Classes
ClientSideCredentialAccessBoundaryFactory
A factory for generating downscoped access tokens using a client-side approach.
Downscoped tokens enable the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions that a short-lived credential can use for accessing Google Cloud Storage. This factory allows clients to efficiently generate multiple downscoped tokens locally, minimizing calls to the Security Token Service (STS). This client-side approach is particularly beneficial when Credential Access Boundary rules change frequently or when many unique downscoped tokens are required. For scenarios where rules change infrequently or a single downscoped credential is reused many times, the server-side approach using DownscopedCredentials is more appropriate.
To downscope permissions you must define a CredentialAccessBoundary which specifies the upper bound of permissions that the credential can access. You must also provide a source credential which will be used to acquire the downscoped credential.
The factory can be configured with options such as the refreshMargin and minimumTokenLifetime. The refreshMargin controls how far in advance of the underlying credentials' expiry a refresh is attempted. The minimumTokenLifetime ensures that generated tokens have a minimum usable lifespan. See the Builder class for more details on these options.
Usage:

```java
// Source credential used to mint downscoped tokens (here, Application Default Credentials).
GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()
    .createScoped("https://www.googleapis.com/auth/cloud-platform");

// Factory that generates downscoped tokens locally instead of calling STS for each one.
ClientSideCredentialAccessBoundaryFactory factory =
    ClientSideCredentialAccessBoundaryFactory.newBuilder()
        .setSourceCredential(sourceCredentials)
        .build();

// Rule: read-only object access, restricted to a single bucket.
CredentialAccessBoundary.AccessBoundaryRule rule =
    CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
        .setAvailableResource(
            "//storage.googleapis.com/projects/_/buckets/bucket")
        .addAvailablePermission("inRole:roles/storage.objectViewer")
        .build();
CredentialAccessBoundary credentialAccessBoundary =
    CredentialAccessBoundary.newBuilder().addRule(rule).build();

// The downscoped token carries at most the permissions in the boundary.
AccessToken downscopedAccessToken = factory.generateToken(credentialAccessBoundary);
OAuth2Credentials credentials = OAuth2Credentials.create(downscopedAccessToken);

Storage storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService();
Blob blob = storage.get(BlobId.of("bucket", "object"));
System.out.printf("Blob %s retrieved.", blob.getBlobId());
```
Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing an OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.
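The following is an added, complete example (not code from the library's own documentation) that combines the two points above: it configures the factory with the refreshMargin and minimumTokenLifetime options, and it consumes the downscoped token through OAuth2CredentialsWithRefresh so that a fresh downscoped token is minted locally whenever the consuming credential decides it needs one. The bucket and object names are constructed placeholders; the setter names `setRefreshMargin` and `setMinimumTokenLifetime` and their `java.time.Duration` arguments are assumed from the option names this page describes, and the `DownscopedStorageReader` class and `readOnlyBoundary` helper are this example's own.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.ClientSideCredentialAccessBoundaryFactory;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.time.Duration;

/** Example class (not part of the library): reads one object with a least-privilege token. */
public class DownscopedStorageReader {

  // Constructed placeholder values; replace with your own bucket and object.
  private static final String BUCKET = "example-bucket";
  private static final String OBJECT = "reports/example.csv";

  /** Upper bound of permissions: read-only object access limited to one bucket. */
  static CredentialAccessBoundary readOnlyBoundary(String bucket) {
    CredentialAccessBoundary.AccessBoundaryRule rule =
        CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + bucket)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .build();
    return CredentialAccessBoundary.newBuilder().addRule(rule).build();
  }

  public static void main(String[] args) throws IOException {
    GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()
        .createScoped("https://www.googleapis.com/auth/cloud-platform");

    // Setter names and Duration values are assumptions based on the option names
    // documented for the Builder (refreshMargin, minimumTokenLifetime).
    ClientSideCredentialAccessBoundaryFactory factory =
        ClientSideCredentialAccessBoundaryFactory.newBuilder()
            .setSourceCredential(sourceCredentials)
            // Refresh the source credential 10 minutes before it expires.
            .setRefreshMargin(Duration.ofMinutes(10))
            // Never hand out a downscoped token with less than 5 minutes of usable life.
            .setMinimumTokenLifetime(Duration.ofMinutes(5))
            .build();

    CredentialAccessBoundary boundary = readOnlyBoundary(BUCKET);

    // Refresh handler: each refresh mints a new downscoped token locally from the factory,
    // so the consuming credential never needs a wider-scoped token and never calls STS itself.
    OAuth2CredentialsWithRefresh.OAuth2RefreshHandler refreshHandler =
        () -> factory.generateToken(boundary);

    OAuth2CredentialsWithRefresh credentials =
        OAuth2CredentialsWithRefresh.newBuilder()
            .setAccessToken(factory.generateToken(boundary))
            .setRefreshHandler(refreshHandler)
            .build();

    // Any operation outside the boundary (writes, other buckets) is denied by IAM.
    Storage storage =
        StorageOptions.newBuilder().setCredentials(credentials).build().getService();
    Blob blob = storage.get(BlobId.of(BUCKET, OBJECT));
    System.out.printf("Blob %s retrieved with a downscoped token.%n", blob.getBlobId());
  }
}
```

The refresh handler is where the client-side approach pays off: because generateToken runs locally, a long-lived Storage client can keep rotating short-lived, least-privilege tokens without an STS round trip for each one, while minimumTokenLifetime guarantees that a token returned by the handler will not expire mid-request.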
ClientSideCredentialAccessBoundaryFactory.Builder
Builder for ClientSideCredentialAccessBoundaryFactory.
Use this builder to create instances of ClientSideCredentialAccessBoundaryFactory with the desired configuration options.