Class ExternalAccountCredentials

    • Field Detail

      • CLOUD_PLATFORM_SCOPE

        private static final java.lang.String CLOUD_PLATFORM_SCOPE
        See Also:
        Constant Field Values
      • EXTERNAL_ACCOUNT_FILE_TYPE

        static final java.lang.String EXTERNAL_ACCOUNT_FILE_TYPE
        See Also:
        Constant Field Values
      • EXECUTABLE_SOURCE_KEY

        static final java.lang.String EXECUTABLE_SOURCE_KEY
        See Also:
        Constant Field Values
      • PROGRAMMATIC_METRICS_HEADER_VALUE

        static final java.lang.String PROGRAMMATIC_METRICS_HEADER_VALUE
        See Also:
        Constant Field Values
      • transportFactoryClassName

        private final java.lang.String transportFactoryClassName
      • audience

        private final java.lang.String audience
      • subjectTokenType

        private final java.lang.String subjectTokenType
      • tokenUrl

        private final java.lang.String tokenUrl
      • scopes

        private final java.util.Collection<java.lang.String> scopes
      • tokenInfoUrl

        @Nullable
        private final java.lang.String tokenInfoUrl
      • serviceAccountImpersonationUrl

        @Nullable
        private final java.lang.String serviceAccountImpersonationUrl
      • clientId

        @Nullable
        private final java.lang.String clientId
      • clientSecret

        @Nullable
        private final java.lang.String clientSecret
      • workforcePoolUserProject

        @Nullable
        private final java.lang.String workforcePoolUserProject
    • Constructor Detail

      • ExternalAccountCredentials

        protected ExternalAccountCredentials​(HttpTransportFactory transportFactory,
                                             java.lang.String audience,
                                             java.lang.String subjectTokenType,
                                             java.lang.String tokenUrl,
                                             ExternalAccountCredentials.CredentialSource credentialSource,
                                             @Nullable
                                             java.lang.String tokenInfoUrl,
                                             @Nullable
                                             java.lang.String serviceAccountImpersonationUrl,
                                             @Nullable
                                             java.lang.String quotaProjectId,
                                             @Nullable
                                             java.lang.String clientId,
                                             @Nullable
                                             java.lang.String clientSecret,
                                             @Nullable
                                             java.util.Collection<java.lang.String> scopes)
        Constructor taking the minimum identifying information and a custom HTTP transport. Does not support workforce credentials: there is no parameter for workforcePoolUserProject, so a workforce pool configuration cannot be expressed through this constructor (see isWorkforcePoolConfiguration()).
        Parameters:
        transportFactory - HTTP transport factory, creates the transport used to get access tokens
        audience - the Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider
        subjectTokenType - the Security Token Service subject token type as defined by the OAuth 2.0 Token Exchange specification (RFC 8693). Indicates the type of the security token presented by the credential source, and therefore how the Security Token Service will validate it
        tokenUrl - the Security Token Service token exchange endpoint
        tokenInfoUrl - the endpoint used to retrieve account related information. Required for gCloud session account identification.
        credentialSource - the external credential source
        serviceAccountImpersonationUrl - the URL of the service account impersonation endpoint. Some APIs require an impersonated service account token; when this is null the access token returned by the Security Token Service is used directly. A non-null value is expected to satisfy validateServiceAccountImpersonationInfoUrl(String); note that isValidUrl(String) accepts only HTTPS URLs, so a plain-http endpoint should not be expected to work. May be null.
        quotaProjectId - the project used for quota and billing purposes. May be null.
        clientId - client ID of the service account from the console. May be null.
        clientSecret - client secret of the service account from the console. This is a secret: it is retained in memory by the credential and exposed through getClientSecret(), so it must not be logged, included in exception messages, or persisted alongside the credential. May be null.
        scopes - the OAuth scopes to request during the token exchange. Prefer an explicit, minimal set matching what the workload actually calls rather than a broad platform-wide scope (compare CLOUD_PLATFORM_SCOPE). May be null.
      • ExternalAccountCredentials

