com.google.cloud.iam.credentials.v1

Class IamCredentialsClient

java.lang.Object

com.google.cloud.iam.credentials.v1.IamCredentialsClient

All Implemented Interfaces:

com.google.api.gax.core.BackgroundResource, AutoCloseable

@Generated(value="by gapic-generator-java")
public class IamCredentialsClient
extends Object
implements com.google.api.gax.core.BackgroundResource

Service Description: A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.

Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.

This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response =
       iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }
 

Note: close() needs to be called on the IamCredentialsClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().

Methods

Method	Description	Method Variants
GenerateAccessToken	Generates an OAuth 2.0 access token for a service account.	Request object method variants only take one parameter, a request object, which must be constructed before the call. generateAccessToken(GenerateAccessTokenRequest request) "Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method. generateAccessToken(ServiceAccountName name, List<String> delegates, List<String> scope, Duration lifetime) generateAccessToken(String name, List<String> delegates, List<String> scope, Duration lifetime) Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service. generateAccessTokenCallable()
GenerateIdToken	Generates an OpenID Connect ID token for a service account.	Request object method variants only take one parameter, a request object, which must be constructed before the call. generateIdToken(GenerateIdTokenRequest request) "Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method. generateIdToken(ServiceAccountName name, List<String> delegates, String audience, boolean includeEmail) generateIdToken(String name, List<String> delegates, String audience, boolean includeEmail) Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service. generateIdTokenCallable()
SignBlob	Signs a blob using a service account's system-managed private key.	Request object method variants only take one parameter, a request object, which must be constructed before the call. signBlob(SignBlobRequest request) "Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method. signBlob(ServiceAccountName name, List<String> delegates, ByteString payload) signBlob(String name, List<String> delegates, ByteString payload) Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service. signBlobCallable()
SignJwt	Signs a JWT using a service account's system-managed private key.	Request object method variants only take one parameter, a request object, which must be constructed before the call. signJwt(SignJwtRequest request) "Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method. signJwt(ServiceAccountName name, List<String> delegates, String payload) signJwt(String name, List<String> delegates, String payload) Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service. signJwtCallable()

See the individual methods for example code.

Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.

This class can be customized by passing in a custom instance of IamCredentialsSettings to create(). For example:

To customize credentials:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 IamCredentialsSettings iamCredentialsSettings =
     IamCredentialsSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
         .build();
 IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create(iamCredentialsSettings);
 

To customize the endpoint:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 IamCredentialsSettings iamCredentialsSettings =
     IamCredentialsSettings.newBuilder().setEndpoint(myEndpoint).build();
 IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create(iamCredentialsSettings);
 

To use REST (HTTP1.1/JSON) transport (instead of gRPC) for sending and receiving requests over the wire:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 IamCredentialsSettings iamCredentialsSettings =
     IamCredentialsSettings.newHttpJsonBuilder().build();
 IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create(iamCredentialsSettings);
 

Please refer to the GitHub repository's samples for more quickstart code snippets.

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	IamCredentialsClient(IamCredentialsSettings settings) Constructs an instance of IamCredentialsClient, using the given settings.
protected	IamCredentialsClient(IamCredentialsStub stub)

Method Summary

Modifier and Type	Method and Description
boolean	awaitTermination(long duration, TimeUnit unit)
void	close()
static IamCredentialsClient	create() Constructs an instance of IamCredentialsClient with default settings.
static IamCredentialsClient	create(IamCredentialsSettings settings) Constructs an instance of IamCredentialsClient, using the given settings.
static IamCredentialsClient	create(IamCredentialsStub stub) Constructs an instance of IamCredentialsClient, using the given stub for making calls.
GenerateAccessTokenResponse	generateAccessToken(GenerateAccessTokenRequest request) Generates an OAuth 2.0 access token for a service account.
GenerateAccessTokenResponse	generateAccessToken(ServiceAccountName name, List<String> delegates, List<String> scope, com.google.protobuf.Duration lifetime) Generates an OAuth 2.0 access token for a service account.
GenerateAccessTokenResponse	generateAccessToken(String name, List<String> delegates, List<String> scope, com.google.protobuf.Duration lifetime) Generates an OAuth 2.0 access token for a service account.
com.google.api.gax.rpc.UnaryCallable<GenerateAccessTokenRequest,GenerateAccessTokenResponse>	generateAccessTokenCallable() Generates an OAuth 2.0 access token for a service account.
GenerateIdTokenResponse	generateIdToken(GenerateIdTokenRequest request) Generates an OpenID Connect ID token for a service account.
GenerateIdTokenResponse	generateIdToken(ServiceAccountName name, List<String> delegates, String audience, boolean includeEmail) Generates an OpenID Connect ID token for a service account.
GenerateIdTokenResponse	generateIdToken(String name, List<String> delegates, String audience, boolean includeEmail) Generates an OpenID Connect ID token for a service account.
com.google.api.gax.rpc.UnaryCallable<GenerateIdTokenRequest,GenerateIdTokenResponse>	generateIdTokenCallable() Generates an OpenID Connect ID token for a service account.
IamCredentialsSettings	getSettings()
IamCredentialsStub	getStub()
boolean	isShutdown()
boolean	isTerminated()
void	shutdown()
void	shutdownNow()
SignBlobResponse	signBlob(ServiceAccountName name, List<String> delegates, com.google.protobuf.ByteString payload) Signs a blob using a service account's system-managed private key.
SignBlobResponse	signBlob(SignBlobRequest request) Signs a blob using a service account's system-managed private key.
SignBlobResponse	signBlob(String name, List<String> delegates, com.google.protobuf.ByteString payload) Signs a blob using a service account's system-managed private key.
com.google.api.gax.rpc.UnaryCallable<SignBlobRequest,SignBlobResponse>	signBlobCallable() Signs a blob using a service account's system-managed private key.
SignJwtResponse	signJwt(ServiceAccountName name, List<String> delegates, String payload) Signs a JWT using a service account's system-managed private key.
SignJwtResponse	signJwt(SignJwtRequest request) Signs a JWT using a service account's system-managed private key.
SignJwtResponse	signJwt(String name, List<String> delegates, String payload) Signs a JWT using a service account's system-managed private key.
com.google.api.gax.rpc.UnaryCallable<SignJwtRequest,SignJwtResponse>	signJwtCallable() Signs a JWT using a service account's system-managed private key.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

