Class ServiceAccountCredentials (1.20.0)

public class ServiceAccountCredentials extends GoogleCredentials implements ServiceAccountSigner, IdTokenProvider, JwtProvider

OAuth2 credentials representing a Service Account for calling Google APIs.

By default uses a JSON Web Token (JWT) to fetch access tokens.

Inheritance

Object > Credentials > OAuth2Credentials > GoogleCredentials > ServiceAccountCredentials

Static Methods

fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes)

public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes)

Factory with minimum identifying information using PKCS#8 for the private key.

Parameters

clientId (String): Client ID of the service account from the console. May be null.
clientEmail (String): Client email address of the service account from the console.
privateKeyPkcs8 (String): RSA private key object for the service account in PKCS#8 format.
privateKeyId (String): Private key identifier for the service account. May be null.
scopes (Collection<String>): Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.

Returns

ServiceAccountCredentials: New ServiceAccountCredentials created from a private key.

Exceptions

IOException: if the credential cannot be created from the private key.

fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri)

public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri)

Factory with minimum identifying information and custom transport using PKCS#8 for the private key.

Parameters

clientId (String): Client ID of the service account from the console. May be null.
clientEmail (String): Client email address of the service account from the console.
privateKeyPkcs8 (String): RSA private key object for the service account in PKCS#8 format.
privateKeyId (String): Private key identifier for the service account. May be null.
scopes (Collection<String>): Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
transportFactory (HttpTransportFactory): HTTP transport factory, creates the transport used to get access tokens.
tokenServerUri (URI): URI of the end point that provides tokens.

Returns

ServiceAccountCredentials: New ServiceAccountCredentials created from a private key.

Exceptions

IOException: if the credential cannot be created from the private key.

fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser)

public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser)

Factory with minimum identifying information and custom transport using PKCS#8 for the private key.

Parameters

clientId (String): Client ID of the service account from the console. May be null.
clientEmail (String): Client email address of the service account from the console.
privateKeyPkcs8 (String): RSA private key object for the service account in PKCS#8 format.
privateKeyId (String): Private key identifier for the service account. May be null.
scopes (Collection<String>): Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
transportFactory (HttpTransportFactory): HTTP transport factory, creates the transport used to get access tokens.
tokenServerUri (URI): URI of the end point that provides tokens.
serviceAccountUser (String): The email of the user account to impersonate, if delegating domain-wide authority to the service account.

Returns

ServiceAccountCredentials: New ServiceAccountCredentials created from a private key.

Exceptions

IOException: if the credential cannot be created from the private key.

fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes)

public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes)

Factory with minimum identifying information using PKCS#8 for the private key.

Parameters

clientId (String): client ID of the service account from the console. May be null.
clientEmail (String): client email address of the service account from the console
privateKeyPkcs8 (String): RSA private key object for the service account in PKCS#8 format.
privateKeyId (String): private key identifier for the service account. May be null.
scopes (Collection<String>): scope strings for the APIs to be called. May be null or an empty collection.
defaultScopes (Collection<String>): default scope strings for the APIs to be called. May be null or an empty collection.

Returns

ServiceAccountCredentials: new ServiceAccountCredentials created from a private key

Exceptions

IOException: if the credential cannot be created from the private key

fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri)

public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri)

Factory with minimum identifying information and custom transport using PKCS#8 for the private key.

Parameters

clientId (String): client ID of the service account from the console. May be null.
clientEmail (String): client email address of the service account from the console
privateKeyPkcs8 (String): RSA private key object for the service account in PKCS#8 format.
privateKeyId (String): private key identifier for the service account. May be null.
scopes (Collection<String>): scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
defaultScopes (Collection<String>): default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
transportFactory (HttpTransportFactory): HTTP transport factory, creates the transport used to get access tokens.
tokenServerUri (URI): URI of the end point that provides tokens

Returns

ServiceAccountCredentials: new ServiceAccountCredentials created from a private key

Exceptions

IOException: if the credential cannot be created from the private key

fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser)

public static ServiceAccountCredentials fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, Collection<String> defaultScopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser)

Factory with minimum identifying information and custom transport using PKCS#8 for the private key.

Parameters

clientId (String): client ID of the service account from the console. May be null.
clientEmail (String): client email address of the service account from the console
privateKeyPkcs8 (String): RSA private key object for the service account in PKCS#8 format.
privateKeyId (String): private key identifier for the service account. May be null.
scopes (Collection<String>): scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
defaultScopes (Collection<String>): default scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.
transportFactory (HttpTransportFactory): HTTP transport factory, creates the transport used to get access tokens.
tokenServerUri (URI): URI of the end point that provides tokens
serviceAccountUser (String): the email of the user account to impersonate, if delegating domain-wide authority to the service account.

Returns

ServiceAccountCredentials: new ServiceAccountCredentials created from a private key

Exceptions

IOException: if the credential cannot be created from the private key

fromStream(InputStream credentialsStream)

public static ServiceAccountCredentials fromStream(InputStream credentialsStream)

Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.

Parameter

credentialsStream (InputStream): the stream with the credential definition.

Returns

ServiceAccountCredentials: the credential defined by the credentialsStream.

Exceptions

IOException: if the credential cannot be created from the stream.

fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory)

public static ServiceAccountCredentials fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory)

Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.

Parameters

credentialsStream (InputStream): the stream with the credential definition.
transportFactory (HttpTransportFactory): HTTP transport factory, creates the transport used to get access tokens.

Returns

ServiceAccountCredentials: the credential defined by the credentialsStream.

Exceptions

IOException: if the credential cannot be created from the stream.

newBuilder()

public static ServiceAccountCredentials.Builder newBuilder()
Returns

ServiceAccountCredentials.Builder

Methods

createDelegated(String user)

public GoogleCredentials createDelegated(String user)

If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.

Parameter

user (String)

Returns

GoogleCredentials

Overrides

createScoped(Collection<String> newScopes)

public GoogleCredentials createScoped(Collection<String> newScopes)

Clones the service account with the specified scopes.

Should be called before use for instances with empty scopes.

Parameter

newScopes (Collection<String>)

Returns

GoogleCredentials

Overrides

createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes)

public GoogleCredentials createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes)

Clones the service account with the specified scopes.

Should be called before use for instances with empty scopes.

Parameters

newScopes (Collection<String>)
newDefaultScopes (Collection<String>)

Returns

GoogleCredentials

Overrides

createScopedRequired()

public boolean createScopedRequired()

Returns whether the scopes are empty, meaning createScoped must be called before use.

Returns

boolean

Overrides

createWithCustomLifetime(int lifetime)

public ServiceAccountCredentials createWithCustomLifetime(int lifetime)

Clones the service account with a new lifetime value.

Parameter

lifetime (int): Lifetime value in seconds. The value should be at most 43200 (12 hours). If the token is used for calling a Google API, then the value should be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used when creating the credentials.

Returns

ServiceAccountCredentials: the cloned service account credentials with the given custom lifetime

createWithCustomRetryStrategy(boolean defaultRetriesEnabled)

public ServiceAccountCredentials createWithCustomRetryStrategy(boolean defaultRetriesEnabled)

Clones the service account with the specified default retries.

Parameter

defaultRetriesEnabled (boolean): a flag enabling or disabling default retries

Returns

ServiceAccountCredentials: GoogleCredentials with the specified retry configuration.

Overrides

createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope)

public ServiceAccountCredentials createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope)

Clones the service account with a new useJwtAccessWithScope value.

Parameter

useJwtAccessWithScope (boolean): whether self signed JWT with scopes should be used

Returns

ServiceAccountCredentials: the cloned service account credentials with the given useJwtAccessWithScope

equals(Object obj)

public boolean equals(Object obj)
Parameter

obj (Object)

Returns

boolean

Overrides

getAccount()

public String getAccount()

Returns the service account associated with the signer.

Returns

String

getClientEmail()

public final String getClientEmail()
Returns

String

getClientId()

public final String getClientId()
Returns

String

getDefaultScopes()

public final Collection<String> getDefaultScopes()
Returns

Collection<String>

getPrivateKey()

public final PrivateKey getPrivateKey()
Returns

PrivateKey

getPrivateKeyId()

public final String getPrivateKeyId()
Returns

String

getProjectId()

public final String getProjectId()
Returns

String

getRequestMetadata(URI uri)

public Map<String,List<String>> getRequestMetadata(URI uri)

Provide the request metadata by putting an access JWT directly in the metadata.

Parameter

uri (URI)

Returns

Map<String,List<String>>

Overrides

Exceptions

IOException

getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)

public void getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)

Get the current request metadata without blocking.

This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.

The default implementation will just call getRequestMetadata(URI) then the callback from the given executor.

The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.

Parameters

uri (URI)
executor (Executor)
callback (RequestMetadataCallback)

Overrides

getScopes()

public final Collection<String> getScopes()
Returns

Collection<String>

getServiceAccountUser()

public final String getServiceAccountUser()
Returns

String

getTokenServerUri()

public final URI getTokenServerUri()
Returns

URI

getUseJwtAccessWithScope()

public boolean getUseJwtAccessWithScope()
Returns

boolean

hashCode()

public int hashCode()
Returns

int

Overrides

idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)

public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)

Returns a Google ID Token from the metadata server on ComputeEngine.

Parameters

targetAudience (String): the aud: field the IdToken should include.
options (List<Option>): list of Credential specific options for the token. Currently unused for ServiceAccountCredentials.

Returns

IdToken: IdToken object which includes the raw id_token, expiration and audience

Exceptions

IOException: if the attempt to get an IdToken failed

jwtWithClaims(JwtClaims newClaims)

public JwtCredentials jwtWithClaims(JwtClaims newClaims)

Returns a new JwtCredentials instance with modified claims.

Parameter

newClaims (JwtClaims): new claims. Any unspecified claim fields will default to the current values.

Returns

JwtCredentials: new credentials

refreshAccessToken()

public AccessToken refreshAccessToken()

Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).

Returns

AccessToken

Overrides

Exceptions

IOException

sign(byte[] toSign)

public byte[] sign(byte[] toSign)

Signs the provided bytes using the private key associated with the service account.

Parameter

toSign (byte[])

Returns

byte[]
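
An added example (not part of the library's documentation) that exercises fromPkcs8, createScopedRequired, createScoped, createWithCustomLifetime and sign together without any network call. The key pair is generated in-process, the e-mail address, scope choice and payload are constructed sample values, and it assumes the key is supplied as PEM-wrapped PKCS#8 text and that sign produces a SHA256withRSA signature.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Base64;
import java.util.Collections;

public class ScopedSignerExample {
  // Constructed sample values; not a real service account.
  static final String EMAIL = "example-sa@example-project.iam.gserviceaccount.com";
  static final String READ_ONLY = "https://www.googleapis.com/auth/devstorage.read_only";

  public static void main(String[] args) throws Exception {
    // Throwaway key pair generated in-process, so no real key material is involved.
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair pair = gen.generateKeyPair();

    // getEncoded() on a JCA RSA private key is PKCS#8 DER; wrap it as PEM text
    // (assumption: fromPkcs8 expects the "PRIVATE KEY" PEM section).
    String pem = "-----BEGIN PRIVATE KEY-----\n"
        + Base64.getMimeEncoder(64, new byte[] {'\n'})
            .encodeToString(pair.getPrivate().getEncoded())
        + "\n-----END PRIVATE KEY-----\n";

    // Null scopes: the credential exists but must be scoped before use.
    ServiceAccountCredentials base =
        ServiceAccountCredentials.fromPkcs8(null, EMAIL, pem, null, null);
    if (!base.createScopedRequired()) {
      throw new IllegalStateException("expected an unscoped credential");
    }

    // Least privilege: a single read-only scope and a 900 s lifetime
    // instead of the 3600 s default.
    GoogleCredentials scoped = base.createScoped(Collections.singletonList(READ_ONLY));
    ServiceAccountCredentials narrow =
        ((ServiceAccountCredentials) scoped).createWithCustomLifetime(900);
    System.out.println("scopes=" + narrow.getScopes()
        + " createScopedRequired=" + narrow.createScopedRequired());

    // sign() uses the account's private key; verify against the public half.
    byte[] message = "constructed payload".getBytes(StandardCharsets.UTF_8);
    byte[] signature = narrow.sign(message);
    Signature verifier = Signature.getInstance("SHA256withRSA"); // assumed algorithm
    verifier.initVerify(pair.getPublic());
    verifier.update(message);
    System.out.println("account=" + narrow.getAccount()
        + " verified=" + verifier.verify(signature));
  }
}
```

Each create* call returns a clone, so `base` stays unscoped and can be kept as a template from which narrowly scoped, short-lived credentials are derived per consumer.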

toBuilder()

public ServiceAccountCredentials.Builder toBuilder()
Returns

ServiceAccountCredentials.Builder

Overrides

toString()

public String toString()
Returns

String

Overrides