com.google.auth.oauth2

Class ImpersonatedCredentials

java.lang.Object

com.google.auth.Credentials

com.google.auth.oauth2.OAuth2Credentials

com.google.auth.oauth2.GoogleCredentials

com.google.auth.oauth2.ImpersonatedCredentials

All Implemented Interfaces:

IdTokenProvider, ServiceAccountSigner, Serializable

public class ImpersonatedCredentials
extends GoogleCredentials
implements ServiceAccountSigner, IdTokenProvider

ImpersonatedCredentials allowing credentials issued to a user or service account to impersonate another.
The source project using ImpersonatedCredentials must enable the "IAMCredentials" API.
Also, the target service account must grant the orginating principal the "Service Account Token Creator" IAM role.
Usage:

 String credPath = "/path/to/svc_account.json";
 ServiceAccountCredentials sourceCredentials = ServiceAccountCredentials
     .fromStream(new FileInputStream(credPath));
 sourceCredentials = (ServiceAccountCredentials) sourceCredentials
     .createScoped(Arrays.asList("https://www.googleapis.com/auth/iam"));

 ImpersonatedCredentials targetCredentials = ImpersonatedCredentials.create(sourceCredentials,
     "impersonated-account@project.iam.gserviceaccount.com", null,
     Arrays.asList("https://www.googleapis.com/auth/devstorage.read_only"), 300);

 Storage storage_service = StorageOptions.newBuilder().setProjectId("project-id")
    .setCredentials(targetCredentials).build().getService();

 for (Bucket b : storage_service.list().iterateAll())
     System.out.println(b);
 

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ImpersonatedCredentials.Builder

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials

OAuth2Credentials.CredentialsChangedListener

Nested classes/interfaces inherited from interface com.google.auth.ServiceAccountSigner

ServiceAccountSigner.SigningException

Nested classes/interfaces inherited from interface com.google.auth.oauth2.IdTokenProvider

IdTokenProvider.Option

Method Summary

Modifier and Type	Method and Description
static ImpersonatedCredentials	create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime)
static ImpersonatedCredentials	create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory)
boolean	equals(Object obj)
String	getAccount() Returns the email field of the serviceAccount that is being impersonated.
int	hashCode()
IdToken	idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options) Returns an IdToken for the current Credential.
static ImpersonatedCredentials.Builder	newBuilder()
AccessToken	refreshAccessToken() Method to refresh the access token according to the specific type of credentials.
byte[]	sign(byte[] toSign) Signs the provided bytes using the private key associated with the impersonated service account
ImpersonatedCredentials.Builder	toBuilder()
String	toString()

Methods inherited from class com.google.auth.oauth2.GoogleCredentials

create, createDelegated, createScoped, createScoped, createScopedRequired, fromStream, fromStream, getApplicationDefault, getApplicationDefault

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials

addChangeListener, getAccessToken, getAuthenticationType, getFromServiceLoader, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener

Methods inherited from class com.google.auth.Credentials

blockingGetToCallback, getRequestMetadata

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Method Detail

create

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials,
                                             String targetPrincipal,
                                             List<String> delegates,
                                             List<String> scopes,
                                             int lifetime,
                                             HttpTransportFactory transportFactory)

Parameters:

sourceCredentials - The source credential used as to acquire the impersonated credentials

targetPrincipal - The service account to impersonate.

delegates - The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, sourceCredential must have that role on targetPrincipal.

scopes - Scopes to request during the authorization grant.

lifetime - Number of seconds the delegated credential should be valid for (up to 3600).

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

Returns:

new credentials

create

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials,
                                             String targetPrincipal,
                                             List<String> delegates,
                                             List<String> scopes,
                                             int lifetime)

Parameters:

sourceCredentials - The source credential used as to acquire the impersonated credentials

targetPrincipal - The service account to impersonate.

delegates - The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, sourceCredential must have that role on targetPrincipal.

scopes - Scopes to request during the authorization grant.

lifetime - Number of seconds the delegated credential should be valid for (up to 3600).

Returns:

new credentials

getAccount

public String getAccount()

Returns the email field of the serviceAccount that is being impersonated.

Specified by:

getAccount in interface ServiceAccountSigner

Returns:

email address of the impersonated service account.

sign

public byte[] sign(byte[] toSign)

Signs the provided bytes using the private key associated with the impersonated service account

Specified by:

sign in interface ServiceAccountSigner

Parameters:

toSign - bytes to sign

Returns:

signed bytes

Throws:

SigningException - if the attempt to sign the provided bytes failed

See Also:

Blob Signing

refreshAccessToken

public AccessToken refreshAccessToken()
                               throws IOException

Description copied from class: OAuth2Credentials

Method to refresh the access token according to the specific type of credentials.

Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

Overrides:

refreshAccessToken in class OAuth2Credentials

Returns:

Refreshed access token.

Throws:

IOException - from derived implementations

idTokenWithAudience

@Beta
public IdToken idTokenWithAudience(String targetAudience,
                                         List<IdTokenProvider.Option> options)
                                  throws IOException

Returns an IdToken for the current Credential.

Specified by:

idTokenWithAudience in interface IdTokenProvider

Parameters:

targetAudience - the audience field for the issued ID Token

options - List of Credential specific options for for the token. For example, an IDToken for a ImpersonatedCredentials can return the email address within the token claims if "ImpersonatedCredentials.INCLUDE_EMAIL" is provided as a list option.
Only one option value is supported: "ImpersonatedCredentials.INCLUDE_EMAIL" If no options are set, the default excludes the "includeEmail" attribute in the API request

Returns:

IdToken object which includes the raw id_token, expiration and audience.

Throws:

IOException - if the attempt to get an IdToken failed

hashCode

public int hashCode()

Overrides:

hashCode in class OAuth2Credentials

toString

public String toString()

Overrides:

toString in class OAuth2Credentials

equals

public boolean equals(Object obj)

Overrides:

equals in class OAuth2Credentials

toBuilder

public ImpersonatedCredentials.Builder toBuilder()

Overrides:

toBuilder in class GoogleCredentials

newBuilder

public static ImpersonatedCredentials.Builder newBuilder()