public class ServiceAccountCredentials extends GoogleCredentials implements ServiceAccountSigner, IdTokenProvider, JwtProvider
OAuth2 credentials representing a Service Account for calling Google APIs.
By default uses a JSON Web Token (JWT) to fetch access tokens.
Inheritance
Object > Credentials > OAuth2Credentials > GoogleCredentials > ServiceAccountCredentials
Static Methods
fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes)
public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes)
Factory with minimum identifying information using PKCS#8 for the private key.
Parameters | |
---|---|
Name | Description |
clientId |
String Client ID of the service account from the console. May be null. |
clientEmail |
String Client email address of the service account from the console. |
privateKeyPkcs8 |
String RSA private key object for the service account in PKCS#8 format. |
privateKeyId |
String Private key identifier for the service account. May be null. |
scopes |
Collection<String> Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use. |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
New ServiceAccountCredentials created from a private key. |
Exceptions | |
---|---|
Type | Description |
IOException |
if the credential cannot be created from the private key. |
fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri)
public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri)
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
Parameters | |
---|---|
Name | Description |
clientId |
String Client ID of the service account from the console. May be null. |
clientEmail |
String Client email address of the service account from the console. |
privateKeyPkcs8 |
String RSA private key object for the service account in PKCS#8 format. |
privateKeyId |
String Private key identifier for the service account. May be null. |
scopes |
Collection<String> Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use. |
transportFactory |
HttpTransportFactory HTTP transport factory, creates the transport used to get access tokens. |
tokenServerUri |
URI URI of the end point that provides tokens. |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
New ServiceAccountCredentials created from a private key. |
Exceptions | |
---|---|
Type | Description |
IOException |
if the credential cannot be created from the private key. |
fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser)
public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser)
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
Parameters | |
---|---|
Name | Description |
clientId |
String Client ID of the service account from the console. May be null. |
clientEmail |
String Client email address of the service account from the console. |
privateKeyPkcs8 |
String RSA private key object for the service account in PKCS#8 format. |
privateKeyId |
String Private key identifier for the service account. May be null. |
scopes |
Collection<String> Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use. |
transportFactory |
HttpTransportFactory HTTP transport factory, creates the transport used to get access tokens. |
tokenServerUri |
URI URI of the end point that provides tokens. |
serviceAccountUser |
String The email of the user account to impersonate, if delegating domain-wide authority to the service account. |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
New ServiceAccountCredentials created from a private key. |
Exceptions | |
---|---|
Type | Description |
IOException |
if the credential cannot be created from the private key. |
fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes)
public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes)
Factory with minimum identifying information using PKCS#8 for the private key.
Parameters | |
---|---|
Name | Description |
clientId |
String client ID of the service account from the console. May be null. |
clientEmail |
String client email address of the service account from the console |
privateKeyPkcs8 |
String RSA private key object for the service account in PKCS#8 format. |
privateKeyId |
String private key identifier for the service account. May be null. |
scopes |
Collection<String> scope strings for the APIs to be called. May be null or an empty collection. |
defaultScopes |
Collection<String> default scope strings for the APIs to be called. May be null or an empty collection. |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
new ServiceAccountCredentials created from a private key |
Exceptions | |
---|---|
Type | Description |
IOException |
if the credential cannot be created from the private key |
fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri)
public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri)
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
Parameters | |
---|---|
Name | Description |
clientId |
String client ID of the service account from the console. May be null. |
clientEmail |
String client email address of the service account from the console |
privateKeyPkcs8 |
String RSA private key object for the service account in PKCS#8 format. |
privateKeyId |
String private key identifier for the service account. May be null. |
scopes |
Collection<String> scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use. |
defaultScopes |
Collection<String> default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use. |
transportFactory |
HttpTransportFactory HTTP transport factory, creates the transport used to get access tokens. |
tokenServerUri |
URI URI of the end point that provides tokens |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
new ServiceAccountCredentials created from a private key |
Exceptions | |
---|---|
Type | Description |
IOException |
if the credential cannot be created from the private key |
fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser)
public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser)
Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
Parameters | |
---|---|
Name | Description |
clientId |
String client ID of the service account from the console. May be null. |
clientEmail |
String client email address of the service account from the console |
privateKeyPkcs8 |
String RSA private key object for the service account in PKCS#8 format. |
privateKeyId |
String private key identifier for the service account. May be null. |
scopes |
Collection<String> scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use. |
defaultScopes |
Collection<String> default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use. |
transportFactory |
HttpTransportFactory HTTP transport factory, creates the transport used to get access tokens. |
tokenServerUri |
URI URI of the end point that provides tokens |
serviceAccountUser |
String the email of the user account to impersonate, if delegating domain-wide authority to the service account. |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
new ServiceAccountCredentials created from a private key |
Exceptions | |
---|---|
Type | Description |
IOException |
if the credential cannot be created from the private key |
fromStream(InputStream credentialsStream)
public static ServiceAccountCredentials fromStream(InputStream credentialsStream)
Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to the documentation.
Parameter | |
---|---|
Name | Description |
credentialsStream |
InputStream the stream with the credential definition. |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
the credential defined by the credentialsStream. |
Exceptions | |
---|---|
Type | Description |
IOException |
if the credential cannot be created from the stream. |
fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory)
public static ServiceAccountCredentials fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory)
Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to the documentation.
Parameters | |
---|---|
Name | Description |
credentialsStream |
InputStream the stream with the credential definition. |
transportFactory |
HttpTransportFactory HTTP transport factory, creates the transport used to get access tokens. |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
the credential defined by the credentialsStream. |
Exceptions | |
---|---|
Type | Description |
IOException |
if the credential cannot be created from the stream. |
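One way to apply the validation requirement stated for both fromStream overloads, as an added example that is not part of the library or its documentation. It assumes a policy of accepting only `service_account` configurations whose `token_uri` and `universe_domain`, when present, equal the pinned values; the class name, the pinned values, the 16 KB limit, the use of GsonFactory from google-http-client and Java 11 or later are assumptions of this example.

```java
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.auth.oauth2.ServiceAccountCredentials;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public final class ValidatedServiceAccountLoader {
  // Assumed policy for this example: the only credential type and endpoints accepted.
  private static final String EXPECTED_TYPE = "service_account";
  private static final Map<String, String> PINNED_FIELDS = Map.of(
      "token_uri", "https://oauth2.googleapis.com/token",
      "universe_domain", "googleapis.com");
  private static final int MAX_BYTES = 16 * 1024; // a key file is a few KB

  /** Validates an externally supplied key file, then hands the same bytes to fromStream. */
  public static ServiceAccountCredentials load(InputStream untrusted) throws IOException {
    byte[] raw = untrusted.readNBytes(MAX_BYTES + 1);
    if (raw.length > MAX_BYTES) {
      throw new IOException("credential configuration too large");
    }
    GenericJson json = GsonFactory.getDefaultInstance()
        .fromString(new String(raw, StandardCharsets.UTF_8), GenericJson.class);
    validate(json);
    // Parse the exact bytes that were validated, not a second read of the source.
    return ServiceAccountCredentials.fromStream(new ByteArrayInputStream(raw));
  }

  static void validate(Map<String, Object> json) throws IOException {
    if (!EXPECTED_TYPE.equals(json.get("type"))) {
      throw new IOException("rejected credential type: " + json.get("type"));
    }
    for (Map.Entry<String, String> pin : PINNED_FIELDS.entrySet()) {
      Object value = json.get(pin.getKey());
      // An absent field is left to the library; a present one must match exactly.
      if (value != null && !pin.getValue().equals(value)) {
        throw new IOException("rejected " + pin.getKey() + ": " + value);
      }
    }
  }

  public static void main(String[] args) {
    // Constructed sample: a configuration whose token_uri is not the pinned endpoint.
    String tampered = "{\"type\":\"service_account\","
        + "\"client_email\":\"sa@example-project.iam.gserviceaccount.com\","
        + "\"token_uri\":\"https://tokens.example.invalid/token\"}";
    try {
      load(new ByteArrayInputStream(tampered.getBytes(StandardCharsets.UTF_8)));
      System.out.println("accepted");
    } catch (IOException e) {
      System.out.println(e.getMessage());
    }
  }
}
```

Validation runs on a buffered copy so that the bytes checked and the bytes parsed by fromStream cannot differ.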
newBuilder()
public static ServiceAccountCredentials.Builder newBuilder()
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials.Builder |
Methods
createDelegated(String user)
public GoogleCredentials createDelegated(String user)
If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.
Parameter | |
---|---|
Name | Description |
user |
String |
Returns | |
---|---|
Type | Description |
GoogleCredentials |
createScoped(Collection<String> newScopes)
public GoogleCredentials createScoped(Collection<String> newScopes)
Clones the service account with the specified scopes.
Should be called before use for instances with empty scopes.
Parameter | |
---|---|
Name | Description |
newScopes |
Collection<String> |
Returns | |
---|---|
Type | Description |
GoogleCredentials |
createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes)
public GoogleCredentials createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes)
Clones the service account with the specified scopes. The Access Token is invalidated even if the same scopes are provided. Access Tokens contain information of the internal values (i.e. scope). If an internal value (scope) is modified, then the existing Access Token is no longer valid and should not be re-used.
Should be called before use for instances with empty scopes.
Parameters | |
---|---|
Name | Description |
newScopes |
Collection<String> |
newDefaultScopes |
Collection<String> |
Returns | |
---|---|
Type | Description |
GoogleCredentials |
createScopedRequired()
public boolean createScopedRequired()
Returns whether the scopes are empty, meaning createScoped must be called before use.
Returns | |
---|---|
Type | Description |
boolean |
createWithCustomLifetime(int lifetime)
public ServiceAccountCredentials createWithCustomLifetime(int lifetime)
Clones the service account with a new lifetime value.
Parameter | |
---|---|
Name | Description |
lifetime |
int life time value in seconds. The value should be at most 43200 (12 hours). If the token is used for calling a Google API, then the value should be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used when creating the credentials. |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
the cloned service account credentials with the given custom life time |
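The scoping and lifetime rules described for createScoped, createScopedRequired and createWithCustomLifetime, combined into one helper as an added example that is not the library's own code. The class and method names, the placeholder service account email, the 900-second lifetime and the throwaway key generated at run time are assumptions of this example, as is passing the key to fromPkcs8 as PEM-armoured PKCS#8 text.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Collection;
import java.util.List;

public final class NarrowedCredentials {
  // Upper bound the page gives for tokens used to call a Google API.
  private static final int MAX_API_LIFETIME_SECONDS = 3600;

  /** Returns a copy limited to the given scopes and lifetime; rejects inputs that widen silently. */
  public static GoogleCredentials narrow(
      ServiceAccountCredentials base, Collection<String> scopes, int lifetimeSeconds) {
    if (scopes == null || scopes.isEmpty()) {
      throw new IllegalArgumentException("at least one scope is required");
    }
    // 0 is refused because the library would substitute the 3600 s default for it.
    if (lifetimeSeconds <= 0 || lifetimeSeconds > MAX_API_LIFETIME_SECONDS) {
      throw new IllegalArgumentException("lifetime must be 1.." + MAX_API_LIFETIME_SECONDS);
    }
    GoogleCredentials scoped = base.createWithCustomLifetime(lifetimeSeconds).createScoped(scopes);
    if (scoped.createScopedRequired()) {
      throw new IllegalStateException("credential is still unscoped");
    }
    return scoped;
  }

  /** Wraps a freshly generated RSA key as PEM PKCS#8 text (assumed input form for fromPkcs8). */
  static String throwawayPkcs8Pem() throws NoSuchAlgorithmException {
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
    generator.initialize(2048);
    KeyPair pair = generator.generateKeyPair();
    String body = Base64.getMimeEncoder(64, new byte[] {'\n'})
        .encodeToString(pair.getPrivate().getEncoded());
    return "-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n";
  }

  public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
    // Constructed identity: placeholder email and throwaway key, not a real account.
    ServiceAccountCredentials base = ServiceAccountCredentials.fromPkcs8(
        null, "sa@example-project.iam.gserviceaccount.com", throwawayPkcs8Pem(), null, null);
    System.out.println("unscoped: " + base.createScopedRequired());

    GoogleCredentials narrowed = narrow(
        base, List.of("https://www.googleapis.com/auth/devstorage.read_only"), 900);
    System.out.println("unscoped after narrow: " + narrowed.createScopedRequired());
  }
}
```

No network call is made here; a token request would only happen on the first refresh of the returned credential.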
createWithCustomRetryStrategy(boolean defaultRetriesEnabled)
public ServiceAccountCredentials createWithCustomRetryStrategy(boolean defaultRetriesEnabled)
Clones the service account with the specified default retries.
Parameter | |
---|---|
Name | Description |
defaultRetriesEnabled |
boolean a flag enabling or disabling default retries |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
GoogleCredentials with the specified retry configuration. |
createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope)
public ServiceAccountCredentials createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope)
Clones the service account with a new useJwtAccessWithScope value. This flag will be ignored if universeDomain field is different from Credentials#GOOGLE_DEFAULT_UNIVERSE.
Parameter | |
---|---|
Name | Description |
useJwtAccessWithScope |
boolean whether self-signed JWT with scopes should be used |
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials |
the cloned service account credentials with the given useJwtAccessWithScope |
equals(Object obj)
public boolean equals(Object obj)
Parameter | |
---|---|
Name | Description |
obj |
Object |
Returns | |
---|---|
Type | Description |
boolean |
getAccount()
public String getAccount()
Returns the service account associated with the signer.
Returns | |
---|---|
Type | Description |
String |
getClientEmail()
public final String getClientEmail()
Returns | |
---|---|
Type | Description |
String |
getClientId()
public final String getClientId()
Returns | |
---|---|
Type | Description |
String |
getDefaultScopes()
public final Collection<String> getDefaultScopes()
Returns | |
---|---|
Type | Description |
Collection<String> |
getMetricsCredentialType()
public CredentialTypeForMetrics getMetricsCredentialType()
Gets the credential type used for internal metrics header.
The default is CredentialTypeForMetrics.DO_NOT_SEND. For a credential that is established to track for metrics, this default should be overridden.
Returns | |
---|---|
Type | Description |
CredentialTypeForMetrics |
getPrivateKey()
public final PrivateKey getPrivateKey()
Returns | |
---|---|
Type | Description |
PrivateKey |
getPrivateKeyId()
public final String getPrivateKeyId()
Returns | |
---|---|
Type | Description |
String |
getProjectId()
public final String getProjectId()
Returns | |
---|---|
Type | Description |
String |
getRequestMetadata(URI uri)
public Map<String,List<String>> getRequestMetadata(URI uri)
Provide the request metadata by putting an access JWT directly in the metadata.
Parameter | |
---|---|
Name | Description |
uri |
URI |
Returns | |
---|---|
Type | Description |
Map<String,List<String>> |
Exceptions | |
---|---|
Type | Description |
IOException |
getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)
public void getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)
Get the current request metadata without blocking.
This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.
The default implementation will just call #getRequestMetadata(URI) then the callback from the given executor.
The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.
Parameters | |
---|---|
Name | Description |
uri |
URI |
executor |
Executor |
callback |
RequestMetadataCallback |
getScopes()
public final Collection<String> getScopes()
Returns | |
---|---|
Type | Description |
Collection<String> |
getServiceAccountUser()
public final String getServiceAccountUser()
Returns | |
---|---|
Type | Description |
String |
getTokenServerUri()
public final URI getTokenServerUri()
Returns | |
---|---|
Type | Description |
URI |
getUseJwtAccessWithScope()
public boolean getUseJwtAccessWithScope()
Returns | |
---|---|
Type | Description |
boolean |
hashCode()
public int hashCode()
Returns | |
---|---|
Type | Description |
int |
idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)
public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)
Returns a Google ID Token from either the OAuth or IAM Endpoint. For Credentials that are in the Google Default Universe (googleapis.com), the ID Token will be retrieved from the OAuth Endpoint. Otherwise, it will be retrieved from the IAM Endpoint.
Parameters | |
---|---|
Name | Description |
targetAudience |
String the aud: field the IdToken should include. |
options |
List<Option> list of Credential specific options for the token. Currently, unused for ServiceAccountCredentials. |
Returns | |
---|---|
Type | Description |
IdToken |
IdToken object which includes the raw id_token, expiration and audience |
Exceptions | |
---|---|
Type | Description |
IOException |
if the attempt to get an IdToken failed |
jwtWithClaims(JwtClaims newClaims)
public JwtCredentials jwtWithClaims(JwtClaims newClaims)
Returns a new JwtCredentials instance with modified claims.
Parameter | |
---|---|
Name | Description |
newClaims |
JwtClaims new claims. Any unspecified claim fields will default to the current values. |
Returns | |
---|---|
Type | Description |
JwtCredentials |
new credentials |
refreshAccessToken()
public AccessToken refreshAccessToken()
Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).
Returns | |
---|---|
Type | Description |
AccessToken |
Exceptions | |
---|---|
Type | Description |
IOException |
sign(byte[] toSign)
public byte[] sign(byte[] toSign)
Signs the provided bytes using the private key associated with the service account.
Parameter | |
---|---|
Name | Description |
toSign |
byte[] |
Returns | |
---|---|
Type | Description |
byte[] |
toBuilder()
public ServiceAccountCredentials.Builder toBuilder()
Returns | |
---|---|
Type | Description |
ServiceAccountCredentials.Builder |
toStringHelper()
protected MoreObjects.ToStringHelper toStringHelper()
A helper for overriding the toString() method. This allows inheritance of superclass fields. Extending classes can override this implementation, call the super implementation and add more fields. The same cannot be done by overriding toString() directly.
Returns | |
---|---|
Type | Description |
com.google.common.base.MoreObjects.ToStringHelper |