IamCredentialsClient

protected IamCredentialsClient(IamCredentialsSettings settings)
                        throws IOException

Constructs an instance of IamCredentialsClient, using the given settings. This is protected so that it is easy to make a subclass, but otherwise, the static factory methods should be preferred.

Throws:

IOException

IamCredentialsClient

protected IamCredentialsClient(IamCredentialsStub stub)

Method Detail

create

public static final IamCredentialsClient create()
                                         throws IOException

Constructs an instance of IamCredentialsClient with default settings.

Throws:

IOException

create

public static final IamCredentialsClient create(IamCredentialsSettings settings)
                                         throws IOException

Constructs an instance of IamCredentialsClient, using the given settings. The channels are created based on the settings passed in, or defaults for any settings that are not set.

Throws:

IOException

create

public static final IamCredentialsClient create(IamCredentialsStub stub)

Constructs an instance of IamCredentialsClient, using the given stub for making calls. This is for advanced usage - prefer using create(IamCredentialsSettings).

getSettings

public final IamCredentialsSettings getSettings()

getStub

public IamCredentialsStub getStub()

generateAccessToken

public final GenerateAccessTokenResponse generateAccessToken(ServiceAccountName name,
                                                             List<String> delegates,
                                                             List<String> scope,
                                                             com.google.protobuf.Duration lifetime)

Generates an OAuth 2.0 access token for a service account.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response =
       iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }
 

Parameters:

name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

scope - Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.

lifetime - The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

generateAccessToken

public final GenerateAccessTokenResponse generateAccessToken(String name,
                                                             List<String> delegates,
                                                             List<String> scope,
                                                             com.google.protobuf.Duration lifetime)

Generates an OAuth 2.0 access token for a service account.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response =
       iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }
 

Parameters:

name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

scope - Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.

lifetime - The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

generateAccessToken

public final GenerateAccessTokenResponse generateAccessToken(GenerateAccessTokenRequest request)

Generates an OAuth 2.0 access token for a service account.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateAccessTokenRequest request =
       GenerateAccessTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .addAllScope(new ArrayList<String>())
           .setLifetime(Duration.newBuilder().build())
           .build();
   GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(request);
 }
 

Parameters:

request - The request object containing all of the parameters for the API call.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

generateAccessTokenCallable

public final com.google.api.gax.rpc.UnaryCallable<GenerateAccessTokenRequest,GenerateAccessTokenResponse> generateAccessTokenCallable()

Generates an OAuth 2.0 access token for a service account.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateAccessTokenRequest request =
       GenerateAccessTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .addAllScope(new ArrayList<String>())
           .setLifetime(Duration.newBuilder().build())
           .build();
   ApiFuture<GenerateAccessTokenResponse> future =
       iamCredentialsClient.generateAccessTokenCallable().futureCall(request);
   // Do something.
   GenerateAccessTokenResponse response = future.get();
 }
 

generateIdToken

public final GenerateIdTokenResponse generateIdToken(ServiceAccountName name,
                                                     List<String> delegates,
                                                     String audience,
                                                     boolean includeEmail)

Generates an OpenID Connect ID token for a service account.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   String audience = "audience975628804";
   boolean includeEmail = true;
   GenerateIdTokenResponse response =
       iamCredentialsClient.generateIdToken(name, delegates, audience, includeEmail);
 }
 

Parameters:

name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

audience - Required. The audience for the token, such as the API or account that this token grants access to.

includeEmail - Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

generateIdToken

public final GenerateIdTokenResponse generateIdToken(String name,
                                                     List<String> delegates,
                                                     String audience,
                                                     boolean includeEmail)

Generates an OpenID Connect ID token for a service account.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   String audience = "audience975628804";
   boolean includeEmail = true;
   GenerateIdTokenResponse response =
       iamCredentialsClient.generateIdToken(name, delegates, audience, includeEmail);
 }
 

