Class ComputeEngineCredentials (1.4.0)

public class ComputeEngineCredentials extends GoogleCredentials implements ServiceAccountSigner, IdTokenProvider

OAuth2 credentials representing the built-in service account for a Google Compute Engine VM.

Fetches access tokens from the Google Compute Engine metadata server.

These credentials use the IAM API to sign data. See #sign(byte[]) for more details.

Inheritance

Object > Credentials > OAuth2Credentials > GoogleCredentials > ComputeEngineCredentials

Static Methods

create()

public static ComputeEngineCredentials create()

Create a new ComputeEngineCredentials instance with default behavior.

Returns
TypeDescription
ComputeEngineCredentials

new ComputeEngineCredentials

getIdentityDocumentUrl()

public static String getIdentityDocumentUrl()
Returns
TypeDescription
String

getMetadataServerUrl()

public static String getMetadataServerUrl()
Returns
TypeDescription
String

getMetadataServerUrl(DefaultCredentialsProvider provider)

public static String getMetadataServerUrl(DefaultCredentialsProvider provider)
Parameter
NameDescription
providercom.google.auth.oauth2.DefaultCredentialsProvider
Returns
TypeDescription
String

getServiceAccountsUrl()

public static String getServiceAccountsUrl()
Returns
TypeDescription
String

getTokenServerEncodedUrl()

public static String getTokenServerEncodedUrl()
Returns
TypeDescription
String

getTokenServerEncodedUrl(DefaultCredentialsProvider provider)

public static String getTokenServerEncodedUrl(DefaultCredentialsProvider provider)
Parameter
NameDescription
providercom.google.auth.oauth2.DefaultCredentialsProvider
Returns
TypeDescription
String

newBuilder()

public static ComputeEngineCredentials.Builder newBuilder()
Returns
TypeDescription
ComputeEngineCredentials.Builder

Methods

createScoped(Collection<String> newScopes)

public GoogleCredentials createScoped(Collection<String> newScopes)

Clones the compute engine account with the specified scopes.

Parameter
NameDescription
newScopesCollection<String>
Returns
TypeDescription
GoogleCredentials
Overrides

createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes)

public GoogleCredentials createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes)

Clones the compute engine account with the specified scopes.

Parameters
NameDescription
newScopesCollection<String>
newDefaultScopesCollection<String>
Returns
TypeDescription
GoogleCredentials
Overrides

equals(Object obj)

public boolean equals(Object obj)
Parameter
NameDescription
objObject
Returns
TypeDescription
boolean
Overrides

getAccount()

public String getAccount()

Returns the email address associated with the GCE default service account.

Returns
TypeDescription
String

getScopes()

public final Collection<String> getScopes()
Returns
TypeDescription
Collection<String>

hashCode()

public int hashCode()
Returns
TypeDescription
int
Overrides

idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)

public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)

Returns a Google ID Token from the metadata server on ComputeEngine

Parameters
NameDescription
targetAudienceString

the aud: field the IdToken should include

optionsList<Option>

list of Credential specific options for the token. For example, an IDToken for a ComputeEngineCredential could have the full formatted claims returned if IdTokenProvider.Option.FORMAT_FULL) is provided as a list option. Valid option values are:
IdTokenProvider.Option.FORMAT_FULL
IdTokenProvider.Option.LICENSES_TRUE
If no options are set, the defaults are "&format=standard&licenses=false"

Returns
TypeDescription
IdToken

IdToken object which includes the raw id_token, JsonWebSignature

Exceptions
TypeDescription
IOException

if the attempt to get an IdToken failed

refreshAccessToken()

public AccessToken refreshAccessToken()

Refresh the access token by getting it from the GCE metadata server

Returns
TypeDescription
AccessToken
Overrides Exceptions
TypeDescription
IOException

sign(byte[] toSign)

public byte[] sign(byte[] toSign)

Signs the provided bytes using the private key associated with the service account.

The Compute Engine's project must enable the Identity and Access Management (IAM) API and the instance's service account must have the iam.serviceAccounts.signBlob permission. See Also: <xref uid="Blob Signing" data-throw-if-not-resolved="false">Blob Signing

Parameter
NameDescription
toSignbyte[]

bytes to sign

Returns
TypeDescription
byte[]

signed bytes

toBuilder()

public ComputeEngineCredentials.Builder toBuilder()
Returns
TypeDescription
ComputeEngineCredentials.Builder
Overrides

toString()

public String toString()
Returns
TypeDescription
String
Overrides