopes
- default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
transportFactory
- HTTP transport factory, creates the transport used to get access tokens.
tokenServerUri
- URI of the end point that provides tokens
serviceAccountUser
- the email of the user account to impersonate, if delegating domain-wide authority to the service account.
- Returns:
- new ServiceAccountCredentials created from a private key
- Throws:
java.io.IOException
- if the credential cannot be created from the private key
-
fromPkcs8
static ServiceAccountCredentials fromPkcs8(java.lang.String privateKeyPkcs8, ServiceAccountCredentials.Builder builder) throws java.io.IOException
Internal constructor
- Parameters:
privateKeyPkcs8
- RSA private key object for the service account in PKCS#8 format.
builder
- A builder for ServiceAccountCredentials. See ServiceAccountCredentials.Builder
- Returns:
- an instance of ServiceAccountCredentials
- Throws:
java.io.IOException
-
fromStream
public static ServiceAccountCredentials fromStream(java.io.InputStream credentialsStream) throws java.io.IOException
Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
- Parameters:
credentialsStream
- the stream with the credential definition.
- Returns:
- the credential defined by the credentialsStream.
- Throws:
java.io.IOException
- if the credential cannot be created from the stream.
-
fromStream
public static ServiceAccountCredentials fromStream(java.io.InputStream credentialsStream, HttpTransportFactory transportFactory) throws java.io.IOException
Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
- Parameters:
credentialsStream
- the stream with the credential definition.
transportFactory
- HTTP transport factory, creates the transport used to get access tokens.
- Returns:
- the credential defined by the credentialsStream.
- Throws:
java.io.IOException
- if the credential cannot be created from the stream.
-
createScopedRequired
public boolean createScopedRequired()
Returns whether the scopes are empty, meaning createScoped must be called before use.
- Overrides:
createScopedRequired in class GoogleCredentials
- Returns:
- Whether the credentials require scopes to be specified.
-
isConfiguredForDomainWideDelegation
boolean isConfiguredForDomainWideDelegation()
Returns true if the credential is configured for domain-wide delegation.
-
refreshAccessToken
public AccessToken refreshAccessToken() throws java.io.IOException
Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).
- Overrides:
refreshAccessToken in class OAuth2Credentials
- Returns:
- never
- Throws:
java.io.IOException
-
idTokenWithAudience
public IdToken idTokenWithAudience(java.lang.String targetAudience, java.util.List<IdTokenProvider.Option> options) throws java.io.IOException
Returns a Google ID Token from either the OAuth or IAM endpoint. For Credentials that are in the Google Default Universe (googleapis.com), the ID Token will be retrieved from the OAuth endpoint. Otherwise, it will be retrieved from the IAM endpoint.
- Specified by:
idTokenWithAudience in interface IdTokenProvider
- Parameters:
targetAudience
- the aud: field the IdToken should include.
options
- list of Credential specific options for the token. Currently unused for ServiceAccountCredentials.
- Returns:
- IdToken object which includes the raw id_token, expiration and audience
- Throws:
java.io.IOException
- if the attempt to get an IdToken failed
-
getIdTokenOauthEndpoint
private IdToken getIdTokenOauthEndpoint(java.lang.String targetAudience) throws java.io.IOException
Uses the OAuth endpoint to generate an ID token. Assertions and grant_type are sent in the request body.
- Throws:
java.io.IOException
-
getIdTokenIamEndpoint
private IdToken getIdTokenIamEndpoint(java.lang.String targetAudience) throws java.io.IOException
Uses the IAM generateIdToken endpoint to obtain an ID token. This flow works as follows:
- Create a self-signed JWT with `https://www.googleapis.com/auth/iam` as the scope.
- Use the self-signed JWT as the access token, and make a POST request to the IAM generateIdToken endpoint.
- If the request is successful, it will return {"token":"the ID token"}. Extract the ID token.
- Throws:
java.io.IOException
-
buildIdTokenRequest
private com.google.api.client.http.HttpRequest buildIdTokenRequest(java.net.URI uri, HttpTransportFactory transportFactory, com.google.api.client.http.HttpContent content) throws java.io.IOException
- Throws:
java.io.IOException
-
executeRequest
private com.google.api.client.http.HttpResponse executeRequest(com.google.api.client.http.HttpRequest request) throws java.io.IOException
- Throws:
java.io.IOException
-
createWithCustomRetryStrategy
public ServiceAccountCredentials createWithCustomRetryStrategy(boolean defaultRetriesEnabled)
Clones the service account with the specified default retries.
- Overrides:
createWithCustomRetryStrategy in class GoogleCredentials
- Parameters:
defaultRetriesEnabled
- a flag enabling or disabling default retries
- Returns:
- GoogleCredentials with the specified retry configuration.
-
createScoped
public GoogleCredentials createScoped(java.util.Collection<java.lang.String> newScopes)
Clones the service account with the specified scopes. Should be called before use for instances with empty scopes.
- Overrides:
createScoped in class GoogleCredentials
- Parameters:
newScopes
- Collection of scopes to request.
- Returns:
- GoogleCredentials with requested scopes.
-
createScoped
public GoogleCredentials createScoped(java.util.Collection<java.lang.String> newScopes, java.util.Collection<java.lang.String> newDefaultScopes)
Clones the service account with the specified scopes. The Access Token is invalidated even if the same scopes are provided. Access Tokens contain information about the internal values (e.g. scope). If an internal value (scope) is modified, then the existing Access Token is no longer valid and should not be re-used. Should be called before use for instances with empty scopes.
- Overrides:
createScoped in class GoogleCredentials
- Parameters:
newScopes
- Collection of scopes to request.
newDefaultScopes
- Collection of default scopes to request.
- Returns:
- GoogleCredentials with requested scopes.
-
createWithCustomLifetime
public ServiceAccountCredentials createWithCustomLifetime(int lifetime)
Clones the service account with a new lifetime value.
- Parameters:
lifetime
- life time value in seconds. The value should be at most 43200 (12 hours). If the token is used for calling a Google API, then the value should be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used when creating the credentials.
- Returns:
- the cloned service account credentials with the given custom life time
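Added example, not taken from the library's documentation or source: one way to combine fromPkcs8, createScopedRequired, createScoped, createWithCustomLifetime and sign to build a least-privilege credential. The class name, both helper methods, the sample e-mail address and the key id are constructed for illustration; the key is generated at run time and no network call is made.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Base64;
import java.util.Collections;

/** Added example: least-privilege construction of ServiceAccountCredentials, runnable offline. */
public class ScopedServiceAccountExample {

  // Limit stated above for tokens used to call Google APIs, in seconds.
  static final int MAX_API_LIFETIME_SECONDS = 3600;

  // Hypothetical helper: fail closed on lifetimes the documentation says are too long for
  // API calls. 0 is passed through, since it selects the default of 3600.
  static int checkedApiLifetime(int seconds) {
    if (seconds < 0 || seconds > MAX_API_LIFETIME_SECONDS) {
      throw new IllegalArgumentException(
          "lifetime must be between 0 and " + MAX_API_LIFETIME_SECONDS + " seconds");
    }
    return seconds;
  }

  // Hypothetical helper: wraps PKCS#8 DER bytes in the PEM text form passed to fromPkcs8.
  static String toPkcs8Pem(byte[] der) {
    byte[] newline = "\n".getBytes(StandardCharsets.US_ASCII);
    String body = Base64.getMimeEncoder(64, newline).encodeToString(der);
    return "-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n";
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample key: generated here and discarded, so no real key material is involved.
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
    generator.initialize(2048);
    KeyPair pair = generator.generateKeyPair();

    // Constructed identifiers; the e-mail address and key id do not belong to a real account.
    ServiceAccountCredentials unscoped =
        ServiceAccountCredentials.fromPkcs8(
            null, // clientId may be null
            "sample-sa@sample-project.iam.gserviceaccount.com",
            toPkcs8Pem(pair.getPrivate().getEncoded()),
            "constructed-key-id",
            null); // no scopes yet: createScoped must be called before use

    if (!unscoped.createScopedRequired()) {
      throw new IllegalStateException("expected a credential that still needs scopes");
    }

    // Grant only the scope the caller needs, then shorten the token lifetime.
    GoogleCredentials scoped =
        unscoped.createScoped(
            Collections.singletonList("https://www.googleapis.com/auth/devstorage.read_only"));
    ServiceAccountCredentials credentials =
        ((ServiceAccountCredentials) scoped).createWithCustomLifetime(checkedApiLifetime(600));

    // Log identifiers only; never log getPrivateKey() or a token value.
    System.out.println("account:        " + credentials.getAccount());
    System.out.println("key id:         " + credentials.getPrivateKeyId());
    System.out.println("scopes:         " + credentials.getScopes());
    System.out.println("scopes missing: " + credentials.createScopedRequired());

    // sign() uses the service account's private key. Verifying with the matching public key
    // confirms the PKCS#8 key was loaded intact (assumption: the library signs with
    // SHA256withRSA).
    byte[] payload = "constructed payload".getBytes(StandardCharsets.UTF_8);
    byte[] signature = credentials.sign(payload);
    Signature verifier = Signature.getInstance("SHA256withRSA");
    verifier.initVerify(pair.getPublic());
    verifier.update(payload);
    System.out.println("signature ok:   " + verifier.verify(signature));
  }
}
```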
-
createWithUseJwtAccessWithScope
public ServiceAccountCredentials createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope)
Clones the service account with a new useJwtAccessWithScope value. This flag will be ignored if universeDomain field is different from Credentials.GOOGLE_DEFAULT_UNIVERSE.
- Parameters:
useJwtAccessWithScope
- whether self-signed JWT with scopes should be used
- Returns:
- the cloned service account credentials with the given useJwtAccessWithScope
-
createDelegated
public GoogleCredentials createDelegated(java.lang.String user)
Description copied from class: GoogleCredentials
If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.
- Overrides:
createDelegated in class GoogleCredentials
- Parameters:
user
- User to impersonate.
- Returns:
- GoogleCredentials with a delegated user.
-
getClientId
public final java.lang.String getClientId()
-
getClientEmail
public final java.lang.String getClientEmail()
-
getPrivateKey
public final java.security.PrivateKey getPrivateKey()
-
getPrivateKeyId
public final java.lang.String getPrivateKeyId()
-
getScopes
public final java.util.Collection<java.lang.String> getScopes()
-
getDefaultScopes
public final java.util.Collection<java.lang.String> getDefaultScopes()
-
getServiceAccountUser
public final java.lang.String getServiceAccountUser()
-
getProjectId
public final java.lang.String getProjectId()
-
getTokenServerUri
public final java.net.URI getTokenServerUri()
-
getIssuer
private java.lang.String getIssuer()
-
getLifetime
int getLifetime()
-
getUseJwtAccessWithScope
public boolean getUseJwtAccessWithScope()
-
getSelfSignedJwtCredentialsWithScope
JwtCredentials getSelfSignedJwtCredentialsWithScope()
-
getAccount
public java.lang.String getAccount()
Description copied from interface: ServiceAccountSigner
Returns the service account associated with the signer.
- Specified by:
getAccount in interface ServiceAccountSigner
- Returns:
- The service account associated with the signer.
-
sign
public byte[] sign(byte[] toSign)
Description copied from interface: ServiceAccountSigner
Signs the provided bytes using the private key associated with the service account.
- Specified by:
sign in interface ServiceAccountSigner
- Parameters:
toSign
- bytes to sign
- Returns:
- signed bytes
-
jwtWithClaims
public JwtCredentials jwtWithClaims(JwtClaims newClaims)
Returns a new JwtCredentials instance with modified claims.
- Specified by:
jwtWithClaims in interface JwtProvider
- Parameters:
newClaims
- new claims. Any unspecified claim fields will default to the current values.
- Returns:
- new credentials
-
hashCode
public int hashCode()
- Overrides:
hashCode in class GoogleCredentials
-
toStringHelper
protected com.google.common.base.MoreObjects.ToStringHelper toStringHelper()
Description copied from class: GoogleCredentials
A helper for overriding the toString() method. This allows inheritance of super class fields. Extending classes can override this implementation, call the super implementation and add more fields. The same cannot be done by overriding toString() directly.
- Overrides:
toStringHelper in class GoogleCredentials
- Returns:
- an instance of the ToStringHelper that has public fields added
-
equals
public boolean equals(java.lang.Object obj)
- Overrides:
equals in class GoogleCredentials
-
createAssertion
java.lang.String createAssertion(com.google.api.client.json.JsonFactory jsonFactory, long currentTime) throws java.io.IOException
- Throws:
java.io.IOException
-
createAssertionForIdToken
java.lang.String createAssertionForIdToken(long currentTime, java.lang.String audience, java.lang.String targetAudience) throws java.io.IOException
- Throws:
java.io.IOException
-
getUriForSelfSignedJWT
static java.net.URI getUriForSelfSignedJWT(java.net.URI uri)
Self-signed JWT uses uri as audience, which should have the "https://{host}/" format. For instance, if the uri is "https://compute.googleapis.com/compute/v1/projects/", then this function returns "https://compute.googleapis.com/".
-
createSelfSignedJwtCredentials
JwtCredentials createSelfSignedJwtCredentials(java.net.URI uri)
-
createSelfSignedJwtCredentials
JwtCredentials createSelfSignedJwtCredentials(java.net.URI uri, java.util.Collection<java.lang.String> scopes)
-
getRequestMetadata
public void getRequestMetadata(java.net.URI uri, java.util.concurrent.Executor executor, RequestMetadataCallback callback)
Description copied from class: Credentials
Get the current request metadata without blocking.
This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.
The default implementation will just call Credentials.getRequestMetadata(URI) then the callback from the given executor.
The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.
- Overrides:
getRequestMetadata in class OAuth2Credentials
- Parameters:
uri
- URI of the entry point for the request.
executor
- Executor to perform the request.
callback
- Callback to execute when the request is finished.
-
getRequestMetadata
public java.util.Map<java.lang.String,java.util.List<java.lang.String>> getRequestMetadata(java.net.URI uri) throws java.io.IOException
Provide the request metadata by putting an access JWT directly in the metadata.
- Overrides:
getRequestMetadata in class OAuth2Credentials
- Parameters:
uri
- URI of the entry point for the request.
- Returns:
- The request metadata used for populating headers or other context.
- Throws:
java.io.IOException
- if there was an error getting up-to-date access. The exception should implement Retryable and isRetryable() will return true if the operation may be retried.
-
getMetricsCredentialType
public CredentialTypeForMetrics getMetricsCredentialType()
Description copied from class: Credentials
Gets the credential type used for internal metrics header.
The default is CredentialTypeForMetrics.DO_NOT_SEND. For a credential that is established to track for metrics, this default should be overridden.
- Overrides:
getMetricsCredentialType in class Credentials
- Returns:
- an enum value for credential type
-
shouldUseAssertionFlowForGdu
boolean shouldUseAssertionFlowForGdu()
-
getRequestMetadataForGdu
private java.util.Map<java.lang.String,java.util.List<java.lang.String>> getRequestMetadataForGdu(java.net.URI uri) throws java.io.IOException
- Throws:
java.io.IOException
-
getRequestMetadataForNonGdu
private java.util.Map<java.lang.String,java.util.List<java.lang.String>> getRequestMetadataForNonGdu(java.net.URI uri) throws java.io.IOException
- Throws:
java.io.IOException
-
getRequestMetadataWithSelfSignedJwt
private java.util.Map<java.lang.String,java.util.List<java.lang.String>> getRequestMetadataWithSelfSignedJwt(java.net.URI uri) throws java.io.IOException
Provides the access JWT for the scopes if provided; otherwise for the uri as aud.
- Throws:
java.io.IOException
-
readObject
private void readObject(java.io.ObjectInputStream input) throws java.io.IOException, java.lang.ClassNotFoundException
- Throws:
java.io.IOException
java.lang.ClassNotFoundException
-
newBuilder
public static ServiceAccountCredentials.Builder newBuilder()
-
toBuilder
public ServiceAccountCredentials.Builder toBuilder()
- Overrides:
toBuilder in class GoogleCredentials
-
-