Class IamCredentialsClient (2.0.14)

public class IamCredentialsClient implements BackgroundResource

Service Description: A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.

Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.

This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response =
       iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }
 

Note: close() needs to be called on the IamCredentialsClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().

The surface of this class includes several types of Java methods for each of the API's methods:

  1. A "flattened" method. With this type of method, the fields of the request type have been converted into function parameters. It may be the case that not all fields are available as parameters, and not every API method will have a flattened method entry point.
  2. A "request object" method. This type of method only takes one parameter, a request object, which must be constructed before the call. Not every API method will have a request object method.
  3. A "callable" method. This type of method takes no parameters and returns an immutable API callable object, which can be used to initiate calls to the service.

See the individual methods for example code.

Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.

This class can be customized by passing in a custom instance of IamCredentialsSettings to create(). For example:

To customize credentials:


 IamCredentialsSettings iamCredentialsSettings =
     IamCredentialsSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
         .build();
 IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create(iamCredentialsSettings);
 

To customize the endpoint:


 IamCredentialsSettings iamCredentialsSettings =
     IamCredentialsSettings.newBuilder().setEndpoint(myEndpoint).build();
 IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create(iamCredentialsSettings);
 

Please refer to the GitHub repository's samples for more quickstart code snippets.

Inheritance

java.lang.Object > IamCredentialsClient

Implements

BackgroundResource

Static Methods

create()

public static final IamCredentialsClient create()

Constructs an instance of IamCredentialsClient with default settings.

Returns
TypeDescription
IamCredentialsClient
Exceptions
TypeDescription
IOException

create(IamCredentialsSettings settings)

public static final IamCredentialsClient create(IamCredentialsSettings settings)

Constructs an instance of IamCredentialsClient, using the given settings. The channels are created based on the settings passed in, or defaults for any settings that are not set.

Parameter
NameDescription
settingsIamCredentialsSettings
Returns
TypeDescription
IamCredentialsClient
Exceptions
TypeDescription
IOException

create(IamCredentialsStub stub)

public static final IamCredentialsClient create(IamCredentialsStub stub)

Constructs an instance of IamCredentialsClient, using the given stub for making calls. This is for advanced usage - prefer using create(IamCredentialsSettings).

Parameter
NameDescription
stubIamCredentialsStub
Returns
TypeDescription
IamCredentialsClient

Constructors

IamCredentialsClient(IamCredentialsSettings settings)

protected IamCredentialsClient(IamCredentialsSettings settings)

Constructs an instance of IamCredentialsClient, using the given settings. This is protected so that it is easy to make a subclass, but otherwise, the static factory methods should be preferred.

Parameter
NameDescription
settingsIamCredentialsSettings

IamCredentialsClient(IamCredentialsStub stub)

protected IamCredentialsClient(IamCredentialsStub stub)
Parameter
NameDescription
stubIamCredentialsStub

Methods

awaitTermination(long duration, TimeUnit unit)

public boolean awaitTermination(long duration, TimeUnit unit)
Parameters
NameDescription
durationlong
unitTimeUnit
Returns
TypeDescription
boolean
Exceptions
TypeDescription
InterruptedException

close()

public final void close()

generateAccessToken(GenerateAccessTokenRequest request)

public final GenerateAccessTokenResponse generateAccessToken(GenerateAccessTokenRequest request)

Generates an OAuth 2.0 access token for a service account.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateAccessTokenRequest request =
       GenerateAccessTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .addAllScope(new ArrayList<String>())
           .setLifetime(Duration.newBuilder().build())
           .build();
   GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(request);
 }
 
Parameter
NameDescription
requestGenerateAccessTokenRequest

The request object containing all of the parameters for the API call.

Returns
TypeDescription
GenerateAccessTokenResponse

generateAccessToken(ServiceAccountName name, List<String> delegates, List<String> scope, Duration lifetime)

public final GenerateAccessTokenResponse generateAccessToken(ServiceAccountName name, List<String> delegates, List<String> scope, Duration lifetime)

Generates an OAuth 2.0 access token for a service account.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response =
       iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }
 
Parameters
NameDescription
nameServiceAccountName

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

delegatesList<String>

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

scopeList<String>

Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.

lifetimeDuration

The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.

