Class ExternalAccountCredentials (1.20.0)

public abstract class ExternalAccountCredentials extends GoogleCredentials

Base external account credentials class.

Handles initializing external credentials, calls to the Security Token Service, and service account impersonation.

Inheritance

java.lang.Object > Credentials > OAuth2Credentials > GoogleCredentials > ExternalAccountCredentials

Inherited Members

Credentials.blockingGetToCallback(URI,RequestMetadataCallback)

Credentials.getRequestMetadata()

GoogleCredentials.create(AccessToken)

GoogleCredentials.createDelegated(String)

GoogleCredentials.createScoped(String)

GoogleCredentials.createScoped(Collection<String>)

GoogleCredentials.createScoped(Collection<String>,Collection<String>)

GoogleCredentials.createScopedRequired()

GoogleCredentials.createWithCustomRetryStrategy(boolean)

GoogleCredentials.createWithQuotaProject(String)

GoogleCredentials.fromStream(InputStream)

GoogleCredentials.fromStream(InputStream,HttpTransportFactory)

GoogleCredentials.getAdditionalHeaders()

GoogleCredentials.getApplicationDefault()

GoogleCredentials.getApplicationDefault(HttpTransportFactory)

GoogleCredentials.getQuotaProjectId()

GoogleCredentials.newBuilder()

GoogleCredentials.toBuilder()

OAuth2Credentials.<T>getFromServiceLoader(Class<? extends T>,T)

OAuth2Credentials.<T>newInstance(String)

OAuth2Credentials.addChangeListener(OAuth2Credentials.CredentialsChangedListener)

OAuth2Credentials.equals(Object)

OAuth2Credentials.getAccessToken()

OAuth2Credentials.getAuthenticationType()

OAuth2Credentials.getRequestMetadata(URI)

OAuth2Credentials.getRequestMetadata(URI,Executor,RequestMetadataCallback)

OAuth2Credentials.getRequestMetadataInternal()

OAuth2Credentials.hasRequestMetadata()

OAuth2Credentials.hasRequestMetadataOnly()

OAuth2Credentials.hashCode()

OAuth2Credentials.refresh()

OAuth2Credentials.refreshAccessToken()

OAuth2Credentials.refreshIfExpired()

OAuth2Credentials.removeChangeListener(OAuth2Credentials.CredentialsChangedListener)

OAuth2Credentials.toString()

Object.clone()

Object.finalize()

Object.getClass()

Object.notify()

Object.notifyAll()

Object.wait()

Object.wait(long)

Object.wait(long,int)

Static Methods

fromStream(InputStream credentialsStream)

public static ExternalAccountCredentials fromStream(InputStream credentialsStream)

Returns credentials defined by a JSON file stream.

Returns IdentityPoolCredentials or AwsCredentials.

Parameter
Name	Description
`credentialsStream`	`InputStream` the stream with the credential definition

Returns
Type	Description
`ExternalAccountCredentials`	the credential defined by the credentialsStream

Exceptions
Type	Description
`IOException`	if the credential cannot be created from the stream

fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory)

public static ExternalAccountCredentials fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory)

Returns credentials defined by a JSON file stream.

Returns a IdentityPoolCredentials or AwsCredentials.

Parameters
Name	Description
`credentialsStream`	`InputStream` the stream with the credential definition
`transportFactory`	`HttpTransportFactory` the HTTP transport factory used to create the transport to get access tokens

Returns
Type	Description
`ExternalAccountCredentials`	the credential defined by the credentialsStream

Exceptions
Type	Description
`IOException`	if the credential cannot be created from the stream

Constructors

ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes)

protected ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes)

Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.

Parameters
Name	Description
`transportFactory`	`HttpTransportFactory` HTTP transport factory, creates the transport used to get access tokens
`audience`	`String` the Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider
`subjectTokenType`	`String` the Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file
`tokenUrl`	`String` the Security Token Service token exchange endpoint
`credentialSource`	`com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource` the external credential source
`tokenInfoUrl`	`String` the endpoint used to retrieve account related information. Required for gCloud session account identification.
`serviceAccountImpersonationUrl`	`String` the URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null.
`quotaProjectId`	`String` the project used for quota and billing purposes. May be null.
`clientId`	`String` client ID of the service account from the console. May be null.
`clientSecret`	`String` client secret of the service account from the console. May be null.
`scopes`	`Collection<String>` the scopes to request during the authorization grant. May be null.

ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes, EnvironmentProvider environmentProvider)

protected ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes, EnvironmentProvider environmentProvider)

Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.

