Package com.google.auth.oauth2

Class ServiceAccountCredentials

java.lang.Object
com.google.auth.Credentials
com.google.auth.oauth2.OAuth2Credentials
com.google.auth.oauth2.GoogleCredentials
com.google.auth.oauth2.ServiceAccountCredentials
All Implemented Interfaces:
IdTokenProvider, JwtProvider, QuotaProjectIdProvider, ServiceAccountSigner, Serializable
public class ServiceAccountCredentials extends GoogleCredentials implements ServiceAccountSigner, IdTokenProvider, JwtProvider
OAuth2 credentials representing a Service Account for calling Google APIs.

By default uses a JSON Web Token (JWT) to fetch access tokens.

See Also:

  • Method Details

    • fromPkcs8

      public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes) throws IOException
      Factory with minimum identifying information using PKCS#8 for the private key.
      Parameters:
      clientId - Client ID of the service account from the console. May be null.
      clientEmail - Client email address of the service account from the console.
      privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
      privateKeyId - Private key identifier for the service account. May be null.
      scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
      Returns:
      New ServiceAccountCredentials created from a private key.
      Throws:
      IOException - if the credential cannot be created from the private key.

    • fromPkcs8

      public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes) throws IOException
      Factory with minimum identifying information using PKCS#8 for the private key.
      Parameters:
      clientId - client ID of the service account from the console. May be null.
      clientEmail - client email address of the service account from the console
      privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
      privateKeyId - private key identifier for the service account. May be null.
      scopes - scope strings for the APIs to be called. May be null or an empty collection.
      defaultScopes - default scope strings for the APIs to be called. May be null or an empty.
      Returns:
      new ServiceAccountCredentials created from a private key
      Throws:
      IOException - if the credential cannot be created from the private key

    • fromPkcs8

      public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri) throws IOException
      Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
      Parameters:
      clientId - Client ID of the service account from the console. May be null.
      clientEmail - Client email address of the service account from the console.
      privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
      privateKeyId - Private key identifier for the service account. May be null.
      scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
      transportFactory - HTTP transport factory, creates the transport used to get access tokens.
      tokenServerUri - URI of the end point that provides tokens.
      Returns:
      New ServiceAccountCredentials created from a private key.
      Throws:
      IOException - if the credential cannot be created from the private key.

    • fromPkcs8

      public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri) throws IOException
      Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
      Parameters:
      clientId - client ID of the service account from the console. May be null.
      clientEmail - client email address of the service account from the console
      privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
      privateKeyId - private key identifier for the service account. May be null.
      scopes - scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
      defaultScopes - default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
      transportFactory - HTTP transport factory, creates the transport used to get access tokens.
      tokenServerUri - URI of the end point that provides tokens
      Returns:
      new ServiceAccountCredentials created from a private key
      Throws:
      IOException - if the credential cannot be created from the private key

    • fromPkcs8

      public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser) throws IOException
      Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
      Parameters:
      clientId - Client ID of the service account from the console. May be null.
      clientEmail - Client email address of the service account from the console.
      privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
      privateKeyId - Private key identifier for the service account. May be null.
      scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
      transportFactory - HTTP transport factory, creates the transport used to get access tokens.
      tokenServerUri - URI of the end point that provides tokens.
      serviceAccountUser - The email of the user account to impersonate, if delegating domain-wide authority to the service account.
      Returns:
      New ServiceAccountCredentials created from a private key.
      Throws:
      IOException - if the credential cannot be created from the private key.

    • fromPkcs8

      public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser) throws IOException
      Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
      Parameters:
      clientId - client ID of the service account from the console. May be null.
      clientEmail - client email address of the service account from the console
      privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.
      privateKeyId - private key identifier for the service account. May be null.
      scopes - scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
      defaultScopes - default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
      transportFactory - HTTP transport factory, creates the transport used to get access tokens.
      tokenServerUri - URI of the end point that provides tokens
      serviceAccountUser - the email of the user account to impersonate, if delegating domain-wide authority to the service account.
      Returns:
      new ServiceAccountCredentials created from a private key
      Throws:
      IOException - if the credential cannot be created from the private key

    • fromStream

      public static ServiceAccountCredentials fromStream(InputStream credentialsStream) throws IOException
      Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.

      Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to .

      Parameters:
      credentialsStream - the stream with the credential definition.
      Returns:
      the credential defined by the credentialsStream.
      Throws:
      IOException - if the credential cannot be created from the stream.

    • fromStream

      public static ServiceAccountCredentials fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory) throws IOException
      Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.

      Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to .

      Parameters:
      credentialsStream - the stream with the credential definition.
      transportFactory - HTTP transport factory, creates the transport used to get access tokens.
      Returns:
      the credential defined by the credentialsStream.
      Throws:
      IOException - if the credential cannot be created from the stream.

    • createScopedRequired

      public boolean createScopedRequired()
      Returns whether the scopes are empty, meaning createScoped must be called before use.
      Overrides:
      createScopedRequired in class GoogleCredentials
      Returns:
      Whether the credentials require scopes to be specified.