Returns
TypeDescription
GenerateAccessTokenResponse

generateAccessToken(String name, List<String> delegates, List<String> scope, Duration lifetime)

public final GenerateAccessTokenResponse generateAccessToken(String name, List<String> delegates, List<String> scope, Duration lifetime)

Generates an OAuth 2.0 access token for a service account.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response =
       iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }
 
Parameters
NameDescription
nameString

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

delegatesList<String>

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

scopeList<String>

Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.

lifetimeDuration

The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.

Returns
TypeDescription
GenerateAccessTokenResponse

generateAccessTokenCallable()

public final UnaryCallable<GenerateAccessTokenRequest,GenerateAccessTokenResponse> generateAccessTokenCallable()

Generates an OAuth 2.0 access token for a service account.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateAccessTokenRequest request =
       GenerateAccessTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .addAllScope(new ArrayList<String>())
           .setLifetime(Duration.newBuilder().build())
           .build();
   ApiFuture<GenerateAccessTokenResponse> future =
       iamCredentialsClient.generateAccessTokenCallable().futureCall(request);
   // Do something.
   GenerateAccessTokenResponse response = future.get();
 }
 
Returns
TypeDescription
UnaryCallable<GenerateAccessTokenRequest,GenerateAccessTokenResponse>

generateIdToken(GenerateIdTokenRequest request)

public final GenerateIdTokenResponse generateIdToken(GenerateIdTokenRequest request)

Generates an OpenID Connect ID token for a service account.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateIdTokenRequest request =
       GenerateIdTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setAudience("audience975628804")
           .setIncludeEmail(true)
           .build();
   GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(request);
 }
 
Parameter
NameDescription
requestGenerateIdTokenRequest

The request object containing all of the parameters for the API call.

Returns
TypeDescription
GenerateIdTokenResponse

generateIdToken(ServiceAccountName name, List<String> delegates, String audience, boolean includeEmail)

public final GenerateIdTokenResponse generateIdToken(ServiceAccountName name, List<String> delegates, String audience, boolean includeEmail)

Generates an OpenID Connect ID token for a service account.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   String audience = "audience975628804";
   boolean includeEmail = true;
   GenerateIdTokenResponse response =
       iamCredentialsClient.generateIdToken(name, delegates, audience, includeEmail);
 }
 
Parameters
NameDescription
nameServiceAccountName

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

delegatesList<String>

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

audienceString

Required. The audience for the token, such as the API or account that this token grants access to.

includeEmailboolean

Include the service account email in the token. If set to true, the token will contain email and email_verified claims.

Returns
TypeDescription
GenerateIdTokenResponse

generateIdToken(String name, List<String> delegates, String audience, boolean includeEmail)

public final GenerateIdTokenResponse generateIdToken(String name, List<String> delegates, String audience, boolean includeEmail)

Generates an OpenID Connect ID token for a service account.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   String audience = "audience975628804";
   boolean includeEmail = true;
   GenerateIdTokenResponse response =
       iamCredentialsClient.generateIdToken(name, delegates, audience, includeEmail);
 }
 
Parameters
NameDescription
nameString

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

delegatesList<String>

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

audienceString

Required. The audience for the token, such as the API or account that this token grants access to.

includeEmailboolean

Include the service account email in the token. If set to true, the token will contain email and email_verified claims.

Returns
TypeDescription
GenerateIdTokenResponse

generateIdTokenCallable()

public final UnaryCallable<GenerateIdTokenRequest,GenerateIdTokenResponse> generateIdTokenCallable()

Generates an OpenID Connect ID token for a service account.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateIdTokenRequest request =
       GenerateIdTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setAudience("audience975628804")
           .setIncludeEmail(true)
           .build();
   ApiFuture<GenerateIdTokenResponse> future =
       iamCredentialsClient.generateIdTokenCallable().futureCall(request);
   // Do something.
   GenerateIdTokenResponse response = future.get();
 }
 
Returns
TypeDescription
UnaryCallable<GenerateIdTokenRequest,GenerateIdTokenResponse>

getSettings()

public final IamCredentialsSettings getSettings()
Returns
TypeDescription
IamCredentialsSettings

getStub()

public IamCredentialsStub getStub()
Returns
TypeDescription
IamCredentialsStub

isShutdown()

public boolean isShutdown()
Returns
TypeDescription
boolean

isTerminated()

public boolean isTerminated()
Returns
TypeDescription
boolean

shutdown()

public void shutdown()

shutdownNow()

public void shutdownNow()

signBlob(ServiceAccountName name, List<String> delegates, ByteString payload)

public final SignBlobResponse signBlob(ServiceAccountName name, List<String> delegates, ByteString payload)

