public class ClientSideCredentialAccessBoundaryFactory
A factory for generating downscoped access tokens using a client-side approach.
Downscoped tokens restrict the Identity and Access Management (IAM) permissions that a short-lived credential can exercise against Google Cloud Storage. This factory lets a client generate many downscoped tokens locally while minimizing calls to the Security Token Service (STS), which is most beneficial when Credential Access Boundary rules change frequently or when many distinct downscoped tokens are needed (for example, one per request or per tenant). When the rules change rarely and a single downscoped credential is reused many times, the server-side approach using DownscopedCredentials is the better fit.
To downscope permissions, define a CredentialAccessBoundary that specifies the upper bound of permissions the resulting credential may use, and supply a source credential from which the downscoped credential is derived. The boundary only ever narrows access: a downscoped token cannot grant a permission that the source credential does not already hold.
The factory can be configured with options such as the refreshMargin and minimumTokenLifetime. The refreshMargin controls how far in advance of the underlying credentials' expiry a refresh is attempted. The minimumTokenLifetime ensures that generated tokens have a minimum usable lifespan. See the Builder class for more details on these options.
Usage:
```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.ClientSideCredentialAccessBoundaryFactory;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2Credentials;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

public class DownscopedTokenUsage {
  public static void main(String[] args) throws Exception {
    // Source credential: the broad credential that will be narrowed.
    GoogleCredentials sourceCredentials =
        GoogleCredentials.getApplicationDefault()
            .createScoped("https://www.googleapis.com/auth/cloud-platform");
    ClientSideCredentialAccessBoundaryFactory factory =
        ClientSideCredentialAccessBoundaryFactory.newBuilder()
            .setSourceCredential(sourceCredentials)
            .build();

    // Boundary: read-only access to a single bucket.
    CredentialAccessBoundary.AccessBoundaryRule rule =
        CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/bucket")
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .build();
    CredentialAccessBoundary credentialAccessBoundary =
        CredentialAccessBoundary.newBuilder().addRule(rule).build();

    // The downscoped token is generated locally and handed to a Storage client.
    AccessToken downscopedAccessToken = factory.generateToken(credentialAccessBoundary);
    OAuth2Credentials credentials = OAuth2Credentials.create(downscopedAccessToken);
    Storage storage =
        StorageOptions.newBuilder().setCredentials(credentials).build().getService();
    Blob blob = storage.get(BlobId.of("bucket", "object"));
    System.out.printf("Blob %s retrieved.%n", blob.getBlobId());
  }
}
```
Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing an OAuth2CredentialsWithRefresh.OAuth2RefreshHandler. OAuth2Credentials.create wraps a fixed token and will start failing once that token expires, so long-lived clients should prefer the refresh-handler form.
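The following is an added example, not code from the page or from the google-auth-library-java project, that puts the pieces above together: one factory configured with a refreshMargin and minimumTokenLifetime, a per-bucket boundary builder, and an OAuth2CredentialsWithRefresh whose refresh handler regenerates the downscoped token locally from the factory. The class name DownscopedStorageClients and the helper names are invented for this example; the Builder methods setRefreshMargin and setMinimumTokenLifetime (taking java.time.Duration) are assumed from the option names the page lists and should be checked against the Builder reference.

```java
import com.google.auth.oauth2.ClientSideCredentialAccessBoundaryFactory;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import dev.cel.common.CelValidationException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.time.Duration;

// Example class (not part of the library): hands out per-bucket, read-only Storage clients
// whose credentials refresh themselves from a single client-side factory.
public class DownscopedStorageClients {

  private final ClientSideCredentialAccessBoundaryFactory factory;

  public DownscopedStorageClients() throws IOException {
    GoogleCredentials source =
        GoogleCredentials.getApplicationDefault()
            .createScoped("https://www.googleapis.com/auth/cloud-platform");
    this.factory =
        ClientSideCredentialAccessBoundaryFactory.newBuilder()
            .setSourceCredential(source)
            // Assumed Builder methods: refresh the underlying material 5 minutes before
            // expiry, and never hand out a token with less than 2 minutes left.
            .setRefreshMargin(Duration.ofMinutes(5))
            .setMinimumTokenLifetime(Duration.ofMinutes(2))
            .build();
  }

  // Upper bound for the downscoped token: object-viewer on exactly one bucket.
  static CredentialAccessBoundary readOnlyBucket(String bucket) {
    CredentialAccessBoundary.AccessBoundaryRule rule =
        CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + bucket)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .build();
    return CredentialAccessBoundary.newBuilder().addRule(rule).build();
  }

  // Returns a Storage client that can only read from the given bucket. Each call to the
  // refresh handler generates a fresh downscoped token locally; no new STS round trip is
  // needed unless the factory's own intermediate material is close to expiry.
  public Storage storageFor(String bucket) throws IOException {
    CredentialAccessBoundary boundary = readOnlyBucket(bucket);
    OAuth2CredentialsWithRefresh.OAuth2RefreshHandler handler =
        () -> {
          try {
            return factory.generateToken(boundary);
          } catch (GeneralSecurityException | CelValidationException e) {
            // The handler contract only allows IOException; wrap the other failures.
            throw new IOException("failed to generate downscoped token for " + bucket, e);
          }
        };
    OAuth2CredentialsWithRefresh credentials =
        OAuth2CredentialsWithRefresh.newBuilder()
            .setAccessToken(handler.refreshAccessToken())
            .setRefreshHandler(handler)
            .build();
    return StorageOptions.newBuilder().setCredentials(credentials).build().getService();
  }

  public static void main(String[] args) throws IOException {
    DownscopedStorageClients clients = new DownscopedStorageClients();
    // Two clients, two independent boundaries, one factory and one source credential.
    Storage tenantA = clients.storageFor("tenant-a-bucket");
    Storage tenantB = clients.storageFor("tenant-b-bucket");
    System.out.println(tenantA.get(BlobId.of("tenant-a-bucket", "report.csv")).getBlobId());
    // This read is expected to be denied: tenantB's token is bounded to tenant-b-bucket.
    System.out.println(tenantB.get(BlobId.of("tenant-a-bucket", "report.csv")));
  }
}
```

Keeping the boundary per client, rather than one wide boundary shared by all callers, is the point of the client-side approach: generating a token is a local operation, so there is no cost pressure to widen the boundary for reuse.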
Static Methods
newBuilder()
public static ClientSideCredentialAccessBoundaryFactory.Builder newBuilder()
Returns

Type | Description
---|---
ClientSideCredentialAccessBoundaryFactory.Builder | A new Builder for configuring and constructing the factory.
Methods
generateToken(CredentialAccessBoundary accessBoundary)
public AccessToken generateToken(CredentialAccessBoundary accessBoundary)
Generates a downscoped access token given the CredentialAccessBoundary.
Parameter

Name | Description
---|---
accessBoundary | CredentialAccessBoundary The credential access boundary that defines the restrictions for the generated CAB token.

Returns

Type | Description
---|---
AccessToken | The downscoped access token in an AccessToken object
Exceptions

Type | Description
---|---
IOException | If an I/O error occurs while refreshing the source credentials or fetching the intermediate material from STS
dev.cel.common.CelValidationException | If an availability condition in the access boundary is not a valid CEL expression
GeneralSecurityException | If a cryptographic error occurs while the token is generated locally