Class DownscopedCredentials (1.40.0)

public final class DownscopedCredentials extends OAuth2Credentials

DownscopedCredentials downscopes, that is restricts, the Identity and Access Management (IAM) permissions that a short-lived credential can exercise against Cloud Storage. The resulting token can never do more than the source credential it was derived from; it can only do less.

This class provides a server-side approach for generating downscoped tokens, suitable for situations where Credential Access Boundary rules change infrequently or a single downscoped credential is reused many times. For scenarios where rules change frequently, or you need to generate many unique downscoped tokens, the client-side approach using com.google.auth.credentialaccessboundary.ClientSideCredentialAccessBoundaryFactory is more efficient.

To downscope permissions you must define a CredentialAccessBoundary which specifies the upper bound of permissions that the credential can access. You must also provide a source credential which will be used to acquire the downscoped credential.

See the IAM documentation on downscoping short-lived credentials for more information.

Usage:


 import java.io.IOException;

 import com.google.auth.oauth2.AccessToken;
 import com.google.auth.oauth2.CredentialAccessBoundary;
 import com.google.auth.oauth2.DownscopedCredentials;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.OAuth2Credentials;
 import com.google.cloud.storage.Blob;
 import com.google.cloud.storage.BlobId;
 import com.google.cloud.storage.Storage;
 import com.google.cloud.storage.StorageOptions;

 // Source credential: the broad credential whose permissions are narrowed.
 // refreshAccessToken() below performs a token exchange and throws IOException,
 // so this code belongs in a method that declares or handles it.
 GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()
    .createScoped("https://www.googleapis.com/auth/cloud-platform");

 // One rule: at most roles/storage.objectViewer on a single bucket.
 CredentialAccessBoundary.AccessBoundaryRule rule =
     CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
         .setAvailableResource(
             "//storage.googleapis.com/projects/_/buckets/bucket")
         .addAvailablePermission("inRole:roles/storage.objectViewer")
         .build();

 // The downscoped credential exchanges the source token for a restricted one.
 DownscopedCredentials downscopedCredentials =
     DownscopedCredentials.newBuilder()
         .setSourceCredential(sourceCredentials)
         .setCredentialAccessBoundary(
             CredentialAccessBoundary.newBuilder().addRule(rule).build())
         .build();

 AccessToken accessToken = downscopedCredentials.refreshAccessToken();

 // A plain OAuth2Credentials holds the token as-is and does not refresh it on expiry.
 OAuth2Credentials credentials = OAuth2Credentials.create(accessToken);

 Storage storage =
     StorageOptions.newBuilder().setCredentials(credentials).build().getService();

 Blob blob = storage.get(BlobId.of("bucket", "object"));
 System.out.printf("Blob %s retrieved.%n", blob.getBlobId());


Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing an OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.
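The following is an added example, not code from this page or from the google-auth-library project. It combines the two points above: it builds a CredentialAccessBoundary that narrows objectViewer on one bucket further with an availability condition on an object prefix (an IAM Conditions CEL expression), wires the DownscopedCredentials into OAuth2CredentialsWithRefresh so the Storage client refreshes its downscoped token automatically, and then checks that a read outside the boundary is refused. The bucket name tenant-data, the prefix customer-a/, the object names and the class name DownscopedStorageExample are assumed placeholders.

```java
import java.io.IOException;

import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule;
import com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageException;
import com.google.cloud.storage.StorageOptions;

public class DownscopedStorageExample {

  // Assumed placeholders: a bucket shared by several tenants and one tenant's prefix.
  static final String BUCKET = "tenant-data";
  static final String TENANT_PREFIX = "customer-a/";

  /**
   * Boundary: objectViewer on one bucket, further limited to objects under one prefix.
   * The condition is evaluated by IAM on each request, so objects of other tenants in the
   * same bucket are outside the boundary even though the source credential can read them.
   */
  static CredentialAccessBoundary tenantReadOnlyBoundary(String bucket, String prefix) {
    AvailabilityCondition onlyTenantObjects =
        AvailabilityCondition.newBuilder()
            .setExpression(
                "resource.name.startsWith('projects/_/buckets/" + bucket
                    + "/objects/" + prefix + "')")
            .build();
    AccessBoundaryRule rule =
        AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + bucket)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .setAvailabilityCondition(onlyTenantObjects)
            .build();
    return CredentialAccessBoundary.newBuilder().addRule(rule).build();
  }

  /**
   * Wraps the DownscopedCredentials in OAuth2CredentialsWithRefresh. OAuth2RefreshHandler has a
   * single method returning a fresh AccessToken, so the credential's own refreshAccessToken()
   * serves as the handler; every refresh is a new STS exchange against the same boundary.
   */
  static OAuth2CredentialsWithRefresh autoRefreshing(DownscopedCredentials downscoped)
      throws IOException {
    AccessToken initial = downscoped.refreshAccessToken();
    return OAuth2CredentialsWithRefresh.newBuilder()
        .setAccessToken(initial)
        .setRefreshHandler(downscoped::refreshAccessToken)
        .build();
  }

  public static void main(String[] args) throws IOException {
    GoogleCredentials source =
        GoogleCredentials.getApplicationDefault()
            .createScoped("https://www.googleapis.com/auth/cloud-platform");

    DownscopedCredentials downscoped =
        DownscopedCredentials.newBuilder()
            .setSourceCredential(source)
            .setCredentialAccessBoundary(tenantReadOnlyBoundary(BUCKET, TENANT_PREFIX))
            .build();

    Storage storage =
        StorageOptions.newBuilder()
            .setCredentials(autoRefreshing(downscoped))
            .build()
            .getService();

    // Inside the boundary: allowed if the source credential itself may read the object.
    // storage.get() returns null for a missing object rather than throwing.
    Blob allowed = storage.get(BlobId.of(BUCKET, TENANT_PREFIX + "report.csv"));
    System.out.println(
        "in-boundary read: " + (allowed == null ? "(no such object)" : allowed.getBlobId()));

    // Outside the boundary: the downscoped token is rejected (expect a StorageException,
    // typically HTTP 403) regardless of what the source credential could do here.
    try {
      storage.get(BlobId.of(BUCKET, "customer-b/report.csv"));
      System.out.println("UNEXPECTED: read outside the boundary succeeded");
    } catch (StorageException e) {
      System.out.println("out-of-boundary read denied as expected: HTTP " + e.getCode());
    }
  }
}
```

The out-of-boundary probe is the check worth keeping in an integration test: a boundary typo (wrong bucket, a condition that never matches, or a permission name that is not in the inRole: form) tends to fail open to "whatever the source credential can do" rather than loudly, so asserting on the denial is the only way to know the restriction is actually in force.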

Inheritance

java.lang.Object > Credentials > OAuth2Credentials > DownscopedCredentials

Static Methods

newBuilder()

public static DownscopedCredentials.Builder newBuilder()
Returns: DownscopedCredentials.Builder

Methods

getCredentialAccessBoundary()

public CredentialAccessBoundary getCredentialAccessBoundary()
Returns: CredentialAccessBoundary

getSourceCredentials()

public GoogleCredentials getSourceCredentials()
Returns: GoogleCredentials

getUniverseDomain()

public String getUniverseDomain()

Returns the universe domain for the credential.

Returns: String. The universe domain if one was explicitly provided; otherwise the default Google universe domain.

Overrides

refreshAccessToken()

public AccessToken refreshAccessToken()

Refreshes the access token according to the specific type of credentials. DownscopedCredentials overrides this to refresh the source credential if needed and exchange its access token at the Security Token Service for a token restricted by the configured CredentialAccessBoundary; each call performs a new exchange.

The base OAuth2Credentials implementation throws IllegalStateException if not overridden, since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

Returns: AccessToken (the downscoped token)

Overrides

Exceptions: IOException