    • refreshAccessToken

      public AccessToken refreshAccessToken() throws IOException
      Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).
      Overrides:
      refreshAccessToken in class OAuth2Credentials
      Returns:
      never
      Throws:
      IOException

    • idTokenWithAudience

      public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options) throws IOException
      Returns a Google ID Token from either the OAuth or IAM Endpoint. For Credentials that are in the Google Default Universe (googleapis.com), the ID Token will be retrieved from the Oauth Endpoint. Otherwise, it will be retrieved from the IAM Endpoint.
      Specified by:
      idTokenWithAudience in interface IdTokenProvider
      Parameters:
      targetAudience - the aud: field the IdToken should include.
      options - list of Credential specific options for the token. Currently, unused for ServiceAccountCredentials.
      Returns:
      IdToken object which includes the raw id_token, expiration and audience
      Throws:
      IOException - if the attempt to get an IdToken failed

    • createWithCustomRetryStrategy

      public ServiceAccountCredentials createWithCustomRetryStrategy(boolean defaultRetriesEnabled)
      Clones the service account with the specified default retries.
      Overrides:
      createWithCustomRetryStrategy in class GoogleCredentials
      Parameters:
      defaultRetriesEnabled - a flag enabling or disabling default retries
      Returns:
      GoogleCredentials with the specified retry configuration.

    • createScoped

      public GoogleCredentials createScoped(Collection<String> newScopes)
      Clones the service account with the specified scopes.

      Should be called before use for instances with empty scopes.

      Overrides:
      createScoped in class GoogleCredentials
      Parameters:
      newScopes - Collection of scopes to request.
      Returns:
      GoogleCredentials with requested scopes.

    • createScoped

      public GoogleCredentials createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes)
      Clones the service account with the specified scopes. The Access Token is invalidated even if the same scopes are provided. Access Tokens contain information of the internal values (i.e. scope). If an internal value (scope) is modified, then the existing Access Token is no longer valid and should not be re-used.

      Should be called before use for instances with empty scopes.

      Overrides:
      createScoped in class GoogleCredentials
      Parameters:
      newScopes - Collection of scopes to request.
      newDefaultScopes - Collection of default scopes to request.
      Returns:
      GoogleCredentials with requested scopes.

    • createWithCustomLifetime

      public ServiceAccountCredentials createWithCustomLifetime(int lifetime)
      Clones the service account with a new lifetime value.
      Parameters:
      lifetime - life time value in seconds. The value should be at most 43200 (12 hours). If the token is used for calling a Google API, then the value should be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used when creating the credentials.
      Returns:
      the cloned service account credentials with the given custom life time

    • createWithUseJwtAccessWithScope

      public ServiceAccountCredentials createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope)
      Clones the service account with a new useJwtAccessWithScope value. This flag will be ignored if universeDomain field is different from Credentials.GOOGLE_DEFAULT_UNIVERSE.
      Parameters:
      useJwtAccessWithScope - whether self-signed JWT with scopes should be used
      Returns:
      the cloned service account credentials with the given useJwtAccessWithScope

    • createDelegated

      public GoogleCredentials createDelegated(String user)
      Description copied from class: GoogleCredentials
      If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.
      Overrides:
      createDelegated in class GoogleCredentials
      Parameters:
      user - User to impersonate.
      Returns:
      GoogleCredentials with a delegated user.

    • getClientId

      public final String getClientId()

    • getClientEmail

      public final String getClientEmail()

    • getPrivateKey

      public final PrivateKey getPrivateKey()

    • getPrivateKeyId

      public final String getPrivateKeyId()

    • getScopes

      public final Collection<String> getScopes()

    • getDefaultScopes

      public final Collection<String> getDefaultScopes()

    • getServiceAccountUser

      public final String getServiceAccountUser()

    • getProjectId

      public final String getProjectId()
      Description copied from class: GoogleCredentials
      The projectId value for a Credential type. Since not all GoogleCredentials subclass have a projectId associated, the projectId may be null. A subset of GoogleCredentials subclasses will override to return their projectId.
      Overrides:
      getProjectId in class GoogleCredentials
      Returns:
      the projectId set in the SA Key file or the user set projectId

    • getTokenServerUri

      public final URI getTokenServerUri()

    • getUseJwtAccessWithScope

      public boolean getUseJwtAccessWithScope()

    • getAccount

      public String getAccount()
      Specified by:
      getAccount in interface ServiceAccountSigner

    • sign

      public byte[] sign(byte[] toSign)
      Specified by:
      sign in interface ServiceAccountSigner

    • jwtWithClaims

      public JwtCredentials jwtWithClaims(JwtClaims newClaims)
      Returns a new JwtCredentials instance with modified claims.
      Specified by:
      jwtWithClaims in interface JwtProvider
      Parameters:
      newClaims - new claims. Any unspecified claim fields will default to the current values.
      Returns:
      new credentials

    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class GoogleCredentials

    • toStringHelper

      protected com.google.common.base.MoreObjects.ToStringHelper toStringHelper()
      Description copied from class: GoogleCredentials
      A helper for overriding the toString() method. This allows inheritance of super class fields. Extending classes can override this implementation and call super implementation and add more fields. Same cannot be done with overriding the toString() directly.
      Overrides:
      toStringHelper in class GoogleCredentials
      Returns:
      an instance of the ToStringHelper that has public fields added

    • equals

      public boolean equals(Object obj)
      Overrides:
      equals in class GoogleCredentials

    • getRequestMetadata

      public void getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)
      Overrides:
      getRequestMetadata in class OAuth2Credentials

    • getRequestMetadata

      public Map<String,List<String>> getRequestMetadata(URI uri) throws IOException
      Provide the request metadata by putting an access JWT directly in the metadata.
      Overrides:
      getRequestMetadata in class OAuth2Credentials
      Throws:
      IOException

    • getMetricsCredentialType

      public CredentialTypeForMetrics getMetricsCredentialType()
      Overrides:
      getMetricsCredentialType in class Credentials

    • newBuilder

      public static ServiceAccountCredentials.Builder newBuilder()

    • toBuilder

      public ServiceAccountCredentials.Builder toBuilder()
      Overrides:
      toBuilder in class GoogleCredentials