Class DownscopedCredentials

All Implemented Interfaces:
Serializable

public final class DownscopedCredentials extends OAuth2Credentials
DownscopedCredentials enables the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions that a short-lived credential can use for Cloud Storage. The resulting token can do no more than the source credential: a Credential Access Boundary can only narrow the permissions the source already holds, never grant additional ones.

This class provides a server-side approach for generating downscoped tokens: each call to refreshAccessToken() exchanges the source credential's access token at Google's Security Token Service for a downscoped one. It suits situations where Credential Access Boundary rules change infrequently or a single downscoped credential is reused many times. For scenarios where rules change frequently, or you need to generate many unique downscoped tokens (for example one per tenant request), the client-side approach using com.google.auth.credentialaccessboundary.ClientSideCredentialAccessBoundaryFactory is more efficient because it avoids a network round trip per token.

To downscope permissions you must define a CredentialAccessBoundary which specifies the upper bound of permissions that the credential can access: one or more rules, each naming a resource (a Cloud Storage bucket), the permissions or roles available on it, and optionally an availability condition that further restricts which objects match. You must also provide a source credential which will be used to acquire the downscoped credential.

See for more information.

Usage:

 import java.io.IOException;

 import com.google.auth.oauth2.AccessToken;
 import com.google.auth.oauth2.CredentialAccessBoundary;
 import com.google.auth.oauth2.DownscopedCredentials;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.OAuth2Credentials;
 import com.google.cloud.storage.Blob;
 import com.google.cloud.storage.BlobId;
 import com.google.cloud.storage.Storage;
 import com.google.cloud.storage.StorageOptions;

 // Both getApplicationDefault() and refreshAccessToken() declare IOException.
 GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()
     .createScoped("https://www.googleapis.com/auth/cloud-platform");

 // One rule: read-only object access (roles/storage.objectViewer) on a single bucket.
 CredentialAccessBoundary.AccessBoundaryRule rule =
     CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
         .setAvailableResource(
             "//storage.googleapis.com/projects/_/buckets/bucket")
         .addAvailablePermission("inRole:roles/storage.objectViewer")
         .build();

 DownscopedCredentials downscopedCredentials =
     DownscopedCredentials.newBuilder()
         .setSourceCredential(sourceCredentials)
         .setCredentialAccessBoundary(
             CredentialAccessBoundary.newBuilder().addRule(rule).build())
         .build();

 // Performs the token exchange and returns the short-lived downscoped token.
 AccessToken accessToken = downscopedCredentials.refreshAccessToken();

 // OAuth2Credentials.create() wraps a fixed token: it will not refresh once the
 // token expires (see the note on OAuth2CredentialsWithRefresh below).
 OAuth2Credentials credentials = OAuth2Credentials.create(accessToken);

 Storage storage =
     StorageOptions.newBuilder().setCredentials(credentials).build().getService();

 Blob blob = storage.get(BlobId.of("bucket", "object"));
 System.out.printf("Blob %s retrieved.", blob.getBlobId());

Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing an OAuth2CredentialsWithRefresh.OAuth2RefreshHandler whose refreshAccessToken() delegates back to the DownscopedCredentials instance, so every refreshed token is again bounded by the same rules.
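The following is an added example, not code from the google-auth-library-java project, that combines the two points above: an availability condition that confines the token to one object prefix, and OAuth2CredentialsWithRefresh with a refresh handler so the consumer never has to hold the broad source credential. The bucket name, the tenant prefix, the class name and the object names are assumptions chosen for illustration.

```java
import java.io.IOException;

import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule;
import com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageException;
import com.google.cloud.storage.StorageOptions;

/** Hands a per-tenant, read-only, auto-refreshing credential to a worker. */
public final class TenantScopedStorageExample {

  // Hypothetical bucket and tenant prefix used only to illustrate the boundary.
  private static final String BUCKET = "tenant-data";
  private static final String TENANT_PREFIX = "customer-a/";

  /** Builds a boundary allowing object reads only under one tenant's prefix. */
  static CredentialAccessBoundary tenantReadOnlyBoundary(String bucket, String prefix) {
    // CEL expression that Cloud Storage evaluates against the full resource name.
    AvailabilityCondition onlyTenantObjects =
        AvailabilityCondition.newBuilder()
            .setTitle("tenant-prefix")
            .setDescription("Limit access to one tenant's objects")
            .setExpression(
                "resource.name.startsWith('projects/_/buckets/" + bucket
                    + "/objects/" + prefix + "')")
            .build();

    AccessBoundaryRule rule =
        AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + bucket)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .setAvailabilityCondition(onlyTenantObjects)
            .build();

    return CredentialAccessBoundary.newBuilder().addRule(rule).build();
  }

  /**
   * Wraps the downscoped credential so that each refresh goes back through the
   * boundary; the worker only ever sees short-lived tokens limited to the prefix.
   */
  static OAuth2CredentialsWithRefresh tenantCredential(
      GoogleCredentials source, CredentialAccessBoundary boundary) throws IOException {
    DownscopedCredentials downscoped =
        DownscopedCredentials.newBuilder()
            .setSourceCredential(source)
            .setCredentialAccessBoundary(boundary)
            .build();

    // OAuth2RefreshHandler has a single method, refreshAccessToken(), so the
    // DownscopedCredentials method reference serves as the handler directly.
    return OAuth2CredentialsWithRefresh.newBuilder()
        .setAccessToken(downscoped.refreshAccessToken())
        .setRefreshHandler(downscoped::refreshAccessToken)
        .build();
  }

  public static void main(String[] args) throws IOException {
    GoogleCredentials source =
        GoogleCredentials.getApplicationDefault()
            .createScoped("https://www.googleapis.com/auth/cloud-platform");

    OAuth2CredentialsWithRefresh tenantCreds =
        tenantCredential(source, tenantReadOnlyBoundary(BUCKET, TENANT_PREFIX));

    Storage storage =
        StorageOptions.newBuilder().setCredentials(tenantCreds).build().getService();

    // Allowed: the object sits under the tenant prefix.
    Blob allowed = storage.get(BlobId.of(BUCKET, TENANT_PREFIX + "report.csv"));
    System.out.println("read " + allowed.getBlobId());

    // Denied with 403 even though the source credential could read it: the
    // object is outside the prefix. Writes are denied too, since the boundary
    // carries only roles/storage.objectViewer.
    try {
      storage.get(BlobId.of(BUCKET, "customer-b/report.csv"));
    } catch (StorageException e) {
      System.out.println("denied as expected: HTTP " + e.getCode());
    }
  }
}
```

The check to keep in mind: the boundary is enforced by Cloud Storage when the token is presented, not by this library, so a rule that names a bucket the source credential cannot access does not fail at build time; it simply yields a token that can do nothing there.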
  • Method Details

    • refreshAccessToken

      public AccessToken refreshAccessToken() throws IOException
      Exchanges the source credential's access token for a downscoped access token whose permissions are bounded by the configured CredentialAccessBoundary. The source credential is refreshed first if its own token has expired. The returned token is short-lived and does not refresh itself; call this method again when it expires, or wrap the credential in OAuth2CredentialsWithRefresh as described above.

      Overrides:
      refreshAccessToken in class OAuth2Credentials
      Returns:
      the downscoped AccessToken
      Throws:
      IOException - if the source credential cannot be refreshed or the token exchange fails
    • getSourceCredentials

      public GoogleCredentials getSourceCredentials()
      Returns the source credential whose access token is exchanged for the downscoped token.
    • getCredentialAccessBoundary

      public CredentialAccessBoundary getCredentialAccessBoundary()
      Returns the Credential Access Boundary that bounds the permissions of the tokens this credential produces.
    • getUniverseDomain

      public String getUniverseDomain()
      Returns the universe domain for the credential.
      Overrides:
      getUniverseDomain in class Credentials
      Returns:
      The universe domain if one was explicitly provided; otherwise the default Google universe domain (googleapis.com).
    • newBuilder

      public static DownscopedCredentials.Builder newBuilder()