Signs a blob using a service account's system-managed private key.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   ByteString payload = ByteString.EMPTY;
   SignBlobResponse response = iamCredentialsClient.signBlob(name, delegates, payload);
 }
 
Parameters
NameDescription
nameServiceAccountName

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

delegatesList<String>

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

payloadByteString

Required. The bytes to sign.

Returns
TypeDescription
SignBlobResponse

signBlob(SignBlobRequest request)

public final SignBlobResponse signBlob(SignBlobRequest request)

Signs a blob using a service account's system-managed private key.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignBlobRequest request =
       SignBlobRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload(ByteString.EMPTY)
           .build();
   SignBlobResponse response = iamCredentialsClient.signBlob(request);
 }
 
Parameter
NameDescription
requestSignBlobRequest

The request object containing all of the parameters for the API call.

Returns
TypeDescription
SignBlobResponse

signBlob(String name, List<String> delegates, ByteString payload)

public final SignBlobResponse signBlob(String name, List<String> delegates, ByteString payload)

Signs a blob using a service account's system-managed private key.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   ByteString payload = ByteString.EMPTY;
   SignBlobResponse response = iamCredentialsClient.signBlob(name, delegates, payload);
 }
 
Parameters
NameDescription
nameString

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

delegatesList<String>

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

payloadByteString

Required. The bytes to sign.

Returns
TypeDescription
SignBlobResponse

signBlobCallable()

public final UnaryCallable<SignBlobRequest,SignBlobResponse> signBlobCallable()

Signs a blob using a service account's system-managed private key.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignBlobRequest request =
       SignBlobRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload(ByteString.EMPTY)
           .build();
   ApiFuture<SignBlobResponse> future =
       iamCredentialsClient.signBlobCallable().futureCall(request);
   // Do something.
   SignBlobResponse response = future.get();
 }
 
Returns
TypeDescription
UnaryCallable<SignBlobRequest,SignBlobResponse>

signJwt(ServiceAccountName name, List<String> delegates, String payload)

public final SignJwtResponse signJwt(ServiceAccountName name, List<String> delegates, String payload)

Signs a JWT using a service account's system-managed private key.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   String payload = "payload-786701938";
   SignJwtResponse response = iamCredentialsClient.signJwt(name, delegates, payload);
 }
 
Parameters
NameDescription
nameServiceAccountName

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

delegatesList<String>

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

payloadString

Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.

Returns
TypeDescription
SignJwtResponse

signJwt(SignJwtRequest request)

public final SignJwtResponse signJwt(SignJwtRequest request)

Signs a JWT using a service account's system-managed private key.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignJwtRequest request =
       SignJwtRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload("payload-786701938")
           .build();
   SignJwtResponse response = iamCredentialsClient.signJwt(request);
 }
 
Parameter
NameDescription
requestSignJwtRequest

The request object containing all of the parameters for the API call.

Returns
TypeDescription
SignJwtResponse

signJwt(String name, List<String> delegates, String payload)

public final SignJwtResponse signJwt(String name, List<String> delegates, String payload)

Signs a JWT using a service account's system-managed private key.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   String payload = "payload-786701938";
   SignJwtResponse response = iamCredentialsClient.signJwt(name, delegates, payload);
 }
 
Parameters
NameDescription
nameString

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

delegatesList<String>

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

payloadString

Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.

Returns
TypeDescription
SignJwtResponse

signJwtCallable()

public final UnaryCallable<SignJwtRequest,SignJwtResponse> signJwtCallable()

Signs a JWT using a service account's system-managed private key.

Sample code:


 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignJwtRequest request =
       SignJwtRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload("payload-786701938")
           .build();
   ApiFuture<SignJwtResponse> future =
       iamCredentialsClient.signJwtCallable().futureCall(request);
   // Do something.
   SignJwtResponse response = future.get();
 }
 
Returns
TypeDescription
UnaryCallable<SignJwtRequest,SignJwtResponse>