        protected ExternalAccountCredentials​(HttpTransportFactory transportFactory,
                                             java.lang.String audience,
                                             java.lang.String subjectTokenType,
                                             java.lang.String tokenUrl,
                                             ExternalAccountCredentials.CredentialSource credentialSource,
                                             @Nullable
                                             java.lang.String tokenInfoUrl,
                                             @Nullable
                                             java.lang.String serviceAccountImpersonationUrl,
                                             @Nullable
                                             java.lang.String quotaProjectId,
                                             @Nullable
                                             java.lang.String clientId,
                                             @Nullable
                                             java.lang.String clientSecret,
                                             @Nullable
                                             java.util.Collection<java.lang.String> scopes,
                                             @Nullable
                                             EnvironmentProvider environmentProvider)
        Constructor taking the minimum identifying information, a custom HTTP transport and an explicit EnvironmentProvider (useful for testing without touching the real process environment). Does not support workforce credentials: there is no parameter for workforcePoolUserProject (see isWorkforcePoolConfiguration()).
        Parameters:
        transportFactory - HTTP transport factory, creates the transport used to get access tokens
        audience - the Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider
        subjectTokenType - the Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file
        tokenUrl - the Security Token Service token exchange endpoint
        tokenInfoUrl - the endpoint used to retrieve account related information. Required for gCloud session account identification.
        credentialSource - the external credential source
        serviceAccountImpersonationUrl - the URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null.
        quotaProjectId - the project used for quota and billing purposes. May be null.
        clientId - client ID of the service account from the console. May be null.
        clientSecret - client secret of the service account from the console. This is a secret: it is retained in memory by the credential and exposed through getClientSecret(), so it must not be logged, included in exception messages, or persisted alongside the credential. May be null.
        scopes - the scopes to request during the authorization grant. May be null.
        environmentProvider - the environment provider. May be null. Defaults to SystemEnvironmentProvider.
    • Method Detail

      • getRequestMetadata

        public void getRequestMetadata​(java.net.URI uri,
                                       java.util.concurrent.Executor executor,
                                       RequestMetadataCallback callback)
        Description copied from class: Credentials
        Get the current request metadata without blocking.

        This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.

        The default implementation will just call Credentials.getRequestMetadata(URI) then the callback from the given executor.

        The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.

        Overrides:
        getRequestMetadata in class OAuth2Credentials
        Parameters:
        uri - URI of the entry point for the request.
        executor - Executor to perform the request.
        callback - Callback to execute when the request is finished.
      • getUniverseDomain

        public java.lang.String getUniverseDomain()
        Description copied from class: GoogleCredentials
        Gets the universe domain for the credential.
        Overrides:
        getUniverseDomain in class GoogleCredentials
        Returns:
        The universe domain if one was explicitly provided; otherwise the value returned by the superclass implementation
      • getRequestMetadata

        public java.util.Map<java.lang.String,​java.util.List<java.lang.String>> getRequestMetadata​(java.net.URI uri)
                                                                                                  throws java.io.IOException
        Description copied from class: OAuth2Credentials
        Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.
        Overrides:
        getRequestMetadata in class OAuth2Credentials
        Parameters:
        uri - URI of the entry point for the request.
        Returns:
        The request metadata used for populating headers or other context.
        Throws:
        java.io.IOException - if there was an error getting up-to-date access. The exception should implement Retryable and isRetryable() will return true if the operation may be retried.
      • fromStream

        public static ExternalAccountCredentials fromStream​(java.io.InputStream credentialsStream)
                                                     throws java.io.IOException
        Returns credentials defined by a JSON file stream.

        Returns an IdentityPoolCredentials or AwsCredentials instance; executable-backed ("pluggable auth") credential sources are also detected during parsing (see EXECUTABLE_SOURCE_KEY and isPluggableAuthCredential). Treat the JSON as trusted configuration: it selects the credential source and the endpoints (tokenUrl, serviceAccountImpersonationUrl) that the subject token is sent to, so credential files must only be loaded from locations an attacker cannot write to.

        Parameters:
        credentialsStream - the stream with the credential definition
        Returns:
        the credential defined by the credentialsStream
        Throws:
        java.io.IOException - if the credential cannot be created from the stream
      • fromStream

        public static ExternalAccountCredentials fromStream​(java.io.InputStream credentialsStream,
                                                            HttpTransportFactory transportFactory)
                                                     throws java.io.IOException
        Returns credentials defined by a JSON file stream.

        Returns an IdentityPoolCredentials or AwsCredentials instance; executable-backed ("pluggable auth") credential sources are also detected during parsing (see EXECUTABLE_SOURCE_KEY and isPluggableAuthCredential). Treat the JSON as trusted configuration: it selects the credential source and the endpoints (tokenUrl, serviceAccountImpersonationUrl) that the subject token is sent to, so credential files must only be loaded from locations an attacker cannot write to.

