Class ComputeEngineCredentials

All Implemented Interfaces:
IdTokenProvider, QuotaProjectIdProvider, ServiceAccountSigner, Serializable

public class ComputeEngineCredentials extends GoogleCredentials implements ServiceAccountSigner, IdTokenProvider
OAuth2 credentials representing the built-in service account for a Google Compute Engine VM.

Fetches access tokens from the Google Compute Engine metadata server.

These credentials use the IAM API to sign data. See sign(byte[]) for more details.

  • Method Details

    • getMetricsCredentialType

      public CredentialTypeForMetrics getMetricsCredentialType()
      Description copied from class: Credentials
      Gets the credential type used for internal metrics header.

      The default is CredentialTypeForMetrics.DO_NOT_SEND. For a credential that is established to track for metrics, this default should be overridden.

      Overrides:
      getMetricsCredentialType in class Credentials
      Returns:
      an enum value for the credential type
    • createScoped

      public GoogleCredentials createScoped(Collection<String> newScopes)
      Clones the compute engine account with the specified scopes.
      Overrides:
      createScoped in class GoogleCredentials
      Parameters:
      newScopes - Collection of scopes to request.
      Returns:
      GoogleCredentials with requested scopes.
    • createScoped

      public GoogleCredentials createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes)
      Clones the compute engine account with the specified scopes and default scopes.
      Overrides:
      createScoped in class GoogleCredentials
      Parameters:
      newScopes - Collection of scopes to request.
      newDefaultScopes - Collection of default scopes to request.
      Returns:
      GoogleCredentials with requested scopes.
    • create

      public static ComputeEngineCredentials create()
      Create a new ComputeEngineCredentials instance with default behavior.
      Returns:
      new ComputeEngineCredentials
    • getScopes

      public final Collection<String> getScopes()
    • createTokenUrlWithScopes

      String createTokenUrlWithScopes()
      If scopes are specified, appends "?scopes=comma-separated-list-of-scopes" to the token URL.
      Returns:
      token URL with the given scopes
    • getUniverseDomain

      public String getUniverseDomain() throws IOException
      Gets the universe domain from the GCE metadata server.

      Returns an explicit universe domain if it was provided during credential initialization.

      Returns Credentials.GOOGLE_DEFAULT_UNIVERSE if the universe domain endpoint is not found (404) or returns an empty string.

      Otherwise, returns the universe domain from the GCE metadata service.

      Whichever value is resolved is cached for the lifetime of the credential.

      Overrides:
      getUniverseDomain in class GoogleCredentials
      Returns:
      string representing a universe domain in the format some-domain.xyz
      Throws:
      IOException - if a call to the GCE metadata service was unsuccessful. If the exception implements Retryable, its isRetryable() returns true when the operation may be retried.
    • getUniverseDomainFromMetadata

      private String getUniverseDomainFromMetadata() throws IOException
      Throws:
      IOException
    • refreshAccessToken

      public AccessToken refreshAccessToken() throws IOException
      Refreshes the access token by fetching it from the GCE metadata server.
      Overrides:
      refreshAccessToken in class OAuth2Credentials
      Returns:
      the refreshed AccessToken obtained from the metadata server
      Throws:
      IOException
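The create, createScoped and refreshAccessToken entries above are used together in practice. The following is an added example, not code from the library or from this page: it narrows the VM's credentials to a single read-only Cloud Storage scope, fetches a token, and retries only when the IOException implements Retryable and reports itself as retryable. It assumes it runs on a GCE VM with an attached service account; the scope URL, the attempt count and the back-off schedule are illustrative choices. refreshIfExpired() and getAccessToken() are the inherited OAuth2Credentials methods; refreshIfExpired() is what ends up calling refreshAccessToken().

```java
import com.google.auth.Retryable;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.util.Collections;

public final class ComputeTokenExample {

  // Illustrative scope (assumption): read-only Cloud Storage, far narrower than cloud-platform.
  static final String STORAGE_RO = "https://www.googleapis.com/auth/devstorage.read_only";

  public static void main(String[] args) throws IOException {
    // Credentials for the VM's attached service account. No network call happens here;
    // the metadata server is contacted only when a token is actually needed.
    ComputeEngineCredentials base = ComputeEngineCredentials.create();

    // Ask the metadata server for a token carrying only this scope (it is appended to the
    // token URL as ?scopes=...), so a leaked token cannot be used beyond it.
    GoogleCredentials scoped = base.createScoped(Collections.singletonList(STORAGE_RO));

    AccessToken token = fetchWithRetry(scoped, 3);
    System.out.println("token for " + base.getAccount() + " expires at " + token.getExpirationTime());
  }

  /**
   * Refreshes the token, retrying only when the failure is marked retryable by the library
   * (the IOException implements com.google.auth.Retryable and isRetryable() is true).
   */
  static AccessToken fetchWithRetry(GoogleCredentials creds, int maxAttempts) throws IOException {
    IOException last = null;
    for (int attempt = 1; attempt <= maxAttempts; attempt++) {
      try {
        creds.refreshIfExpired();       // calls refreshAccessToken() only if needed
        return creds.getAccessToken();
      } catch (IOException e) {
        last = e;
        boolean retryable = e instanceof Retryable && ((Retryable) e).isRetryable();
        if (!retryable) {
          throw e;                      // give up immediately on non-retryable failures
        }
        backoff(attempt);
      }
    }
    throw last;
  }

  private static void backoff(int attempt) {
    try {
      Thread.sleep(200L << attempt);    // 400 ms, 800 ms, 1.6 s, ...
    } catch (InterruptedException ie) {
      Thread.currentThread().interrupt();
    }
  }
}
```

Run it on the VM with the google-auth-library-oauth2-http artifact on the classpath. Off a VM, the metadata host does not resolve and the first refresh fails with an IOException; whether that one is retryable depends on how the library classifies the transport error, so the loop above never retries blindly.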
    • idTokenWithAudience

      public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options) throws IOException
      Returns a Google ID token from the metadata server on Compute Engine.
      Specified by:
      idTokenWithAudience in interface IdTokenProvider
      Parameters:
      targetAudience - the aud claim the ID token should carry
      options - list of credential-specific options for the token. For example, an ID token from ComputeEngineCredentials carries the fully formatted claims if IdTokenProvider.Option.FORMAT_FULL is passed in the list. Valid option values are:
      IdTokenProvider.Option.FORMAT_FULL
      IdTokenProvider.Option.LICENSES_TRUE
      If no options are set, the defaults are "&format=standard&licenses=false".
      Returns:
      IdToken object which includes the raw id_token, JsonWebSignature
      Throws:
      IOException - if the attempt to get an IdToken failed
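An added example of idTokenWithAudience (not code from the library or this page): it requests an ID token for a hypothetical Cloud Run URL with FORMAT_FULL, decodes the returned JsonWebSignature and refuses to use the token unless its aud claim is exactly the audience asked for, then wraps the same provider in IdTokenCredentials so later calls get cached and refreshed tokens. The audience URL is invented; IdTokenCredentials and its builder methods are the library's public API, and the receiving service is still expected to verify the token signature itself.

```java
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.IdToken;
import com.google.auth.oauth2.IdTokenCredentials;
import com.google.auth.oauth2.IdTokenProvider;
import java.io.IOException;
import java.util.Collections;
import java.util.List;

public final class ComputeIdTokenExample {

  // Hypothetical audience: the URL of the service this token will be presented to.
  static final String AUDIENCE = "https://example-service-abc123-uc.a.run.app";

  public static void main(String[] args) throws IOException {
    ComputeEngineCredentials creds = ComputeEngineCredentials.create();

    // FORMAT_FULL adds the instance/project claims; the default is format=standard.
    List<IdTokenProvider.Option> options =
        Collections.singletonList(IdTokenProvider.Option.FORMAT_FULL);
    IdToken idToken = creds.idTokenWithAudience(AUDIENCE, options);

    // Decode (not verify) the JWT to inspect its claims before presenting it anywhere.
    JsonWebSignature jws = idToken.getJsonWebSignature();
    JsonWebSignature.Payload payload = jws.getPayload();
    checkAudience(payload, AUDIENCE);
    System.out.println("iss=" + payload.getIssuer()
        + " sub=" + payload.getSubject()
        + " email=" + payload.get("email")
        + " exp=" + payload.getExpirationTimeSeconds());

    // For repeated calls, let IdTokenCredentials cache and refresh the token for us.
    IdTokenCredentials caller = IdTokenCredentials.newBuilder()
        .setIdTokenProvider(creds)
        .setTargetAudience(AUDIENCE)
        .setOptions(options)
        .build();
    caller.refreshIfExpired();
    String bearer = caller.getAccessToken().getTokenValue(); // goes in "Authorization: Bearer"
    System.out.println("bearer token length: " + bearer.length());
  }

  /** aud may be a single string or a list; accept only an exact match with what we requested. */
  static void checkAudience(JsonWebSignature.Payload payload, String expected) {
    Object aud = payload.getAudience();
    boolean ok;
    if (aud instanceof String) {
      ok = expected.equals(aud);
    } else if (aud instanceof List) {
      ok = ((List<?>) aud).contains(expected);
    } else {
      ok = false;
    }
    if (!ok) {
      throw new IllegalStateException("ID token aud claim " + aud + " does not match " + expected);
    }
  }
}
```

The audience check on the client side is a sanity check against a wrong targetAudience being wired in; it does not replace signature verification, which belongs to the service that consumes the token.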
    • getMetadataResponse

      private com.google.api.client.http.HttpResponse getMetadataResponse(String url, MetricsUtils.RequestType requestType, boolean shouldSendMetricsHeader) throws IOException
      Throws:
      IOException
    • isOnGce

      static boolean isOnGce(HttpTransportFactory transportFactory, DefaultCredentialsProvider provider)
      Implements an algorithm to detect whether the code is running on Google Compute Engine (GCE) or an equivalent runtime. See AIP-4115 for more details. The algorithm consists of an active and a passive check:
      Active: checks that the GCE metadata service is present by sending an HTTP request to ComputeEngineCredentials.DEFAULT_METADATA_SERVER_URL.

      Passive: checks whether the SMBIOS product name is present and contains the expected value. This step is platform specific:

      For Linux: check whether the file "/sys/class/dmi/id/product_name" exists and contains a line that starts with Google.

      For Windows: to be implemented

      Other platforms: not supported

      Detection can be disabled by setting the environment variable DefaultCredentialsProvider.NO_GCE_CHECK_ENV_VAR to true; in that case the algorithm always returns false.

      Returns true if currently running on GCE or an equivalent runtime. Returns false if detection fails, the platform is not supported, or detection is disabled via the environment variable.
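A stand-alone reimplementation of the detection algorithm described above, added here as an example; it is not the library's isOnGce and has no dependency on it. It assumes the environment variable names NO_GCE_CHECK and GCE_METADATA_HOST (the library's constants are not spelled out on this page) and that the real metadata server answers a request carrying "Metadata-Flavor: Google" with the same header in its response, which is what makes the active check more than a plain connectivity test. Windows is left unimplemented, matching the description.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class GceDetect {

  // Default metadata host; GCE_METADATA_HOST as an override is an assumption about the library.
  static final String DEFAULT_METADATA_HOST = "metadata.google.internal";
  static final String PRODUCT_NAME_FILE = "/sys/class/dmi/id/product_name";

  /** Mirrors the documented algorithm: opt-out variable, then active ping, then passive SMBIOS check. */
  static boolean isOnGce() {
    if ("true".equalsIgnoreCase(System.getenv("NO_GCE_CHECK"))) {
      return false;                                  // detection disabled by the operator
    }
    return pingMetadata() || productNameIsGoogle();
  }

  /** Active check: the metadata server must answer 200 and echo the Metadata-Flavor header. */
  static boolean pingMetadata() {
    String host = System.getenv().getOrDefault("GCE_METADATA_HOST", DEFAULT_METADATA_HOST);
    try {
      HttpURLConnection conn = (HttpURLConnection) new URL("http://" + host).openConnection();
      conn.setConnectTimeout(500);                   // link-local host; fail fast off-platform
      conn.setReadTimeout(500);
      conn.setRequestProperty("Metadata-Flavor", "Google");
      conn.connect();
      boolean ok = conn.getResponseCode() == HttpURLConnection.HTTP_OK
          && "Google".equals(conn.getHeaderField("Metadata-Flavor"));
      conn.disconnect();
      return ok;
    } catch (IOException e) {
      return false;                                  // unreachable or not a metadata server
    }
  }

  /** Passive check (Linux only): a product_name line starting with "Google". */
  static boolean productNameIsGoogle() {
    String os = System.getProperty("os.name", "").toLowerCase();
    if (!os.contains("linux")) {
      return false;                                  // Windows: to be implemented; others unsupported
    }
    Path file = Paths.get(PRODUCT_NAME_FILE);
    if (!Files.isReadable(file)) {
      return false;
    }
    try {
      for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
        if (line.startsWith("Google")) {
          return true;
        }
      }
    } catch (IOException e) {
      // fall through: treat an unreadable DMI file as "not detected"
    }
    return false;
  }

  public static void main(String[] args) {
    System.out.println("on GCE: " + isOnGce());
  }
}
```

The two checks fail in different ways: the active ping is blocked when egress to the metadata host is firewalled (common in hardened images), while the passive check cannot distinguish a GCE VM from a container on that VM with /sys mounted. Using both, as the documented algorithm does, covers each gap.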

    • checkProductNameOnLinux

      static boolean checkProductNameOnLinux(BufferedReader reader) throws IOException
      Throws:
      IOException
    • checkStaticGceDetection

      static boolean checkStaticGceDetection(DefaultCredentialsProvider provider)
    • pingComputeEngineMetadata

      private static boolean pingComputeEngineMetadata(HttpTransportFactory transportFactory, DefaultCredentialsProvider provider)
    • getMetadataServerUrl

      public static String getMetadataServerUrl(DefaultCredentialsProvider provider)
    • getMetadataServerUrl

      public static String getMetadataServerUrl()
    • getTokenServerEncodedUrl

      public static String getTokenServerEncodedUrl(DefaultCredentialsProvider provider)
    • getTokenServerEncodedUrl

      public static String getTokenServerEncodedUrl()
    • getUniverseDomainUrl

      public static String getUniverseDomainUrl()
    • getServiceAccountsUrl

      public static String getServiceAccountsUrl()
    • getIdentityDocumentUrl

      public static String getIdentityDocumentUrl()
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class GoogleCredentials
    • toStringHelper

      protected com.google.common.base.MoreObjects.ToStringHelper toStringHelper()
      Description copied from class: GoogleCredentials
      A helper for overriding the toString() method. This allows inheritance of superclass fields: extending classes can override this implementation, call the super implementation and add more fields. The same cannot be done by overriding toString() directly.
      Overrides:
      toStringHelper in class GoogleCredentials
      Returns:
      an instance of the ToStringHelper that has public fields added
    • equals

      public boolean equals(Object obj)
      Overrides:
      equals in class GoogleCredentials
    • readObject

      private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException
      Throws:
      IOException
      ClassNotFoundException
    • toBuilder

      public ComputeEngineCredentials.Builder toBuilder()
      Overrides:
      toBuilder in class GoogleCredentials
    • newBuilder

      public static ComputeEngineCredentials.Builder newBuilder()
    • getAccount

      public String getAccount()
      Returns the email address associated with the GCE default service account.
      Specified by:
      getAccount in interface ServiceAccountSigner
      Returns:
      The service account associated with the signer.
      Throws:
      RuntimeException - if the default service account cannot be read
    • sign

      public byte[] sign(byte[] toSign)
      Signs the provided bytes using the private key associated with the service account.

      The project that owns the Compute Engine instance must have the Identity and Access Management (IAM) API enabled, and the instance's service account must hold the iam.serviceAccounts.signBlob permission.

      Specified by:
      sign in interface ServiceAccountSigner
      Parameters:
      toSign - bytes to sign
      Returns:
      signed bytes
      Throws:
      ServiceAccountSigner.SigningException - if the attempt to sign the provided bytes failed
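An added example of sign(byte[]) and getAccount() together (not code from the library or this page): it signs a constructed payload through the IAM API, handles the SigningException that results when the IAM API is disabled or the signBlob permission is missing, and then checks the signature against the service account's published X.509 certificates. Two things here are assumptions not stated on the page: that the certificates are served at https://www.googleapis.com/service_accounts/v1/metadata/x509/<account> as a JSON map of key id to PEM, and that signBlob produces an RSA-SHA256 PKCS#1 v1.5 signature, which is why SHA256withRSA is used. GsonFactory and GenericJson come from the google-http-client dependency the auth library already pulls in.

```java
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.auth.ServiceAccountSigner.SigningException;
import com.google.auth.oauth2.ComputeEngineCredentials;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Map;

public final class ComputeSignExample {

  // Assumed public endpoint serving {"<key id>": "<PEM certificate>", ...} for a service account.
  static final String CERTS_URL = "https://www.googleapis.com/service_accounts/v1/metadata/x509/";

  public static void main(String[] args) throws IOException, GeneralSecurityException {
    ComputeEngineCredentials creds = ComputeEngineCredentials.create();
    byte[] message = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

    byte[] signature;
    try {
      signature = creds.sign(message);   // one IAM signBlob round trip per call; no key leaves Google
    } catch (SigningException e) {
      // Typical causes: IAM API not enabled on the project, or the VM's service account
      // lacks iam.serviceAccounts.signBlob on itself.
      System.err.println("signBlob failed: " + e.getMessage());
      return;
    }

    String account = creds.getAccount();   // email of the attached service account
    System.out.println(account + " signature verifies: " + verify(account, message, signature));
  }

  /**
   * Verifies the signature against every currently published certificate for the account,
   * since sign() does not return the key id that was used. Assumes RSA-SHA256 PKCS#1 v1.5.
   */
  static boolean verify(String account, byte[] message, byte[] signature)
      throws IOException, GeneralSecurityException {
    GenericJson certs;
    try (InputStream in = new URL(CERTS_URL + account).openStream()) {
      certs = GsonFactory.getDefaultInstance().fromInputStream(in, GenericJson.class);
    }
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    for (Map.Entry<String, Object> entry : certs.entrySet()) {
      byte[] pem = ((String) entry.getValue()).getBytes(StandardCharsets.US_ASCII);
      X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem));
      Signature verifier = Signature.getInstance("SHA256withRSA");
      verifier.initVerify(cert.getPublicKey());
      verifier.update(message);
      if (verifier.verify(signature)) {
        return true;                       // this key id produced the signature
      }
    }
    return false;
  }
}
```

Each sign() call is a remote IAM request, so anything that signs in a hot path (per-request signed URLs, for instance) should expect IAM quota and latency to apply, and a verifier on the other side should pin the account email it trusts rather than accept any certificate the endpoint happens to serve.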
    • getDefaultServiceAccount

      private String getDefaultServiceAccount() throws IOException
      Throws:
      IOException