Parameters:

name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

audience - Required. The audience for the token, such as the API or account that this token grants access to.

includeEmail - Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

generateIdToken

public final GenerateIdTokenResponse generateIdToken(GenerateIdTokenRequest request)

Generates an OpenID Connect ID token for a service account.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateIdTokenRequest request =
       GenerateIdTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setAudience("audience975628804")
           .setIncludeEmail(true)
           .build();
   GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(request);
 }
 

Parameters:

request - The request object containing all of the parameters for the API call.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

generateIdTokenCallable

public final com.google.api.gax.rpc.UnaryCallable<GenerateIdTokenRequest,GenerateIdTokenResponse> generateIdTokenCallable()

Generates an OpenID Connect ID token for a service account.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateIdTokenRequest request =
       GenerateIdTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setAudience("audience975628804")
           .setIncludeEmail(true)
           .build();
   ApiFuture<GenerateIdTokenResponse> future =
       iamCredentialsClient.generateIdTokenCallable().futureCall(request);
   // Do something.
   GenerateIdTokenResponse response = future.get();
 }
 

signBlob

public final SignBlobResponse signBlob(ServiceAccountName name,
                                       List<String> delegates,
                                       com.google.protobuf.ByteString payload)

Signs a blob using a service account's system-managed private key.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   ByteString payload = ByteString.EMPTY;
   SignBlobResponse response = iamCredentialsClient.signBlob(name, delegates, payload);
 }
 

Parameters:

name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

payload - Required. The bytes to sign.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

signBlob

public final SignBlobResponse signBlob(String name,
                                       List<String> delegates,
                                       com.google.protobuf.ByteString payload)

Signs a blob using a service account's system-managed private key.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   ByteString payload = ByteString.EMPTY;
   SignBlobResponse response = iamCredentialsClient.signBlob(name, delegates, payload);
 }
 

Parameters:

name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

payload - Required. The bytes to sign.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

signBlob

public final SignBlobResponse signBlob(SignBlobRequest request)

Signs a blob using a service account's system-managed private key.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignBlobRequest request =
       SignBlobRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload(ByteString.EMPTY)
           .build();
   SignBlobResponse response = iamCredentialsClient.signBlob(request);
 }
 

Parameters:

request - The request object containing all of the parameters for the API call.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

signBlobCallable

public final com.google.api.gax.rpc.UnaryCallable<SignBlobRequest,SignBlobResponse> signBlobCallable()

Signs a blob using a service account's system-managed private key.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignBlobRequest request =
       SignBlobRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload(ByteString.EMPTY)
           .build();
   ApiFuture<SignBlobResponse> future =
       iamCredentialsClient.signBlobCallable().futureCall(request);
   // Do something.
   SignBlobResponse response = future.get();
 }
 

signJwt

public final SignJwtResponse signJwt(ServiceAccountName name,
                                     List<String> delegates,
                                     String payload)

Signs a JWT using a service account's system-managed private key.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   String payload = "payload-786701938";
   SignJwtResponse response = iamCredentialsClient.signJwt(name, delegates, payload);
 }
 

Parameters:

name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

payload - Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

signJwt

public final SignJwtResponse signJwt(String name,
                                     List<String> delegates,
                                     String payload)

Signs a JWT using a service account's system-managed private key.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   String payload = "payload-786701938";
   SignJwtResponse response = iamCredentialsClient.signJwt(name, delegates, payload);
 }
 

Parameters:

name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

payload - Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

signJwt

public final SignJwtResponse signJwt(SignJwtRequest request)

Signs a JWT using a service account's system-managed private key.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignJwtRequest request =
       SignJwtRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload("payload-786701938")
           .build();
   SignJwtResponse response = iamCredentialsClient.signJwt(request);
 }
 

Parameters:

request - The request object containing all of the parameters for the API call.

Throws:

com.google.api.gax.rpc.ApiException - if the remote call fails

signJwtCallable

public final com.google.api.gax.rpc.UnaryCallable<SignJwtRequest,SignJwtResponse> signJwtCallable()

Signs a JWT using a service account's system-managed private key.

Sample code:

 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignJwtRequest request =
       SignJwtRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload("payload-786701938")
           .build();
   ApiFuture<SignJwtResponse> future =
       iamCredentialsClient.signJwtCallable().futureCall(request);
   // Do something.
   SignJwtResponse response = future.get();
 }
 

close

public final void close()

Specified by:

close in interface AutoCloseable

shutdown

public void shutdown()

Specified by:

shutdown in interface com.google.api.gax.core.BackgroundResource

isShutdown

public boolean isShutdown()

Specified by:

isShutdown in interface com.google.api.gax.core.BackgroundResource

isTerminated

public boolean isTerminated()

Specified by:

isTerminated in interface com.google.api.gax.core.BackgroundResource

shutdownNow

public void shutdownNow()

Specified by:

shutdownNow in interface com.google.api.gax.core.BackgroundResource

awaitTermination

public boolean awaitTermination(long duration,
                                TimeUnit unit)
                         throws InterruptedException

Specified by:

awaitTermination in interface com.google.api.gax.core.BackgroundResource

Throws:

InterruptedException