        Parameters:
        credentialsStream - the stream with the credential definition
        transportFactory - the HTTP transport factory used to create the transport to get access tokens
        Returns:
        the credential defined by the credentialsStream
        Throws:
        java.io.IOException - if the credential cannot be created from the stream
      • fromJson

        static ExternalAccountCredentials fromJson​(java.util.Map<java.lang.String,​java.lang.Object> json,
                                                   HttpTransportFactory transportFactory)
        Returns external account credentials defined by JSON in the format generated by gcloud. The map is trusted configuration that chooses the credential source and the token endpoints; the token URL and any impersonation URL are subject to validateTokenUrl(String) and validateServiceAccountImpersonationInfoUrl(String).
        Parameters:
        json - a map from the JSON representing the credentials
        transportFactory - HTTP transport factory, creates the transport used to get access tokens
        Returns:
        the credentials defined by the JSON
      • isPluggableAuthCredential

        private static boolean isPluggableAuthCredential​(java.util.Map<java.lang.String,​java.lang.Object> credentialSource)
      • isAwsCredential

        private static boolean isAwsCredential​(java.util.Map<java.lang.String,​java.lang.Object> credentialSource)
      • shouldBuildImpersonatedCredential

        private boolean shouldBuildImpersonatedCredential()
      • exchangeExternalCredentialForAccessToken

        protected AccessToken exchangeExternalCredentialForAccessToken​(StsTokenExchangeRequest stsTokenExchangeRequest)
                                                                throws java.io.IOException
        Exchanges the external credential for a Google Cloud access token.
        Parameters:
        stsTokenExchangeRequest - the Security Token Service token exchange request
        Returns:
        the access token returned by the Security Token Service
        Throws:
        OAuthException - if the call to the Security Token Service fails
        java.io.IOException - if an I/O error occurs while contacting the Security Token Service or reading its response
      • retrieveSubjectToken

        public abstract java.lang.String retrieveSubjectToken()
                                                       throws java.io.IOException
        Retrieves the external subject token to be exchanged for a Google Cloud access token.

        Must be implemented by subclasses as the retrieval method is dependent on the credential source.

        Returns:
        the external subject token
        Throws:
        java.io.IOException - if the subject token cannot be retrieved
      • getAudience

        public java.lang.String getAudience()
      • getSubjectTokenType

        public java.lang.String getSubjectTokenType()
      • getTokenUrl

        public java.lang.String getTokenUrl()
      • getTokenInfoUrl

        public java.lang.String getTokenInfoUrl()
      • readObject

        private void readObject​(java.io.ObjectInputStream input)
                         throws java.io.IOException,
                                java.lang.ClassNotFoundException
        Throws:
        java.io.IOException - if the serialized form cannot be read
        java.lang.ClassNotFoundException - if a class referenced by the serialized form cannot be resolved. The presence of this hook means instances are Java-serializable, and the serialized form can carry the clientSecret field (not shown as transient here); as with any ObjectInputStream, only deserialize data from a trusted source and protect the serialized bytes as a secret.
      • getServiceAccountImpersonationUrl

        @Nullable
        public java.lang.String getServiceAccountImpersonationUrl()
      • getServiceAccountEmail

        @Nullable
        public java.lang.String getServiceAccountEmail()
        Returns:
        The service account email to be impersonated, if available
      • getClientId

        @Nullable
        public java.lang.String getClientId()
      • getClientSecret

        @Nullable
        public java.lang.String getClientSecret()
      • getScopes

        @Nullable
        public java.util.Collection<java.lang.String> getScopes()
      • getWorkforcePoolUserProject

        @Nullable
        public java.lang.String getWorkforcePoolUserProject()
      • getCredentialSourceType

        java.lang.String getCredentialSourceType()
      • isWorkforcePoolConfiguration

        public boolean isWorkforcePoolConfiguration()
        Returns:
        whether the current configuration is for Workforce Pools (which represent third-party user identities, rather than workloads)
      • validateTokenUrl

        static void validateTokenUrl​(java.lang.String tokenUrl)
      • validateServiceAccountImpersonationInfoUrl

        static void validateServiceAccountImpersonationInfoUrl​(java.lang.String serviceAccountImpersonationUrl)
      • isValidUrl

        private static boolean isValidUrl​(java.lang.String url)
        Returns true only if the provided URL parses and its scheme is HTTPS. Plain http:// and any other scheme are rejected, so subject tokens and the token exchange are never sent over a cleartext channel.