com.google.auth.oauth2

Class ImpersonatedCredentials

java.lang.Object

com.google.auth.Credentials

com.google.auth.oauth2.OAuth2Credentials

com.google.auth.oauth2.GoogleCredentials

com.google.auth.oauth2.ImpersonatedCredentials

All Implemented Interfaces:

Serializable

public class ImpersonatedCredentials
extends GoogleCredentials

ImpersonatedCredentials allowing credentials issued to a user or service account to impersonate another.
The source project using ImpersonatedCredentials must enable the "IAMCredentials" API.
Also, the target service account must grant the orginating principal the "Service Account Token Creator" IAM role.
Usage:

 String credPath = "/path/to/svc_account.json";
 ServiceAccountCredentials sourceCredentials = ServiceAccountCredentials
     .fromStream(new FileInputStream(credPath));
 sourceCredentials = (ServiceAccountCredentials) sourceCredentials
     .createScoped(Arrays.asList("https://www.googleapis.com/auth/iam"));

 ImpersonatedCredentials targetCredentials = ImpersonatedCredentials.create(sourceCredentials,
     "impersonated-account@project.iam.gserviceaccount.com", null,
     Arrays.asList("https://www.googleapis.com/auth/devstorage.read_only"), 300);

 Storage storage_service = StorageOptions.newBuilder().setProjectId("project-id")
    .setCredentials(targetCredentials).build().getService();

 for (Bucket b : storage_service.list().iterateAll())
     System.out.println(b);
 

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ImpersonatedCredentials.Builder

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials

OAuth2Credentials.CredentialsChangedListener

Method Summary

Modifier and Type	Method and Description
static ImpersonatedCredentials	create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime)
static ImpersonatedCredentials	create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory)
boolean	equals(Object obj)
int	hashCode()
static ImpersonatedCredentials.Builder	newBuilder()
AccessToken	refreshAccessToken() Method to refresh the access token according to the specific type of credentials.
ImpersonatedCredentials.Builder	toBuilder()
String	toString()

Methods inherited from class com.google.auth.oauth2.GoogleCredentials

create, createDelegated, createScoped, createScoped, createScopedRequired, fromStream, fromStream, getApplicationDefault, getApplicationDefault

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials

addChangeListener, getAccessToken, getAuthenticationType, getFromServiceLoader, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener

Methods inherited from class com.google.auth.Credentials

blockingGetToCallback, getRequestMetadata

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Method Detail

create

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials,
                                             String targetPrincipal,
                                             List<String> delegates,
                                             List<String> scopes,
                                             int lifetime,
                                             HttpTransportFactory transportFactory)

Parameters:

sourceCredentials - The source credential used as to acquire the impersonated credentials

targetPrincipal - The service account to impersonate.

delegates - The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, sourceCredential must have that role on targetPrincipal.

scopes - Scopes to request during the authorization grant.

lifetime - Number of seconds the delegated credential should be valid for (up to 3600).

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

create

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials,
                                             String targetPrincipal,
                                             List<String> delegates,
                                             List<String> scopes,
                                             int lifetime)

Parameters:

sourceCredentials - The source credential used as to acquire the impersonated credentials

targetPrincipal - The service account to impersonate.

delegates - The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, sourceCredential must have that role on targetPrincipal.

scopes - Scopes to request during the authorization grant.

lifetime - Number of seconds the delegated credential should be valid for (up to 3600).

refreshAccessToken

public AccessToken refreshAccessToken()
                               throws IOException

Description copied from class: OAuth2Credentials

Method to refresh the access token according to the specific type of credentials. Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

Overrides:

refreshAccessToken in class OAuth2Credentials

Returns:

Refreshed access token.

Throws:

IOException - from derived implementations

hashCode

public int hashCode()

Overrides:

hashCode in class OAuth2Credentials

toString

public String toString()

Overrides:

toString in class OAuth2Credentials

equals

public boolean equals(Object obj)

Overrides:

equals in class OAuth2Credentials

toBuilder

public ImpersonatedCredentials.Builder toBuilder()

Overrides:

toBuilder in class GoogleCredentials

newBuilder

public static ImpersonatedCredentials.Builder newBuilder()