Class ComputeEngineCredentials

    • Field Detail

      • COMPUTE_EXPIRATION_MARGIN

        static final java.time.Duration COMPUTE_EXPIRATION_MARGIN
      • COMPUTE_REFRESH_MARGIN

        static final java.time.Duration COMPUTE_REFRESH_MARGIN
      • LOGGER

        private static final java.util.logging.Logger LOGGER
      • DEFAULT_METADATA_SERVER_URL

        static final java.lang.String DEFAULT_METADATA_SERVER_URL
        See Also:
        Constant Field Values
      • SIGN_BLOB_URL_FORMAT

        static final java.lang.String SIGN_BLOB_URL_FORMAT
        See Also:
        Constant Field Values
      • COMPUTE_PING_CONNECTION_TIMEOUT_MS

        static final int COMPUTE_PING_CONNECTION_TIMEOUT_MS
        See Also:
        Constant Field Values
      • PARSE_ERROR_PREFIX

        private static final java.lang.String PARSE_ERROR_PREFIX
        See Also:
        Constant Field Values
      • PARSE_ERROR_ACCOUNT

        private static final java.lang.String PARSE_ERROR_ACCOUNT
        See Also:
        Constant Field Values
      • transportFactoryClassName

        private final java.lang.String transportFactoryClassName
      • scopes

        private final java.util.Collection<java.lang.String> scopes
      • serviceAccountEmail

        private transient java.lang.String serviceAccountEmail
      • universeDomainFromMetadata

        private java.lang.String universeDomainFromMetadata
    • Method Detail

      • getMetricsCredentialType

        public CredentialTypeForMetrics getMetricsCredentialType()
        Description copied from class: Credentials
        Gets the credential type used for the internal metrics header.

        The default is CredentialTypeForMetrics.DO_NOT_SEND. Credentials that are meant to be tracked in metrics should override this default.

        Overrides:
        getMetricsCredentialType in class Credentials
        Returns:
        an enum value for credential type
      • createScoped

        public GoogleCredentials createScoped(java.util.Collection<java.lang.String> newScopes)
        Clones the compute engine account with the specified scopes.
        Overrides:
        createScoped in class GoogleCredentials
        Parameters:
        newScopes - Collection of scopes to request.
        Returns:
        GoogleCredentials with requested scopes.
      • createScoped

        public GoogleCredentials createScoped(java.util.Collection<java.lang.String> newScopes,
                                              java.util.Collection<java.lang.String> newDefaultScopes)
        Clones the compute engine account with the specified scopes and default scopes.
        Overrides:
        createScoped in class GoogleCredentials
        Parameters:
        newScopes - Collection of scopes to request.
        newDefaultScopes - Collection of default scopes to request.
        Returns:
        GoogleCredentials with requested scopes.
      • create

        public static ComputeEngineCredentials create()
        Create a new ComputeEngineCredentials instance with default behavior.
        Returns:
        new ComputeEngineCredentials
      • getScopes

        public final java.util.Collection<java.lang.String> getScopes()
      • createTokenUrlWithScopes

        java.lang.String createTokenUrlWithScopes()
        If scopes are specified, adds "?scopes=comma-separated-list-of-scopes" to the token URL.
        Returns:
        token URL with the given scopes
      • getUniverseDomain

        public java.lang.String getUniverseDomain()
                                           throws java.io.IOException
        Gets the universe domain from the GCE metadata server.

        Returns an explicit universe domain if it was provided during credential initialization.

        Returns the Credentials.GOOGLE_DEFAULT_UNIVERSE if the universe domain endpoint is not found (404) or returns an empty string.

        Otherwise, returns the universe domain from the GCE metadata service.

        Whichever of the above values is returned is cached for the credential lifetime.

        Overrides:
        getUniverseDomain in class GoogleCredentials
        Returns:
        string representing a universe domain in the format some-domain.xyz
        Throws:
        java.io.IOException - if a call to the GCE metadata service was unsuccessful. If the exception implements Retryable, isRetryable() returns true when the operation may be retried.
      • getUniverseDomainFromMetadata

        private java.lang.String getUniverseDomainFromMetadata()
                                                        throws java.io.IOException
        Throws:
        java.io.IOException
      • refreshAccessToken

        public AccessToken refreshAccessToken()
                                       throws java.io.IOException
        Refreshes the access token by getting it from the GCE metadata server.
        Overrides:
        refreshAccessToken in class OAuth2Credentials
        Returns:
        never
        Throws:
        java.io.IOException
      • idTokenWithAudience

        public IdToken idTokenWithAudience(java.lang.String targetAudience,
                                           java.util.List<IdTokenProvider.Option> options)
                                    throws java.io.IOException
        Returns a Google ID Token from the metadata server on ComputeEngine.
        Specified by:
        idTokenWithAudience in interface IdTokenProvider
        Parameters:
        targetAudience - the aud: field the IdToken should include
        options - list of Credential specific options for the token. For example, an IDToken for a ComputeEngineCredential could have the full formatted claims returned if IdTokenProvider.Option.FORMAT_FULL is provided as a list option. Valid option values are:
        IdTokenProvider.Option.FORMAT_FULL
        IdTokenProvider.Option.LICENSES_TRUE
        If no options are set, the defaults are "&format=standard&licenses=false"
        Returns:
        IdToken object which includes the raw id_token, JsonWebSignature
        Throws:
        java.io.IOException - if the attempt to get an IdToken failed
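An added usage example for idTokenWithAudience, not taken from the library's own documentation: the caller requests a token bound to a single audience with full-format claims, and the receiving service checks signature, expiry, issuer and audience before reading any claim. The audience URL is hypothetical, TokenVerifier is another class in the same library that this page does not document, and the code has to run on a Compute Engine instance to reach the metadata server.

```java
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.IdToken;
import com.google.auth.oauth2.IdTokenProvider;
import com.google.auth.oauth2.TokenVerifier;
import java.io.IOException;
import java.util.Arrays;

// Added example, not library code. Runs only where the GCE metadata server is reachable.
public class IdTokenAudienceExample {

  // Hypothetical audience: the URL of the service that will receive the token.
  static final String AUDIENCE = "https://receiver.example.com";

  // Caller side: request an ID token bound to one audience, with full-format claims.
  static String mintToken() throws IOException {
    ComputeEngineCredentials credentials = ComputeEngineCredentials.create();
    IdToken idToken = credentials.idTokenWithAudience(
        AUDIENCE,
        Arrays.asList(
            IdTokenProvider.Option.FORMAT_FULL,
            IdTokenProvider.Option.LICENSES_TRUE));
    return idToken.getTokenValue(); // raw JWT string to send to the receiver
  }

  // Receiver side: verify signature, expiry, issuer and audience before trusting claims.
  static JsonWebSignature verify(String rawToken) throws TokenVerifier.VerificationException {
    TokenVerifier verifier = TokenVerifier.newBuilder()
        .setAudience(AUDIENCE) // reject tokens minted for any other service
        .setIssuer("https://accounts.google.com")
        .build();
    return verifier.verify(rawToken);
  }

  public static void main(String[] args) throws Exception {
    JsonWebSignature jws = verify(mintToken());
    System.out.println("subject:  " + jws.getPayload().getSubject());
    System.out.println("audience: " + jws.getPayload().getAudience());
    // With FORMAT_FULL the payload carries instance details under the "google" claim.
    System.out.println("google:   " + jws.getPayload().get("google"));
  }
}
```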
      • getMetadataResponse

        private com.google.api.client.http.HttpResponse getMetadataResponse(java.lang.String url,
                                                                            MetricsUtils.RequestType requestType,
                                                                            boolean shouldSendMetricsHeader)
                                                                     throws java.io.IOException
        Throws:
        java.io.IOException
      • isOnGce

        static boolean isOnGce(HttpTransportFactory transportFactory,
                               DefaultCredentialsProvider provider)
        Implements an algorithm to detect whether the code is running on Google Compute Environment (GCE) or an equivalent runtime. See AIP-4115 for more details. The algorithm consists of active and passive checks:

        Active: check that the GCE Metadata service is present by sending an HTTP request to ComputeEngineCredentials.DEFAULT_METADATA_SERVER_URL.

        Passive: check if the SMBIOS variable is present and contains the expected value. This step is platform specific:

        For Linux: check if the file "/sys/class/dmi/id/product_name" exists and contains a line that starts with Google.

        For Windows: to be implemented

        Other platforms: not supported

        This algorithm can be disabled by setting the environment variable DefaultCredentialsProvider.NO_GCE_CHECK_ENV_VAR to true. In this case, the algorithm will always return false.

        Returns true if currently running on Google Compute Environment (GCE) or an equivalent runtime. Returns false if detection fails, the platform is not supported, or detection is disabled using the environment variable.
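The detection steps described for isOnGce, written out as an added JDK-only sketch that is not the library's source. It assumes the passive check is a fallback used when the active check fails, replaces the HTTP request with a hypothetical BooleanSupplier, and feeds constructed product_name contents instead of reading /sys/class/dmi/id/product_name.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.Locale;
import java.util.function.BooleanSupplier;

// Added illustration of the documented detection steps; not the library's source.
public class GceDetectionSketch {

  // Passive Linux check: does any line of product_name start with "Google"?
  static boolean productNameStartsWithGoogle(BufferedReader reader) throws IOException {
    String line;
    while ((line = reader.readLine()) != null) { // an empty file yields no lines
      if (line.startsWith("Google")) {
        return true;
      }
    }
    return false;
  }

  // Assumed order: disable switch first, then active ping, then passive fallback.
  static boolean isOnGce(boolean checkDisabled, BooleanSupplier metadataPing,
                         String osName, BufferedReader productName) throws IOException {
    if (checkDisabled) {
      return false; // NO_GCE_CHECK_ENV_VAR set to true: always false
    }
    if (metadataPing.getAsBoolean()) {
      return true; // active check: the metadata service answered
    }
    if (osName.toLowerCase(Locale.ROOT).startsWith("linux")) {
      return productNameStartsWithGoogle(productName);
    }
    return false; // Windows: to be implemented; other platforms: not supported
  }

  static BufferedReader sample(String content) {
    return new BufferedReader(new StringReader(content));
  }

  public static void main(String[] args) throws IOException {
    BooleanSupplier pingFails = () -> false; // stand-in for an unreachable metadata server
    // Constructed product_name contents, not captured from real machines.
    System.out.println(isOnGce(false, pingFails, "Linux", sample("Google Compute Engine\n")));
    System.out.println(isOnGce(false, pingFails, "Linux", sample("VirtualBox\n")));
    System.out.println(isOnGce(false, pingFails, "Linux", sample("")));
    System.out.println(isOnGce(true, () -> true, "Linux", sample("Google\n")));
    System.out.println(isOnGce(false, pingFails, "Windows 11", sample("Google\n")));
  }
}
```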

      • checkProductNameOnLinux

        static boolean checkProductNameOnLinux(java.io.BufferedReader reader)
                                        throws java.io.IOException
        Throws:
        java.io.IOException
      • getMetadataServerUrl

        public static java.lang.String getMetadataServerUrl()
      • getTokenServerEncodedUrl

        public static java.lang.String getTokenServerEncodedUrl()
      • getUniverseDomainUrl

        public static java.lang.String getUniverseDomainUrl()
      • getServiceAccountsUrl

        public static java.lang.String getServiceAccountsUrl()
      • getIdentityDocumentUrl

        public static java.lang.String getIdentityDocumentUrl()
      • toStringHelper

        protected com.google.common.base.MoreObjects.ToStringHelper toStringHelper()
        Description copied from class: GoogleCredentials
        A helper for overriding the toString() method. This allows inheritance of superclass fields. Extending classes can override this implementation, call the super implementation, and add more fields. The same cannot be done by overriding toString() directly.
        Overrides:
        toStringHelper in class GoogleCredentials
        Returns:
        an instance of the ToStringHelper that has public fields added
      • readObject

        private void readObject(java.io.ObjectInputStream input)
                         throws java.io.IOException,
                                java.lang.ClassNotFoundException
        Throws:
        java.io.IOException
        java.lang.ClassNotFoundException
      • getAccount

        public java.lang.String getAccount()
        Returns the email address associated with the GCE default service account.
        Specified by:
        getAccount in interface ServiceAccountSigner
        Returns:
        The service account associated with the signer.
        Throws:
        java.lang.RuntimeException - if the default service account cannot be read
      • sign

        public byte[] sign(byte[] toSign)
        Signs the provided bytes using the private key associated with the service account.

        The Compute Engine's project must enable the Identity and Access Management (IAM) API and the instance's service account must have the iam.serviceAccounts.signBlob permission.

        Specified by:
        sign in interface ServiceAccountSigner
        Parameters:
        toSign - bytes to sign
        Returns:
        signed bytes
        Throws:
        ServiceAccountSigner.SigningException - if the attempt to sign the provided bytes failed
        See Also:
        Blob Signing
      • getDefaultServiceAccount

        private java.lang.String getDefaultServiceAccount()
                                                   throws java.io.IOException
        Throws:
        java.io.IOException