Class ServiceAccountCredentials

    • Field Detail

      • PARSE_ERROR_PREFIX

        private static final java.lang.String PARSE_ERROR_PREFIX
        See Also:
        Constant Field Values
      • TWELVE_HOURS_IN_SECONDS

        private static final int TWELVE_HOURS_IN_SECONDS
        See Also:
        Constant Field Values
      • DEFAULT_LIFETIME_IN_SECONDS

        private static final int DEFAULT_LIFETIME_IN_SECONDS
        See Also:
        Constant Field Values
      • clientId

        private final java.lang.String clientId
      • clientEmail

        private final java.lang.String clientEmail
      • privateKey

        private final java.security.PrivateKey privateKey
      • privateKeyId

        private final java.lang.String privateKeyId
      • serviceAccountUser

        private final java.lang.String serviceAccountUser
      • projectId

        private final java.lang.String projectId
      • transportFactoryClassName

        private final java.lang.String transportFactoryClassName
      • tokenServerUri

        private final java.net.URI tokenServerUri
      • scopes

        private final java.util.Collection<java.lang.String> scopes
      • defaultScopes

        private final java.util.Collection<java.lang.String> defaultScopes
      • lifetime

        private final int lifetime
      • useJwtAccessWithScope

        private final boolean useJwtAccessWithScope
      • defaultRetriesEnabled

        private final boolean defaultRetriesEnabled
      • selfSignedJwtCredentialsWithScope

        private transient JwtCredentials selfSignedJwtCredentialsWithScope
    • Method Detail

      • fromJson

        static ServiceAccountCredentials fromJson​(java.util.Map<java.lang.String,​java.lang.Object> json,
                                                  HttpTransportFactory transportFactory)
                                           throws java.io.IOException
        Returns service account credentials defined by JSON using the format supported by the Google Developers Console.
        Parameters:
        json - a map from the JSON representing the credentials.
        transportFactory - HTTP transport factory, creates the transport used to get access tokens.
        Returns:
        the credentials defined by the JSON.
        Throws:
        java.io.IOException - if the credential cannot be created from the JSON.
      • fromPkcs8

        public static ServiceAccountCredentials fromPkcs8​(java.lang.String clientId,
                                                          java.lang.String clientEmail,
                                                          java.lang.String privateKeyPkcs8,
                                                          java.lang.String privateKeyId,
                                                          java.util.Collection<java.lang.String> scopes)
                                                   throws java.io.IOException
        Factory with minimum identifying information using PKCS#8 for the private key.
        Parameters:
        clientId - Client ID of the service account from the console. May be null.
        clientEmail - Client email address of the service account from the console.
        privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
        privateKeyId - Private key identifier for the service account. May be null.
        scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
        Returns:
        New ServiceAccountCredentials created from a private key.
        Throws:
        java.io.IOException - if the credential cannot be created from the private key.
      • fromPkcs8

        public static ServiceAccountCredentials fromPkcs8​(java.lang.String clientId,
                                                          java.lang.String clientEmail,
                                                          java.lang.String privateKeyPkcs8,
                                                          java.lang.String privateKeyId,
                                                          java.util.Collection<java.lang.String> scopes,
                                                          java.util.Collection<java.lang.String> defaultScopes)
                                                   throws java.io.IOException
        Factory with minimum identifying information using PKCS#8 for the private key.
        Parameters:
        clientId - client ID of the service account from the console. May be null.
        clientEmail - client email address of the service account from the console
        privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
        privateKeyId - private key identifier for the service account. May be null.
        scopes - scope strings for the APIs to be called. May be null or an empty collection.
        defaultScopes - default scope strings for the APIs to be called. May be null or an empty collection.
        Returns:
        new ServiceAccountCredentials created from a private key
        Throws:
        java.io.IOException - if the credential cannot be created from the private key
      • fromPkcs8

        public static ServiceAccountCredentials fromPkcs8​(java.lang.String clientId,
                                                          java.lang.String clientEmail,
                                                          java.lang.String privateKeyPkcs8,
                                                          java.lang.String privateKeyId,
                                                          java.util.Collection<java.lang.String> scopes,
                                                          HttpTransportFactory transportFactory,
                                                          java.net.URI tokenServerUri)
                                                   throws java.io.IOException
        Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
        Parameters:
        clientId - Client ID of the service account from the console. May be null.
        clientEmail - Client email address of the service account from the console.
        privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
        privateKeyId - Private key identifier for the service account. May be null.
        scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
        transportFactory - HTTP transport factory, creates the transport used to get access tokens.
        tokenServerUri - URI of the end point that provides tokens.
        Returns:
        New ServiceAccountCredentials created from a private key.
        Throws:
        java.io.IOException - if the credential cannot be created from the private key.
      • fromPkcs8

        public static ServiceAccountCredentials fromPkcs8​(java.lang.String clientId,
                                                          java.lang.String clientEmail,
                                                          java.lang.String privateKeyPkcs8,
                                                          java.lang.String privateKeyId,
                                                          java.util.Collection<java.lang.String> scopes,
                                                          java.util.Collection<java.lang.String> defaultScopes,
                                                          HttpTransportFactory transportFactory,
                                                          java.net.URI tokenServerUri)
                                                   throws java.io.IOException
        Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
        Parameters:
        clientId - client ID of the service account from the console. May be null.
        clientEmail - client email address of the service account from the console
        privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
        privateKeyId - private key identifier for the service account. May be null.
        scopes - scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
        defaultScopes - default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
        transportFactory - HTTP transport factory, creates the transport used to get access tokens.
        tokenServerUri - URI of the end point that provides tokens
        Returns:
        new ServiceAccountCredentials created from a private key
        Throws:
        java.io.IOException - if the credential cannot be created from the private key
      • fromPkcs8

        public static ServiceAccountCredentials fromPkcs8​(java.lang.String clientId,
                                                          java.lang.String clientEmail,
                                                          java.lang.String privateKeyPkcs8,
                                                          java.lang.String privateKeyId,
                                                          java.util.Collection<java.lang.String> scopes,
                                                          HttpTransportFactory transportFactory,
                                                          java.net.URI tokenServerUri,
                                                          java.lang.String serviceAccountUser)
                                                   throws java.io.IOException
        Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
        Parameters:
        clientId - Client ID of the service account from the console. May be null.
        clientEmail - Client email address of the service account from the console.
        privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
        privateKeyId - Private key identifier for the service account. May be null.
        scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
        transportFactory - HTTP transport factory, creates the transport used to get access tokens.
        tokenServerUri - URI of the end point that provides tokens.
        serviceAccountUser - The email of the user account to impersonate, if delegating domain-wide authority to the service account.
        Returns:
        New ServiceAccountCredentials created from a private key.
        Throws:
        java.io.IOException - if the credential cannot be created from the private key.
      • fromPkcs8

        public static ServiceAccountCredentials fromPkcs8​(java.lang.String clientId,
                                                          java.lang.String clientEmail,
                                                          java.lang.String privateKeyPkcs8,
                                                          java.lang.String privateKeyId,
                                                          java.util.Collection<java.lang.String> scopes,
                                                          java.util.Collection<java.lang.String> defaultScopes,
                                                          HttpTransportFactory transportFactory,
                                                          java.net.URI tokenServerUri,
                                                          java.lang.String serviceAccountUser)
                                                   throws java.io.IOException
        Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
        Parameters:
        clientId - client ID of the service account from the console. May be null.
        clientEmail - client email address of the service account from the console
        privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
        privateKeyId - private key identifier for the service account. May be null.
        scopes - scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
        defaultScopes - default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
        transportFactory - HTTP transport factory, creates the transport used to get access tokens.
        tokenServerUri - URI of the end point that provides tokens
        serviceAccountUser - the email of the user account to impersonate, if delegating domain-wide authority to the service account.
        Returns:
        new ServiceAccountCredentials created from a private key
        Throws:
        java.io.IOException - if the credential cannot be created from the private key
      • fromStream

        public static ServiceAccountCredentials fromStream​(java.io.InputStream credentialsStream)
                                                    throws java.io.IOException
        Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
        Parameters:
        credentialsStream - the stream with the credential definition.
        Returns:
        the credential defined by the credentialsStream.
        Throws:
        java.io.IOException - if the credential cannot be created from the stream.
      • fromStream

        public static ServiceAccountCredentials fromStream​(java.io.InputStream credentialsStream,
                                                           HttpTransportFactory transportFactory)
                                                    throws java.io.IOException
        Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
        Parameters:
        credentialsStream - the stream with the credential definition.
        transportFactory - HTTP transport factory, creates the transport used to get access tokens.
        Returns:
        the credential defined by the credentialsStream.
        Throws:
        java.io.IOException - if the credential cannot be created from the stream.
      • createScopedRequired

        public boolean createScopedRequired()
        Returns whether the scopes are empty, meaning createScoped must be called before use.
        Overrides:
        createScopedRequired in class GoogleCredentials
        Returns:
        Whether the credentials require scopes to be specified.
      • isConfiguredForDomainWideDelegation

        boolean isConfiguredForDomainWideDelegation()
        Returns true if the credential is configured for domain-wide delegation.
      • refreshAccessToken

        public AccessToken refreshAccessToken()
                                       throws java.io.IOException
        Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).
        Overrides:
        refreshAccessToken in class OAuth2Credentials
        Returns:
        never
        Throws:
        java.io.IOException
      • idTokenWithAudience

        public IdToken idTokenWithAudience​(java.lang.String targetAudience,
                                           java.util.List<IdTokenProvider.Option> options)
                                    throws java.io.IOException
        Returns a Google ID token from either the OAuth endpoint or the IAM endpoint. For credentials in the Google Default Universe (googleapis.com), the ID token is retrieved from the OAuth endpoint. Otherwise, it is retrieved from the IAM endpoint.
        Specified by:
        idTokenWithAudience in interface IdTokenProvider
        Parameters:
        targetAudience - the aud: field the IdToken should include.
        options - list of credential-specific options for the token. Currently unused for ServiceAccountCredentials.
        Returns:
        IdToken object which includes the raw id_token, expiration and audience
        Throws:
        java.io.IOException - if the attempt to get an IdToken failed
      • getIdTokenOauthEndpoint

        private IdToken getIdTokenOauthEndpoint​(java.lang.String targetAudience)
                                         throws java.io.IOException
        Uses the OAuth endpoint to generate an ID token. Assertions and grant_type are sent in the request body.
        Throws:
        java.io.IOException
      • getIdTokenIamEndpoint

        private IdToken getIdTokenIamEndpoint​(java.lang.String targetAudience)
                                       throws java.io.IOException
        Uses the IAM generateIdToken endpoint to obtain an ID token.

        This flow works as follows:

        1. Create a self-signed JWT with `https://www.googleapis.com/auth/iam` as the scope.
        2. Use the self-signed JWT as the access token, and make a POST request to the IAM generateIdToken endpoint.
        3. If the request is successful, it returns {"token":"the ID token"}. Extract the ID token.
        Throws:
        java.io.IOException
      • buildIdTokenRequest

        private com.google.api.client.http.HttpRequest buildIdTokenRequest​(java.net.URI uri,
                                                                           HttpTransportFactory transportFactory,
                                                                           com.google.api.client.http.HttpContent content)
                                                                    throws java.io.IOException
        Throws:
        java.io.IOException
      • executeRequest

        private com.google.api.client.http.HttpResponse executeRequest​(com.google.api.client.http.HttpRequest request)
                                                                throws java.io.IOException
        Throws:
        java.io.IOException
      • createWithCustomRetryStrategy

        public ServiceAccountCredentials createWithCustomRetryStrategy​(boolean defaultRetriesEnabled)
        Clones the service account with the specified default retries.
        Overrides:
        createWithCustomRetryStrategy in class GoogleCredentials
        Parameters:
        defaultRetriesEnabled - a flag enabling or disabling default retries
        Returns:
        GoogleCredentials with the specified retry configuration.
      • createScoped

        public GoogleCredentials createScoped​(java.util.Collection<java.lang.String> newScopes)
        Clones the service account with the specified scopes.

        Should be called before use for instances with empty scopes.

        Overrides:
        createScoped in class GoogleCredentials
        Parameters:
        newScopes - Collection of scopes to request.
        Returns:
        GoogleCredentials with requested scopes.
      • createScoped

        public GoogleCredentials createScoped​(java.util.Collection<java.lang.String> newScopes,
                                              java.util.Collection<java.lang.String> newDefaultScopes)
        Clones the service account with the specified scopes. The Access Token is invalidated even if the same scopes are provided. Access Tokens contain information of the internal values (i.e. scope). If an internal value (scope) is modified, then the existing Access Token is no longer valid and should not be re-used.

        Should be called before use for instances with empty scopes.

        Overrides:
        createScoped in class GoogleCredentials
        Parameters:
        newScopes - Collection of scopes to request.
        newDefaultScopes - Collection of default scopes to request.
        Returns:
        GoogleCredentials with requested scopes.
      • createWithCustomLifetime

        public ServiceAccountCredentials createWithCustomLifetime​(int lifetime)
        Clones the service account with a new lifetime value.
        Parameters:
        lifetime - lifetime value in seconds. The value should be at most 43200 (12 hours). If the token is used for calling a Google API, then the value should be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used when creating the credentials.
        Returns:
        the cloned service account credentials with the given custom lifetime
      • createWithUseJwtAccessWithScope

        public ServiceAccountCredentials createWithUseJwtAccessWithScope​(boolean useJwtAccessWithScope)
        Clones the service account with a new useJwtAccessWithScope value. This flag is ignored if the universeDomain field differs from Credentials.GOOGLE_DEFAULT_UNIVERSE.
        Parameters:
        useJwtAccessWithScope - whether self-signed JWT with scopes should be used
        Returns:
        the cloned service account credentials with the given useJwtAccessWithScope
      • createDelegated

        public GoogleCredentials createDelegated​(java.lang.String user)
        Description copied from class: GoogleCredentials
        If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.
        Overrides:
        createDelegated in class GoogleCredentials
        Parameters:
        user - User to impersonate.
        Returns:
        GoogleCredentials with a delegated user.
      • getClientId

        public final java.lang.String getClientId()
      • getClientEmail

        public final java.lang.String getClientEmail()
      • getPrivateKey

        public final java.security.PrivateKey getPrivateKey()
      • getPrivateKeyId

        public final java.lang.String getPrivateKeyId()
      • getScopes

        public final java.util.Collection<java.lang.String> getScopes()
      • getDefaultScopes

        public final java.util.Collection<java.lang.String> getDefaultScopes()
      • getServiceAccountUser

        public final java.lang.String getServiceAccountUser()
      • getProjectId

        public final java.lang.String getProjectId()
      • getTokenServerUri

        public final java.net.URI getTokenServerUri()
      • getIssuer

        private java.lang.String getIssuer()
      • getLifetime

        int getLifetime()
      • getUseJwtAccessWithScope

        public boolean getUseJwtAccessWithScope()
      • getSelfSignedJwtCredentialsWithScope

        JwtCredentials getSelfSignedJwtCredentialsWithScope()
      • getAccount

        public java.lang.String getAccount()
        Description copied from interface: ServiceAccountSigner
        Returns the service account associated with the signer.
        Specified by:
        getAccount in interface ServiceAccountSigner
        Returns:
        The service account associated with the signer.
      • sign

        public byte[] sign​(byte[] toSign)
        Description copied from interface: ServiceAccountSigner
        Signs the provided bytes using the private key associated with the service account.
        Specified by:
        sign in interface ServiceAccountSigner
        Parameters:
        toSign - bytes to sign
        Returns:
        signed bytes
      • jwtWithClaims

        public JwtCredentials jwtWithClaims​(JwtClaims newClaims)
        Returns a new JwtCredentials instance with modified claims.
        Specified by:
        jwtWithClaims in interface JwtProvider
        Parameters:
        newClaims - new claims. Any unspecified claim fields will default to the current values.
        Returns:
        new credentials
      • toStringHelper

        protected com.google.common.base.MoreObjects.ToStringHelper toStringHelper()
        Description copied from class: GoogleCredentials
        A helper for overriding the toString() method. This allows inheritance of superclass fields. Extending classes can override this implementation, call the super implementation, and add more fields. The same cannot be done by overriding toString() directly.
        Overrides:
        toStringHelper in class GoogleCredentials
        Returns:
        an instance of the ToStringHelper that has public fields added
      • createAssertion

        java.lang.String createAssertion​(com.google.api.client.json.JsonFactory jsonFactory,
                                         long currentTime)
                                  throws java.io.IOException
        Throws:
        java.io.IOException
      • createAssertionForIdToken

        java.lang.String createAssertionForIdToken​(long currentTime,
                                                   java.lang.String audience,
                                                   java.lang.String targetAudience)
                                            throws java.io.IOException
        Throws:
        java.io.IOException
      • getUriForSelfSignedJWT

        static java.net.URI getUriForSelfSignedJWT​(java.net.URI uri)
        Self-signed JWT uses uri as audience, which should have the "https://{host}/" format. For instance, if the uri is "https://compute.googleapis.com/compute/v1/projects/", then this function returns "https://compute.googleapis.com/".
      • createSelfSignedJwtCredentials

        JwtCredentials createSelfSignedJwtCredentials​(java.net.URI uri)
      • createSelfSignedJwtCredentials

        JwtCredentials createSelfSignedJwtCredentials​(java.net.URI uri,
                                                      java.util.Collection<java.lang.String> scopes)
      • getRequestMetadata

        public void getRequestMetadata​(java.net.URI uri,
                                       java.util.concurrent.Executor executor,
                                       RequestMetadataCallback callback)
        Description copied from class: Credentials
        Get the current request metadata without blocking.

        This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.

        The default implementation will just call Credentials.getRequestMetadata(URI) then the callback from the given executor.

        The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.

        Overrides:
        getRequestMetadata in class OAuth2Credentials
        Parameters:
        uri - URI of the entry point for the request.
        executor - Executor to perform the request.
        callback - Callback to execute when the request is finished.
      • getRequestMetadata

        public java.util.Map<java.lang.String,​java.util.List<java.lang.String>> getRequestMetadata​(java.net.URI uri)
                                                                                                  throws java.io.IOException
        Provide the request metadata by putting an access JWT directly in the metadata.
        Overrides:
        getRequestMetadata in class OAuth2Credentials
        Parameters:
        uri - URI of the entry point for the request.
        Returns:
        The request metadata used for populating headers or other context.
        Throws:
        java.io.IOException - if there was an error getting up-to-date access. The exception should implement Retryable and isRetryable() will return true if the operation may be retried.
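
The scoping, lifetime and self-signed JWT behaviour documented in the entries above (createScopedRequired, createScoped, createWithCustomLifetime, getUriForSelfSignedJWT, getRequestMetadata), exercised offline with a throwaway key. This is an added example, not code from the library or its documentation. It assumes google-auth-library-oauth2-http and its google-http-client dependencies (GsonFactory, JsonWebSignature) are on the classpath; the service account email, key ID and class name are constructed placeholders.

```java
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.auth.oauth2.ServiceAccountCredentials;
import java.net.URI;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class ServiceAccountCredentialsExample {

  // Constructed placeholder identity; not a real service account.
  static final String EMAIL = "example-sa@example-project.iam.gserviceaccount.com";
  // Upper bound the documentation gives for tokens used to call a Google API.
  static final int MAX_API_LIFETIME_SECONDS = 3600;

  /** Encodes the private key as the PKCS#8 PEM text that fromPkcs8 accepts. */
  static String toPkcs8Pem(KeyPair pair) {
    String body = Base64.getMimeEncoder(64, new byte[] {'\n'})
        .encodeToString(pair.getPrivate().getEncoded());
    return "-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n";
  }

  /** Hypothetical guard: refuses lifetimes above the 1 hour API limit before cloning. */
  static ServiceAccountCredentials withApiLifetime(ServiceAccountCredentials c, int seconds) {
    if (seconds <= 0 || seconds > MAX_API_LIFETIME_SECONDS) {
      throw new IllegalArgumentException("lifetime must be 1.." + MAX_API_LIFETIME_SECONDS);
    }
    return c.createWithCustomLifetime(seconds);
  }

  public static void main(String[] args) throws Exception {
    // Throwaway RSA key generated in memory so nothing real is embedded here.
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair pair = gen.generateKeyPair();

    // Null scopes: the credential reports that createScoped must be called before use.
    ServiceAccountCredentials unscoped = ServiceAccountCredentials.fromPkcs8(
        null, EMAIL, toPkcs8Pem(pair), "constructed-key-id", null);
    System.out.println("createScopedRequired = " + unscoped.createScopedRequired());

    // Without scopes, getRequestMetadata(uri) puts a self-signed JWT in the
    // metadata, with the uri reduced to https://{host}/ as the audience.
    URI api = URI.create("https://compute.googleapis.com/compute/v1/projects/");
    Map<String, List<String>> headers = unscoped.getRequestMetadata(api);
    String jwt = headers.get("Authorization").get(0).substring("Bearer ".length());

    // Decode the token locally and verify it against the matching public key.
    JsonWebSignature jws = JsonWebSignature.parse(GsonFactory.getDefaultInstance(), jwt);
    JsonWebSignature.Payload claims = jws.getPayload();
    System.out.println("iss = " + claims.getIssuer());
    System.out.println("aud = " + claims.getAudience());
    System.out.println("validity (s) = "
        + (claims.getExpirationTimeSeconds() - claims.getIssuedAtTimeSeconds()));
    System.out.println("signature valid = " + jws.verifySignature(pair.getPublic()));

    // Least privilege: clone with one read-only scope and a 15 minute lifetime.
    // createScoped is declared to return GoogleCredentials; the clone is cast
    // back so the service-account-specific methods stay available.
    ServiceAccountCredentials scoped = (ServiceAccountCredentials) unscoped.createScoped(
        Collections.singletonList("https://www.googleapis.com/auth/devstorage.read_only"));
    scoped = withApiLifetime(scoped, 900);
    System.out.println("scopes = " + scoped.getScopes()
        + ", createScopedRequired = " + scoped.createScopedRequired());
  }
}
```

Nothing here contacts the token server: the self-signed JWT is signed locally, and the scoped clone is never refreshed.
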
      • getMetricsCredentialType

        public CredentialTypeForMetrics getMetricsCredentialType()
        Description copied from class: Credentials
        Gets the credential type used for internal metrics header.

        The default is CredentialTypeForMetrics.DO_NOT_SEND. For a credential that is established to track for metrics, this default should be overridden.

        Overrides:
        getMetricsCredentialType in class Credentials
        Returns:
        an enum value for the credential type
      • shouldUseAssertionFlowForGdu

        boolean shouldUseAssertionFlowForGdu()
      • getRequestMetadataForGdu

        private java.util.Map<java.lang.String,​java.util.List<java.lang.String>> getRequestMetadataForGdu​(java.net.URI uri)
                                                                                                         throws java.io.IOException
        Throws:
        java.io.IOException
      • getRequestMetadataForNonGdu

        private java.util.Map<java.lang.String,​java.util.List<java.lang.String>> getRequestMetadataForNonGdu​(java.net.URI uri)
                                                                                                            throws java.io.IOException
        Throws:
        java.io.IOException
      • getRequestMetadataWithSelfSignedJwt

        private java.util.Map<java.lang.String,​java.util.List<java.lang.String>> getRequestMetadataWithSelfSignedJwt​(java.net.URI uri)
                                                                                                                    throws java.io.IOException
        Provides the access JWT: scoped when scopes are configured, otherwise with the uri as the aud claim.
        Throws:
        java.io.IOException
      • readObject

        private void readObject​(java.io.ObjectInputStream input)
                         throws java.io.IOException,
                                java.lang.ClassNotFoundException
        Throws:
        java.io.IOException
        java.lang.ClassNotFoundException