Class ComputeEngineCredentials

All Implemented Interfaces:
IdTokenProvider, QuotaProjectIdProvider, ServiceAccountSigner, Serializable

public class ComputeEngineCredentials extends GoogleCredentials implements ServiceAccountSigner, IdTokenProvider
OAuth2 credentials representing the built-in service account for a Google Compute Engine VM.

Fetches access tokens from the Google Compute Engine metadata server.

These credentials use the IAM API to sign data. See sign(byte[]) for more details.

Method Details

    • getMetricsCredentialType

      public CredentialTypeForMetrics getMetricsCredentialType()
      Overrides:
      getMetricsCredentialType in class Credentials
    • createScoped

      public GoogleCredentials createScoped(Collection<String> newScopes)
      Clones the compute engine account with the specified scopes.
      Overrides:
      createScoped in class GoogleCredentials
      Parameters:
      newScopes - Collection of scopes to request.
      Returns:
      GoogleCredentials with requested scopes.
    • createScoped

      public GoogleCredentials createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes)
      Clones the compute engine account with the specified scopes and default scopes.
      Overrides:
      createScoped in class GoogleCredentials
      Parameters:
      newScopes - Collection of scopes to request.
      newDefaultScopes - Collection of default scopes to request.
      Returns:
      GoogleCredentials with requested scopes.
    • create

      public static ComputeEngineCredentials create()
      Create a new ComputeEngineCredentials instance with default behavior.
      Returns:
      new ComputeEngineCredentials
    • getScopes

      public final Collection<String> getScopes()
    • getUniverseDomain

      public String getUniverseDomain() throws IOException
      Gets the universe domain from the GCE metadata server.

      Returns an explicit universe domain if it was provided during credential initialization.

      Returns Credentials.GOOGLE_DEFAULT_UNIVERSE if the universe domain endpoint is not found (404) or returns an empty string.

      Otherwise, returns universe domain from GCE metadata service.

      Any above value is cached for the credential lifetime.

      Overrides:
      getUniverseDomain in class GoogleCredentials
      Returns:
      string representing a universe domain in the format some-domain.xyz
      Throws:
      IOException - if a call to the GCE metadata service was unsuccessful. Check whether the exception implements Retryable; its isRetryable() returns true if the operation may be retried.
    • getProjectId

      public String getProjectId()
      Retrieves the Google Cloud project ID from the Compute Engine (GCE) metadata server.

      On its first successful execution, it fetches the project ID and caches it for the lifetime of the object. Subsequent calls will return the cached value without making additional network requests.

      If the request to the metadata server fails (e.g., due to network issues, or if the VM lacks the required service account permissions), the method will attempt to fall back to a default project ID provider which could be null.

      Overrides:
      getProjectId in class GoogleCredentials
      Returns:
      the GCP project ID string, or null if the metadata server is inaccessible and no fallback project ID can be determined.
    • refreshAccessToken

      public AccessToken refreshAccessToken() throws IOException
      Refreshes the access token by fetching it from the GCE metadata server.
      Overrides:
      refreshAccessToken in class OAuth2Credentials
      Returns:
      never
      Throws:
      IOException
    • idTokenWithAudience

      public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options) throws IOException
      Returns a Google ID Token from the metadata server on Compute Engine.
      Specified by:
      idTokenWithAudience in interface IdTokenProvider
      Parameters:
      targetAudience - the aud: field the IdToken should include
      options - list of credential-specific options for the token. For example, an IdToken for a ComputeEngineCredentials instance can have the full formatted claims returned if IdTokenProvider.Option.FORMAT_FULL is provided as a list option. Valid option values are:
      IdTokenProvider.Option.FORMAT_FULL
      IdTokenProvider.Option.LICENSES_TRUE
      If no options are set, the defaults are "&format=standard&licenses=false"
      Returns:
      IdToken object which includes the raw id_token, JsonWebSignature
      Throws:
      IOException - if the attempt to get an IdToken failed
    • getMetadataServerUrl

      public static String getMetadataServerUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)
    • getMetadataServerUrl

      public static String getMetadataServerUrl()
    • getTokenServerEncodedUrl

      public static String getTokenServerEncodedUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)
    • getTokenServerEncodedUrl

      public static String getTokenServerEncodedUrl()
    • getUniverseDomainUrl

      public static String getUniverseDomainUrl()
    • getServiceAccountsUrl

      public static String getServiceAccountsUrl()
    • getIdentityDocumentUrl

      public static String getIdentityDocumentUrl()
    • getProjectIdUrl

      public static String getProjectIdUrl()
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class GoogleCredentials
    • toStringHelper

      protected com.google.common.base.MoreObjects.ToStringHelper toStringHelper()
      Description copied from class: GoogleCredentials
      A helper for overriding the toString() method. This allows inheritance of superclass fields: extending classes can override this implementation, call the super implementation, and add more fields. The same cannot be done by overriding toString() directly.
      Overrides:
      toStringHelper in class GoogleCredentials
      Returns:
      an instance of the ToStringHelper that has public fields added
    • equals

      public boolean equals(Object obj)
      Overrides:
      equals in class GoogleCredentials
    • toBuilder

      Overrides:
      toBuilder in class GoogleCredentials
    • newBuilder

      public static ComputeEngineCredentials.Builder newBuilder()
    • getAccount

      public String getAccount()
      Returns the email address associated with the GCE default service account.
      Specified by:
      getAccount in interface ServiceAccountSigner
      Throws:
      RuntimeException - if the default service account cannot be read
    • sign

      public byte[] sign(byte[] toSign)
      Signs the provided bytes using the private key associated with the service account.

      The Compute Engine VM's project must have the Identity and Access Management (IAM) API enabled, and the instance's service account must hold the iam.serviceAccounts.signBlob permission.

      Specified by:
      sign in interface ServiceAccountSigner
      Parameters:
      toSign - bytes to sign
      Returns:
      signed bytes
      Throws:
      ServiceAccountSigner.SigningException - if the attempt to sign the provided bytes failed
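The following is an added example, not code from the library or its documentation, showing how the methods documented above fit together when run on a Compute Engine VM: a scoped access token, an ID token checked against the audience it was requested for, and an IAM-backed signature. The audience URL and the signed payload are placeholders.

```java
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdToken;
import com.google.auth.oauth2.IdTokenProvider;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;

public class ComputeEngineCredentialsExample {

  // Placeholder audience: the URL of the service that will receive the ID token.
  static final String TARGET_AUDIENCE = "https://example-service.invalid";

  public static void main(String[] args) throws IOException {
    // Credentials for the VM's attached service account; tokens come from the metadata server.
    ComputeEngineCredentials creds = ComputeEngineCredentials.create();

    // Access token: request only the scope the caller actually needs.
    GoogleCredentials scoped =
        creds.createScoped(Collections.singletonList("https://www.googleapis.com/auth/cloud-platform"));
    AccessToken token = scoped.refreshAccessToken();
    System.out.println("access token expires at " + token.getExpirationTime());

    // ID token with the full claim set (FORMAT_FULL is one of the documented Option values).
    List<IdTokenProvider.Option> options =
        Collections.singletonList(IdTokenProvider.Option.FORMAT_FULL);
    IdToken idToken = creds.idTokenWithAudience(TARGET_AUDIENCE, options);
    JsonWebSignature jws = idToken.getJsonWebSignature();

    // Confirm the token is bound to the intended audience before presenting it anywhere.
    Object aud = jws.getPayload().getAudience();
    if (!TARGET_AUDIENCE.equals(aud)) {
      throw new IllegalStateException("unexpected aud claim: " + aud);
    }
    System.out.println("id token subject: " + jws.getPayload().getSubject());

    // sign() goes through the IAM signBlob API, not a local private key: the IAM API must be
    // enabled and the attached account needs iam.serviceAccounts.signBlob, else SigningException.
    byte[] signature = creds.sign("payload-to-sign".getBytes(StandardCharsets.UTF_8));
    System.out.println(creds.getAccount() + " produced a " + signature.length + "-byte signature");
  }
}
```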