Class ExternalAccountCredentials

All Implemented Interfaces:
QuotaProjectIdProvider, Serializable
Direct Known Subclasses:
AwsCredentials, IdentityPoolCredentials, PluggableAuthCredentials

public abstract class ExternalAccountCredentials extends GoogleCredentials
Base external account credentials class.

Handles initializing external credentials, calls to the Security Token Service, and service account impersonation.

  • Constructor Details

    • ExternalAccountCredentials

      protected ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, @Nullable String tokenInfoUrl, @Nullable String serviceAccountImpersonationUrl, @Nullable String quotaProjectId, @Nullable String clientId, @Nullable String clientSecret, @Nullable Collection<String> scopes)
      Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.
      Parameters:
      transportFactory - HTTP transport factory, creates the transport used to get access tokens
      audience - the Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider
      subjectTokenType - the Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file
      tokenUrl - the Security Token Service token exchange endpoint
      credentialSource - the external credential source
      tokenInfoUrl - the endpoint used to retrieve account-related information. Required for gcloud session account identification.
      serviceAccountImpersonationUrl - the URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null.
      quotaProjectId - the project used for quota and billing purposes. May be null.
      clientId - client ID of the service account from the console. May be null.
      clientSecret - client secret of the service account from the console. May be null.
      scopes - the scopes to request during the authorization grant. May be null.
    • ExternalAccountCredentials

      protected ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, @Nullable String tokenInfoUrl, @Nullable String serviceAccountImpersonationUrl, @Nullable String quotaProjectId, @Nullable String clientId, @Nullable String clientSecret, @Nullable Collection<String> scopes, @Nullable EnvironmentProvider environmentProvider)
      Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.
      Parameters:
      transportFactory - HTTP transport factory, creates the transport used to get access tokens
      audience - the Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider
      subjectTokenType - the Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file
      tokenUrl - the Security Token Service token exchange endpoint
      credentialSource - the external credential source
      tokenInfoUrl - the endpoint used to retrieve account-related information. Required for gcloud session account identification.
      serviceAccountImpersonationUrl - the URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null.
      quotaProjectId - the project used for quota and billing purposes. May be null.
      clientId - client ID of the service account from the console. May be null.
      clientSecret - client secret of the service account from the console. May be null.
      scopes - the scopes to request during the authorization grant. May be null.
      environmentProvider - the environment provider. May be null. Defaults to SystemEnvironmentProvider.
    • ExternalAccountCredentials

      protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)
      Internal constructor with minimum identifying information and custom HTTP transport. See ExternalAccountCredentials.Builder.
      Parameters:
      builder - the Builder object used to construct the credentials.
  • Method Details

    • buildImpersonatedCredentials

      ImpersonatedCredentials buildImpersonatedCredentials()
    • getRequestMetadata

      public void getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)
      Description copied from class: Credentials
      Get the current request metadata without blocking.

      This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.

      The default implementation will just call Credentials.getRequestMetadata(URI) then the callback from the given executor.

      The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.

      Overrides:
      getRequestMetadata in class OAuth2Credentials
      Parameters:
      uri - URI of the entry point for the request.
      executor - Executor to perform the request.
      callback - Callback to execute when the request is finished.
    • getUniverseDomain

      public String getUniverseDomain()
      Description copied from class: GoogleCredentials
      Gets the universe domain for the credential.
      Overrides:
      getUniverseDomain in class GoogleCredentials
      Returns:
      the universe domain if one was explicitly provided; otherwise the value returned by the superclass implementation
    • getRequestMetadata

      public Map<String,List<String>> getRequestMetadata(URI uri) throws IOException
      Description copied from class: OAuth2Credentials
      Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.
      Overrides:
      getRequestMetadata in class OAuth2Credentials
      Parameters:
      uri - URI of the entry point for the request.
      Returns:
      The request metadata used for populating headers or other context.
      Throws:
      IOException - if there was an error getting up-to-date access. The exception should implement Retryable and isRetryable() will return true if the operation may be retried.
    • fromStream

      public static ExternalAccountCredentials fromStream(InputStream credentialsStream) throws IOException
      Returns credentials defined by a JSON file stream.

      Returns an IdentityPoolCredentials, AwsCredentials or PluggableAuthCredentials instance, chosen from the credential source in the JSON.

      Parameters:
      credentialsStream - the stream with the credential definition
      Returns:
      the credential defined by the credentialsStream
      Throws:
      IOException - if the credential cannot be created from the stream
    • fromStream

      public static ExternalAccountCredentials fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory) throws IOException
      Returns credentials defined by a JSON file stream.

      Returns an IdentityPoolCredentials, AwsCredentials or PluggableAuthCredentials instance, chosen from the credential source in the JSON.

      Parameters:
      credentialsStream - the stream with the credential definition
      transportFactory - the HTTP transport factory used to create the transport to get access tokens
      Returns:
      the credential defined by the credentialsStream
      Throws:
      IOException - if the credential cannot be created from the stream
    • fromJson

      static ExternalAccountCredentials fromJson(Map<String,Object> json, HttpTransportFactory transportFactory)
      Returns external account credentials defined by JSON using the format generated by gcloud.
      Parameters:
      json - a map from the JSON representing the credentials
      transportFactory - HTTP transport factory, creates the transport used to get access tokens
      Returns:
      the credentials defined by the JSON
    • isPluggableAuthCredential

      private static boolean isPluggableAuthCredential(Map<String,Object> credentialSource)
    • isAwsCredential

      private static boolean isAwsCredential(Map<String,Object> credentialSource)
    • shouldBuildImpersonatedCredential

      private boolean shouldBuildImpersonatedCredential()
    • exchangeExternalCredentialForAccessToken

      protected AccessToken exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest stsTokenExchangeRequest) throws IOException
      Exchanges the external credential for a Google Cloud access token.
      Parameters:
      stsTokenExchangeRequest - the Security Token Service token exchange request
      Returns:
      the access token returned by the Security Token Service
      Throws:
      OAuthException - if the Security Token Service rejects the exchange
      IOException - if an I/O error occurs while making the exchange request
    • retrieveSubjectToken

      public abstract String retrieveSubjectToken() throws IOException
      Retrieves the external subject token to be exchanged for a Google Cloud access token.

      Must be implemented by subclasses as the retrieval method is dependent on the credential source.

      Returns:
      the external subject token
      Throws:
      IOException - if the subject token cannot be retrieved
    • getAudience

      public String getAudience()
    • getSubjectTokenType

      public String getSubjectTokenType()
    • getTokenUrl

      public String getTokenUrl()
    • getTokenInfoUrl

      public String getTokenInfoUrl()
    • getCredentialSource

      public ExternalAccountCredentials.CredentialSource getCredentialSource()
    • readObject

      private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException
      Throws:
      IOException
      ClassNotFoundException
    • getServiceAccountImpersonationUrl

      @Nullable public String getServiceAccountImpersonationUrl()
    • getServiceAccountEmail

      @Nullable public String getServiceAccountEmail()
      Returns:
      The service account email to be impersonated, if available
    • getClientId

      @Nullable public String getClientId()
    • getClientSecret

      @Nullable public String getClientSecret()
    • getScopes

      @Nullable public Collection<String> getScopes()
    • getWorkforcePoolUserProject

      @Nullable public String getWorkforcePoolUserProject()
    • getServiceAccountImpersonationOptions

      @Nullable public ExternalAccountCredentials.ServiceAccountImpersonationOptions getServiceAccountImpersonationOptions()
    • getCredentialSourceType

      String getCredentialSourceType()
    • getEnvironmentProvider

      EnvironmentProvider getEnvironmentProvider()
    • isWorkforcePoolConfiguration

      public boolean isWorkforcePoolConfiguration()
      Returns:
      whether the current configuration is for Workforce Pools (which federate third-party user identities rather than workloads)
    • validateTokenUrl

      static void validateTokenUrl(String tokenUrl)
    • validateServiceAccountImpersonationInfoUrl

      static void validateServiceAccountImpersonationInfoUrl(String serviceAccountImpersonationUrl)
    • isValidUrl

      private static boolean isValidUrl(String url)
      Returns true if the provided URL's scheme is valid and is HTTPS.
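The following program is an added example written for this page; it is not code from the google-auth-library-java project or from the Javadoc above. It ties together the class description, fromStream and the public getters: it parses an external_account configuration from a stream, reports which concrete subclass fromStream selected, and applies a deployment policy on top of the library's own HTTPS-only URL validation. Assumptions made by the example: the JSON key names follow the format gcloud generates (type, audience, subject_token_type, token_url, service_account_impersonation_url, credential_source); the project number, pool, provider, token file path and service account e-mail are placeholders; the pinned hosts sts.<universe domain> and iamcredentials.<universe domain> and the impersonation-target check are this example's policy, not the library's; and a non-HTTPS token_url is assumed to surface from fromStream as an IllegalArgumentException from validateTokenUrl.

```java
import com.google.auth.oauth2.AwsCredentials;
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.IdentityPoolCredentials;
import com.google.auth.oauth2.PluggableAuthCredentials;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Collection;

/** Loads an external_account config and checks it before it is allowed to talk to STS. */
public final class ExternalAccountConfigCheck {

  // Constructed sample in the JSON shape gcloud writes for workload identity federation.
  // Project number, pool, provider, token path and service account are placeholders.
  static final String WORKLOAD_CONFIG = String.join("\n",
      "{",
      "  \"type\": \"external_account\",",
      "  \"audience\": \"//iam.googleapis.com/projects/123456789012/locations/global/"
          + "workloadIdentityPools/example-pool/providers/example-provider\",",
      "  \"subject_token_type\": \"urn:ietf:params:oauth:token-type:jwt\",",
      "  \"token_url\": \"https://sts.googleapis.com/v1/token\",",
      "  \"service_account_impersonation_url\": \"https://iamcredentials.googleapis.com/v1/"
          + "projects/-/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com:generateAccessToken\",",
      "  \"credential_source\": {",
      "    \"file\": \"/var/run/secrets/tokens/oidc-token\",",
      "    \"format\": { \"type\": \"text\" }",
      "  }",
      "}");

  // Same config with the STS endpoint downgraded to plain HTTP, as a tampered file might look.
  static final String TAMPERED_CONFIG =
      WORKLOAD_CONFIG.replace("https://sts.googleapis.com", "http://sts.googleapis.com");

  /** Parses the config only; no subject token is read and no exchange happens yet. */
  static ExternalAccountCredentials load(String json) throws IOException {
    return ExternalAccountCredentials.fromStream(
        new ByteArrayInputStream(json.getBytes(StandardCharsets.UTF_8)));
  }

  /** Names the concrete subclass that fromStream chose from credential_source. */
  static String sourceKind(ExternalAccountCredentials creds) {
    if (creds instanceof AwsCredentials) {
      return "aws";
    }
    if (creds instanceof PluggableAuthCredentials) {
      return "executable";
    }
    if (creds instanceof IdentityPoolCredentials) {
      return "identity-pool";
    }
    return creds.getClass().getSimpleName();
  }

  /**
   * Deployment policy for a loaded credential (this example's policy, not the library's).
   * The library only requires HTTPS; pinning the hosts keeps a tampered config from
   * sending the subject token to a foreign STS or impersonation endpoint.
   */
  static void enforcePolicy(ExternalAccountCredentials creds, String expectedServiceAccount)
      throws IOException {
    String universe = creds.getUniverseDomain(); // "googleapis.com" unless set explicitly
    requireHost(creds.getTokenUrl(), "sts." + universe, "token_url");

    String impersonationUrl = creds.getServiceAccountImpersonationUrl();
    if (impersonationUrl == null) {
      // Without impersonation the STS token is used directly and acts as the federated
      // principal itself; this policy accepts that only for workforce (human) identities.
      if (!creds.isWorkforcePoolConfiguration()) {
        throw new IllegalStateException("workload config must name an impersonation target");
      }
      return;
    }
    requireHost(impersonationUrl, "iamcredentials." + universe,
        "service_account_impersonation_url");
    String email = creds.getServiceAccountEmail();
    if (!expectedServiceAccount.equals(email)) {
      throw new IllegalStateException("unexpected impersonation target: " + email);
    }
    Collection<String> scopes = creds.getScopes();
    if (scopes != null && scopes.contains("https://www.googleapis.com/auth/cloud-platform")) {
      System.err.println("warning: cloud-platform scope requested; prefer narrower scopes");
    }
  }

  private static void requireHost(String url, String expectedHost, String field) {
    URI uri = URI.create(url);
    if (!"https".equals(uri.getScheme()) || !expectedHost.equals(uri.getHost())) {
      throw new IllegalStateException(field + " must be https://" + expectedHost + "/...: " + url);
    }
  }

  public static void main(String[] args) throws IOException {
    ExternalAccountCredentials creds = load(WORKLOAD_CONFIG);
    System.out.println("source: " + sourceKind(creds)
        + ", workforce: " + creds.isWorkforcePoolConfiguration()
        + ", impersonates: " + creds.getServiceAccountEmail());
    enforcePolicy(creds, "app-sa@example-project.iam.gserviceaccount.com");

    try {
      load(TAMPERED_CONFIG); // validateTokenUrl rejects a non-HTTPS STS endpoint
      System.out.println("unexpected: tampered config accepted");
    } catch (IllegalArgumentException e) {
      System.out.println("tampered config rejected at load time: " + e.getMessage());
    }
  }
}
```

The policy runs entirely offline: fromStream only parses the JSON, so the subject token file is never opened and no request reaches the Security Token Service or the impersonation endpoint until getRequestMetadata is first called. That makes this a cheap place to reject a config whose token_url or impersonation target has been changed, before any federated token leaves the process.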