Class DownscopedCredentials

  • All Implemented Interfaces:
    java.io.Serializable

    public final class DownscopedCredentials
    extends OAuth2Credentials
    DownscopedCredentials enables the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions that a short-lived credential can use for Cloud Storage.

    To downscope permissions you must define a CredentialAccessBoundary which specifies the upper bound of permissions that the credential can access. You must also provide a source credential which will be used to acquire the downscoped credential.

    See for more information.

    Usage:

    
     // Source credential: must already hold at least the permissions being restricted.
     GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()
         .createScoped("https://www.googleapis.com/auth/cloud-platform");

     // One rule: objectViewer on a single bucket is the upper bound of what the token may do.
     CredentialAccessBoundary.AccessBoundaryRule rule =
         CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
             .setAvailableResource(
                 "//storage.googleapis.com/projects/_/buckets/bucket")
             .addAvailablePermission("inRole:roles/storage.objectViewer")
             .build();

     DownscopedCredentials downscopedCredentials =
         DownscopedCredentials.newBuilder()
             .setSourceCredential(sourceCredentials)
             .setCredentialAccessBoundary(
                 CredentialAccessBoundary.newBuilder().addRule(rule).build())
             .build();

     // Performs the token exchange; the returned token carries the boundary above.
     AccessToken accessToken = downscopedCredentials.refreshAccessToken();

     // Wrap the downscoped token as non-refreshing credentials.
     OAuth2Credentials credentials = OAuth2Credentials.create(accessToken);

     Storage storage =
         StorageOptions.newBuilder().setCredentials(credentials).build().getService();

     Blob blob = storage.get(BlobId.of("bucket", "object"));
     System.out.printf("Blob %s retrieved.", blob.getBlobId());
     
    Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing an OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.
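    The following is an added example, not part of the library's own documentation or code: a broker-side helper that builds a boundary restricted to a single object prefix (using an AvailabilityCondition with a CEL expression) and wraps the downscoped token in OAuth2CredentialsWithRefresh so that expiry triggers a fresh token exchange instead of a failed request. It assumes the AvailabilityCondition builder and OAuth2CredentialsWithRefresh from the same library; the bucket name and prefix are constructed placeholders.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import java.io.IOException;

/** Broker-side helper: downscoped, auto-refreshing credentials bounded to one bucket prefix. */
public final class DownscopedTokenBroker {
  /** Upper bound: objectViewer on one bucket, further limited to objects under prefix (CEL). */
  static CredentialAccessBoundary boundaryFor(String bucket, String prefix) {
    CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition condition =
        CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder()
            .setExpression(
                "resource.name.startsWith('projects/_/buckets/" + bucket
                    + "/objects/" + prefix + "')")
            .build();
    CredentialAccessBoundary.AccessBoundaryRule rule =
        CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + bucket)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .setAvailabilityCondition(condition)
            .build();
    return CredentialAccessBoundary.newBuilder().addRule(rule).build();
  }

  /** Credentials whose refresh handler re-runs the token exchange when the token expires. */
  static OAuth2CredentialsWithRefresh downscopedWithRefresh(
      GoogleCredentials source, CredentialAccessBoundary boundary) throws IOException {
    DownscopedCredentials downscoped =
        DownscopedCredentials.newBuilder()
            .setSourceCredential(source)
            .setCredentialAccessBoundary(boundary)
            .build();
    // Only the downscoped token is handed to callers; the source credential stays in the broker.
    return OAuth2CredentialsWithRefresh.newBuilder()
        .setAccessToken(downscoped.refreshAccessToken())
        .setRefreshHandler(downscoped::refreshAccessToken)
        .build();
  }

  public static void main(String[] args) throws IOException {
    // "example-bucket" and "customer-a/" are placeholders constructed for this example.
    GoogleCredentials source = GoogleCredentials.getApplicationDefault()
        .createScoped("https://www.googleapis.com/auth/cloud-platform");
    OAuth2CredentialsWithRefresh creds =
        downscopedWithRefresh(source, boundaryFor("example-bucket", "customer-a/"));
    System.out.println("Downscoped token expires at " + creds.getAccessToken().getExpirationTime());
  }
}
```

    The returned credentials can be passed to StorageOptions exactly as in the usage snippet above; a consumer holding them can read only objects under the prefix, regardless of what the source credential is allowed to do.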
    See Also:
    Serialized Form
    • Field Detail

      • TOKEN_EXCHANGE_URL_FORMAT

        private final java.lang.String TOKEN_EXCHANGE_URL_FORMAT
        See Also:
        Constant Field Values
      • universeDomain

        private final java.lang.String universeDomain
      • tokenExchangeEndpoint

        private final java.lang.String tokenExchangeEndpoint
    • Method Detail

      • refreshAccessToken

        public AccessToken refreshAccessToken()
                                       throws java.io.IOException
        Description copied from class: OAuth2Credentials
        Method to refresh the access token according to the specific type of credentials.

        Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

        Overrides:
        refreshAccessToken in class OAuth2Credentials
        Returns:
        never
        Throws:
        java.io.IOException
      • getUniverseDomain

        public java.lang.String getUniverseDomain()
        Returns the universe domain for the credential.
        Overrides:
        getUniverseDomain in class Credentials
        Returns:
        An explicit universe domain if it was explicitly provided, otherwise the default Google universe will be returned.