Parameters
Name	Description
`transportFactory`	`HttpTransportFactory` HTTP transport factory, creates the transport used to get access tokens
`audience`	`String` the Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider
`subjectTokenType`	`String` the Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file
`tokenUrl`	`String` the Security Token Service token exchange endpoint
`credentialSource`	`com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource` the external credential source
`tokenInfoUrl`	`String` the endpoint used to retrieve account related information. Required for gCloud session account identification.
`serviceAccountImpersonationUrl`	`String` the URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null.
`quotaProjectId`	`String` the project used for quota and billing purposes. May be null.
`clientId`	`String` client ID of the service account from the console. May be null.
`clientSecret`	`String` client secret of the service account from the console. May be null.
`scopes`	`Collection<String>` the scopes to request during the authorization grant. May be null.
`environmentProvider`	`com.google.auth.oauth2.EnvironmentProvider` the environment provider. May be null. Defaults to SystemEnvironmentProvider.

ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)

protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)

Internal constructor with minimum identifying information and custom HTTP transport. See ExternalAccountCredentials.Builder.

Parameter
Name	Description
`builder`	`ExternalAccountCredentials.Builder` the `Builder` object used to construct the credentials.

Fields

impersonatedCredentials

protected final ImpersonatedCredentials impersonatedCredentials

Field Value
Type	Description
`ImpersonatedCredentials`

transportFactory

protected transient HttpTransportFactory transportFactory

Field Value
Type	Description
`HttpTransportFactory`

Methods

exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest stsTokenExchangeRequest)

protected AccessToken exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest stsTokenExchangeRequest)

Exchanges the external credential for a Google Cloud access token.

Parameter
Name	Description
`stsTokenExchangeRequest`	`com.google.auth.oauth2.StsTokenExchangeRequest` the Security Token Service token exchange request

Returns
Type	Description
`AccessToken`	the access token returned by the Security Token Service

Exceptions
Type	Description
`IOException`	if the call to the Security Token Service fails

getAudience()

public String getAudience()

Returns
Type	Description
`String`

getClientId()

public String getClientId()

Returns
Type	Description
`String`

getClientSecret()

public String getClientSecret()

Returns
Type	Description
`String`

getCredentialSource()

public ExternalAccountCredentials.CredentialSource getCredentialSource()

Returns
Type	Description
`com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource`

getRequestMetadata(URI uri)

public Map<String,List<String>> getRequestMetadata(URI uri)

Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.

Parameter
Name	Description
`uri`	`URI`

Returns
Type	Description
`Map<String,List<String>>`

Overrides

OAuth2Credentials.getRequestMetadata(URI uri)

Exceptions
Type	Description
`IOException`

getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)

public void getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)

Get the current request metadata without blocking.

This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.

The default implementation will just call #getRequestMetadata(URI) then the callback from the given executor.

The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.

Parameters
Name	Description
`uri`	`URI`
`executor`	`Executor`
`callback`	`RequestMetadataCallback`

Overrides

OAuth2Credentials.getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)

getScopes()

public Collection<String> getScopes()

Returns
Type	Description
`Collection<String>`

getServiceAccountEmail()

public String getServiceAccountEmail()

Returns
Type	Description
`String`	The service account email to be impersonated, if available

getServiceAccountImpersonationOptions()

public ExternalAccountCredentials.ServiceAccountImpersonationOptions getServiceAccountImpersonationOptions()

Returns
Type	Description
`com.google.auth.oauth2.ExternalAccountCredentials.ServiceAccountImpersonationOptions`

getServiceAccountImpersonationUrl()

public String getServiceAccountImpersonationUrl()

Returns
Type	Description
`String`

getSubjectTokenType()

public String getSubjectTokenType()

Returns
Type	Description
`String`

getTokenInfoUrl()

public String getTokenInfoUrl()

Returns
Type	Description
`String`

getTokenUrl()

public String getTokenUrl()

Returns
Type	Description
`String`

getWorkforcePoolUserProject()

public String getWorkforcePoolUserProject()

Returns
Type	Description
`String`

isWorkforcePoolConfiguration()

public boolean isWorkforcePoolConfiguration()

Returns
Type	Description
`boolean`	whether the current configuration is for Workforce Pools (which enable 3p user identities, rather than workloads)

retrieveSubjectToken()

public abstract String retrieveSubjectToken()

Retrieves the external subject token to be exchanged for a Google Cloud access token.

Must be implemented by subclasses as the retrieval method is dependent on the credential source.

Returns
Type	Description
`String`	the external subject token

Exceptions
Type	Description
`IOException`	if the subject token cannot be retrieved