Package com.google.auth.credentialaccessboundary (1.32.0)

Classes

ClientSideCredentialAccessBoundaryFactory

A factory for generating downscoped access tokens using a client-side approach.

Downscoped tokens restrict (downscope) the Identity and Access Management (IAM) permissions that a short-lived credential can use when accessing Google Cloud Storage, so the token handed to a consumer never carries more privilege than the rules allow. This factory lets clients generate many downscoped tokens locally, minimizing calls to the Security Token Service (STS). The client-side approach is particularly beneficial when Credential Access Boundary rules change frequently or when many unique downscoped tokens are required. Where rules change infrequently or a single downscoped credential is reused many times, the server-side approach using DownscopedCredentials is more appropriate.

To downscope permissions you must define a CredentialAccessBoundary which specifies the upper bound of permissions that the credential can access. You must also provide a source credential which will be used to acquire the downscoped credential.

The factory can be configured with options such as the refreshMargin and minimumTokenLifetime. The refreshMargin controls how far in advance of the underlying credentials' expiry a refresh is attempted. The minimumTokenLifetime ensures that generated tokens have a minimum usable lifespan. See the Builder class for more details on these options.

Usage:

 import com.google.auth.credentialaccessboundary.ClientSideCredentialAccessBoundaryFactory;
 import com.google.auth.oauth2.AccessToken;
 import com.google.auth.oauth2.CredentialAccessBoundary;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.OAuth2Credentials;
 import com.google.cloud.storage.Blob;
 import com.google.cloud.storage.BlobId;
 import com.google.cloud.storage.Storage;
 import com.google.cloud.storage.StorageOptions;

 // Source credential: the broad credential that is only ever used to mint downscoped tokens.
 GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()
     .createScoped("https://www.googleapis.com/auth/cloud-platform");

 ClientSideCredentialAccessBoundaryFactory factory =
     ClientSideCredentialAccessBoundaryFactory.newBuilder()
         .setSourceCredential(sourceCredentials)
         .build();

 // Upper bound of permissions: read-only object access on a single bucket.
 CredentialAccessBoundary.AccessBoundaryRule rule =
     CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
         .setAvailableResource(
             "//storage.googleapis.com/projects/_/buckets/bucket")
         .addAvailablePermission("inRole:roles/storage.objectViewer")
         .build();

 CredentialAccessBoundary credentialAccessBoundary =
     CredentialAccessBoundary.newBuilder().addRule(rule).build();

 // Generated locally; no STS round trip per token.
 AccessToken downscopedAccessToken = factory.generateToken(credentialAccessBoundary);

 // Only the downscoped token, never the source credential, is given to the Storage client.
 OAuth2Credentials credentials = OAuth2Credentials.create(downscopedAccessToken);

 Storage storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService();

 Blob blob = storage.get(BlobId.of("bucket", "object"));
 System.out.printf("Blob %s retrieved.", blob.getBlobId());

Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing automatic token refreshes by providing an OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.
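The refresh-handler pattern just mentioned, combined with the refreshMargin and minimumTokenLifetime options, as an added example that is not part of this package's documentation. It assumes the Builder setters are named setRefreshMargin and setMinimumTokenLifetime (taking java.time.Duration) and that generateToken declares IOException, so that OAuth2RefreshHandler can be written as a lambda.

```java
import com.google.auth.credentialaccessboundary.ClientSideCredentialAccessBoundaryFactory;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.time.Duration;

public class RefreshingDownscopedExample {
  public static void main(String[] args) throws IOException {
    GoogleCredentials source = GoogleCredentials.getApplicationDefault()
        .createScoped("https://www.googleapis.com/auth/cloud-platform");

    // Assumed setter names for the refreshMargin / minimumTokenLifetime options:
    // refresh the source credential 5 minutes before it expires, and never hand
    // out a downscoped token with less than 2 minutes of usable life.
    ClientSideCredentialAccessBoundaryFactory factory =
        ClientSideCredentialAccessBoundaryFactory.newBuilder()
            .setSourceCredential(source)
            .setRefreshMargin(Duration.ofMinutes(5))
            .setMinimumTokenLifetime(Duration.ofMinutes(2))
            .build();

    // Least privilege: read-only object access on one bucket.
    CredentialAccessBoundary boundary = CredentialAccessBoundary.newBuilder()
        .addRule(CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/bucket")
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .build())
        .build();

    // Each refresh mints a new downscoped token locally under the same boundary,
    // so the consumer below never sees the broad source credential.
    OAuth2CredentialsWithRefresh.OAuth2RefreshHandler handler =
        () -> factory.generateToken(boundary);

    OAuth2CredentialsWithRefresh credentials =
        OAuth2CredentialsWithRefresh.newBuilder()
            .setAccessToken(factory.generateToken(boundary))
            .setRefreshHandler(handler)
            .build();

    // The Storage client refreshes through the handler as tokens approach expiry.
    Storage storage =
        StorageOptions.newBuilder().setCredentials(credentials).build().getService();
    System.out.println("Storage client ready for project " + storage.getOptions().getProjectId());
  }
}
```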

ClientSideCredentialAccessBoundaryFactory.Builder

Builder for ClientSideCredentialAccessBoundaryFactory.

Use this builder to create instances of ClientSideCredentialAccessBoundaryFactory with the desired configuration options.