public class ImpersonatedCredentials extends GoogleCredentials implements ServiceAccountSigner, IdTokenProvider

ImpersonatedCredentials allows credentials issued to a user or service account to impersonate another service account. The source project using ImpersonatedCredentials must enable the "IAMCredentials" API (iamcredentials.googleapis.com). Also, the target service account must grant the originating principal the "Service Account Token Creator" IAM role (roles/iam.serviceAccountTokenCreator). That binding lets the grantee act with every permission the target service account holds, so grant it on the individual service account rather than at project level and treat it as a privilege boundary.
Usage:

```java
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.FileInputStream;
import java.util.Arrays;

// Source credential: the principal that holds "Service Account Token Creator" on the target.
String credPath = "/path/to/svc_account.json";
ServiceAccountCredentials sourceCredentials =
    ServiceAccountCredentials.fromStream(new FileInputStream(credPath));
// The source must carry the IAM scope so it is allowed to call the IAM Credentials API.
sourceCredentials =
    (ServiceAccountCredentials)
        sourceCredentials.createScoped(Arrays.asList("https://www.googleapis.com/auth/iam"));

// Target: the service account to impersonate, requesting only the scope this caller needs
// and a short lifetime (300 seconds). No delegate chain (null).
ImpersonatedCredentials targetCredentials =
    ImpersonatedCredentials.create(
        sourceCredentials,
        "impersonated-account@project.iam.gserviceaccount.com",
        null,
        Arrays.asList("https://www.googleapis.com/auth/devstorage.read_only"),
        300);

Storage storage_service =
    StorageOptions.newBuilder()
        .setProjectId("project-id")
        .setCredentials(targetCredentials)
        .build()
        .getService();

for (Bucket b : storage_service.list().iterateAll()) System.out.println(b);
```
Static Methods
create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime)

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime)

Parameters:

| Name | Type | Description |
|---|---|---|
| sourceCredentials | GoogleCredentials | The source credential used to acquire the impersonated credentials. It should be either a user account credential or a service account credential. |
| targetPrincipal | String | The service account to impersonate. |
| delegates | List<String> | The chained list of delegates required to grant the final access_token. If set, each identity in the sequence must hold the "Service Account Token Creator" role granted by the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], sourceCredentials must have the Token Creator role on serviceAccountB, serviceAccountB must have it on serviceAccountC, and serviceAccountC must have it on targetPrincipal. If left unset, sourceCredentials must have that role on targetPrincipal directly. |
| scopes | List<String> | Scopes to request during the authorization grant. |
| lifetime | int | Number of seconds the delegated credential should be valid. The IAM Credentials API accepts at most 3600 unless the organization policy described at https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth (constraints/iam.allowServiceAccountCredentialLifetimeExtension) has been set for the target service account, which raises the maximum to 43200 (12 hours); a request above the allowed maximum is rejected when the token is refreshed. If the given lifetime is 0, the default value 3600 is used instead when creating the credentials. |

Returns:

| Type | Description |
|---|---|
| ImpersonatedCredentials | new credentials |
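The delegates and lifetime parameters above are where impersonation most often fails silently in review: a chain with a missing Token Creator binding, or a lifetime above the API ceiling, only surfaces when the token is actually refreshed. The following is an added example, not code from the google-auth-library-java project, showing a two-hop delegate chain and a refresh that checks the returned token against what was requested. The principal names, the hypothetical helper mintDelegatedToken, and the use of Application Default Credentials as the source are assumptions for illustration.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class DelegatedTokenExample {

  // Hypothetical principals, for illustration only. The chain must satisfy:
  // source -> Token Creator on HOP_1, HOP_1 -> Token Creator on HOP_2, HOP_2 -> Token Creator on TARGET.
  static final String HOP_1 = "hop-1@example-project.iam.gserviceaccount.com";
  static final String HOP_2 = "hop-2@example-project.iam.gserviceaccount.com";
  static final String TARGET = "target-sa@example-project.iam.gserviceaccount.com";

  static final int MAX_DEFAULT_LIFETIME = 3600;   // API ceiling without lifetime extension
  static final int MAX_EXTENDED_LIFETIME = 43200; // ceiling once the org policy allows extension

  /**
   * Mints an impersonated access token through the delegate chain and checks that what came
   * back is bound to TARGET and does not outlive the requested lifetime.
   */
  static AccessToken mintDelegatedToken(
      GoogleCredentials source, List<String> delegates, List<String> scopes, int lifetimeSeconds)
      throws IOException {
    if (lifetimeSeconds < 0 || lifetimeSeconds > MAX_EXTENDED_LIFETIME) {
      throw new IllegalArgumentException(
          "lifetime must be in [0, " + MAX_EXTENDED_LIFETIME + "] seconds");
    }
    // lifetime == 0 means "use the library default of 3600".
    int effectiveLifetime = lifetimeSeconds == 0 ? MAX_DEFAULT_LIFETIME : lifetimeSeconds;

    ImpersonatedCredentials target =
        ImpersonatedCredentials.create(source, TARGET, delegates, scopes, lifetimeSeconds);

    Instant requestedAt = Instant.now();
    // refreshAccessToken() calls the IAM Credentials generateAccessToken endpoint. A missing
    // Token Creator binding anywhere in the chain, or a lifetime above the allowed ceiling,
    // surfaces here as an IOException rather than at create() time.
    AccessToken token = target.refreshAccessToken();

    if (!TARGET.equals(target.getAccount())) {
      throw new IllegalStateException("unexpected impersonated account " + target.getAccount());
    }
    Duration remaining = Duration.between(requestedAt, token.getExpirationTime().toInstant());
    // Allow a little slack for clock skew between this host and the API.
    if (remaining.getSeconds() > effectiveLifetime + 60) {
      throw new IllegalStateException(
          "token lives " + remaining + ", longer than requested " + effectiveLifetime + "s");
    }
    return token;
  }

  public static void main(String[] args) throws IOException {
    // Source: Application Default Credentials (a user login, a key file, or the attached
    // service account of a GCE/GKE/Cloud Run workload), scoped for the IAM Credentials API.
    GoogleCredentials source =
        GoogleCredentials.getApplicationDefault()
            .createScoped(Collections.singletonList("https://www.googleapis.com/auth/cloud-platform"));

    // Least privilege: only the scope the job needs, and a lifetime that covers one job run.
    AccessToken token =
        mintDelegatedToken(
            source,
            Arrays.asList(HOP_1, HOP_2),
            Collections.singletonList("https://www.googleapis.com/auth/devstorage.read_only"),
            600);

    System.out.println("impersonated token expires at " + token.getExpirationTime());
    // Never log token.getTokenValue(): for its lifetime it is equivalent to the target's identity.
  }
}
```

The expiry check matters because the API, not the library, decides the lifetime: if the requested value is silently clamped or the chain is misconfigured, the caller should find out here rather than when a downstream call fails.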
create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory)

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory)

Parameters:

| Name | Type | Description |
|---|---|---|
| sourceCredentials | GoogleCredentials | The source credential used to acquire the impersonated credentials. It should be either a user account credential or a service account credential. |
| targetPrincipal | String | The service account to impersonate. |
| delegates | List<String> | The chained list of delegates required to grant the final access_token. If set, each identity in the sequence must hold the "Service Account Token Creator" role granted by the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], sourceCredentials must have the Token Creator role on serviceAccountB, serviceAccountB must have it on serviceAccountC, and serviceAccountC must have it on targetPrincipal. If unset, sourceCredentials must have that role on targetPrincipal directly. |
| scopes | List<String> | Scopes to request during the authorization grant. |
| lifetime | int | Number of seconds the delegated credential should be valid. The IAM Credentials API accepts at most 3600 unless the organization policy described at https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth has been set for the target service account, which raises the maximum to 43200 (12 hours); a request above the allowed maximum is rejected when the token is refreshed. If the given lifetime is 0, the default value 3600 is used instead when creating the credentials. |
| transportFactory | HttpTransportFactory | HTTP transport factory that creates the transport used to get access tokens. |

Returns:

| Type | Description |
|---|---|
| ImpersonatedCredentials | new credentials |
create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory, String quotaProjectId)

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory, String quotaProjectId)

Parameters:

| Name | Type | Description |
|---|---|---|
| sourceCredentials | GoogleCredentials | The source credential used to acquire the impersonated credentials. It should be either a user account credential or a service account credential. |
| targetPrincipal | String | The service account to impersonate. |
| delegates | List<String> | The chained list of delegates required to grant the final access_token. If set, each identity in the sequence must hold the "Service Account Token Creator" role granted by the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], sourceCredentials must have the Token Creator role on serviceAccountB, serviceAccountB must have it on serviceAccountC, and serviceAccountC must have it on targetPrincipal. If unset, sourceCredentials must have that role on targetPrincipal directly. |
| scopes | List<String> | Scopes to request during the authorization grant. |
| lifetime | int | Number of seconds the delegated credential should be valid. The IAM Credentials API accepts at most 3600 unless the organization policy described at https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth has been set for the target service account, which raises the maximum to 43200 (12 hours); a request above the allowed maximum is rejected when the token is refreshed. If the given lifetime is 0, the default value 3600 is used instead when creating the credentials. |
| transportFactory | HttpTransportFactory | HTTP transport factory that creates the transport used to get access tokens. |
| quotaProjectId | String | The project used for quota and billing purposes. Should be null unless the caller wants to use a project different from the one that owns the impersonated credential for billing/quota purposes. |

Returns:

| Type | Description |
|---|---|
| ImpersonatedCredentials | new credentials |
create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory, String quotaProjectId, String iamEndpointOverride)

public static ImpersonatedCredentials create(GoogleCredentials sourceCredentials, String targetPrincipal, List<String> delegates, List<String> scopes, int lifetime, HttpTransportFactory transportFactory, String quotaProjectId, String iamEndpointOverride)

Parameters:

| Name | Type | Description |
|---|---|---|
| sourceCredentials | GoogleCredentials | The source credential used to acquire the impersonated credentials. It should be either a user account credential or a service account credential. |
| targetPrincipal | String | The service account to impersonate. |
| delegates | List<String> | The chained list of delegates required to grant the final access_token. If set, each identity in the sequence must hold the "Service Account Token Creator" role granted by the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], sourceCredentials must have the Token Creator role on serviceAccountB, serviceAccountB must have it on serviceAccountC, and serviceAccountC must have it on targetPrincipal. If unset, sourceCredentials must have that role on targetPrincipal directly. |
| scopes | List<String> | Scopes to request during the authorization grant. |
| lifetime | int | Number of seconds the delegated credential should be valid. The IAM Credentials API accepts at most 3600 unless the organization policy described at https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth has been set for the target service account, which raises the maximum to 43200 (12 hours); a request above the allowed maximum is rejected when the token is refreshed. If the given lifetime is 0, the default value 3600 is used instead when creating the credentials. |
| transportFactory | HttpTransportFactory | HTTP transport factory that creates the transport used to get access tokens. |
| quotaProjectId | String | The project used for quota and billing purposes. Should be null unless the caller wants to use a project different from the one that owns the impersonated credential for billing/quota purposes. |
| iamEndpointOverride | String | The full IAM Credentials endpoint override, with targetPrincipal already embedded in the URL. This is useful when supporting impersonation with regional endpoints. Because every token request is sent to this URL, it must point only at an endpoint you trust to receive the source credential's bearer token. |

Returns:

| Type | Description |
|---|---|
| ImpersonatedCredentials | new credentials |
newBuilder()

public static ImpersonatedCredentials.Builder newBuilder()

Returns:

| Type | Description |
|---|---|
| ImpersonatedCredentials.Builder | a new, empty builder |
Methods
createScoped(Collection<String> scopes)

public GoogleCredentials createScoped(Collection<String> scopes)

If the credentials support scopes, creates a copy of the identity with the specified scopes and invalidates the existing scoped access token; otherwise, returns the same instance.

Parameters:

| Name | Type | Description |
|---|---|---|
| scopes | Collection<String> | the scopes the copy should request |

Returns:

| Type | Description |
|---|---|
| GoogleCredentials | a copy of these credentials with the given scopes |
createScopedRequired()

public boolean createScopedRequired()

Indicates whether the credentials require scopes to be specified via a call to GoogleCredentials#createScoped before use.

Returns:

| Type | Description |
|---|---|
| boolean | true if scopes must be set before the credentials can be used |
createWithCustomCalendar(Calendar calendar)

public ImpersonatedCredentials createWithCustomCalendar(Calendar calendar)

Clones the impersonated credentials with a new calendar.

Parameters:

| Name | Type | Description |
|---|---|---|
| calendar | Calendar | the calendar that will be used by the new ImpersonatedCredentials instance when parsing the received expiration time of the refreshed access token |

Returns:

| Type | Description |
|---|---|
| ImpersonatedCredentials | the cloned impersonated credentials with the given custom calendar |
equals(Object obj)

public boolean equals(Object obj)

Parameters:

| Name | Type | Description |
|---|---|---|
| obj | Object | the object to compare with |

Returns:

| Type | Description |
|---|---|
| boolean | true if obj is an ImpersonatedCredentials with the same configuration |
getAccount()

public String getAccount()

Returns the email field of the service account that is being impersonated.

Returns:

| Type | Description |
|---|---|
| String | email address of the impersonated service account |
getMetricsCredentialType()

public CredentialTypeForMetrics getMetricsCredentialType()

Gets the credential type used for the internal metrics header. The default is CredentialTypeForMetrics.DO_NOT_SEND. For a credential that is established to be tracked for metrics, this default should be overridden.

Returns:

| Type | Description |
|---|---|
| CredentialTypeForMetrics | the credential type reported in the metrics header |
getSourceCredentials()

public GoogleCredentials getSourceCredentials()

Returns:

| Type | Description |
|---|---|
| GoogleCredentials | the source credentials used to acquire the impersonated credentials |
getUniverseDomain()

public String getUniverseDomain()

Gets the universe domain for the credential.

Returns:

| Type | Description |
|---|---|
| String | the universe domain from the source credentials |

Exceptions:

| Type | Description |
|---|---|
| IOException | if the universe domain cannot be obtained from the source credentials |
hashCode()

public int hashCode()

Returns:

| Type | Description |
|---|---|
| int | hash code consistent with equals(Object) |
idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)

public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)

Returns an IdToken for the current credential, issued for the impersonated service account and bound to the given audience.

Parameters:

| Name | Type | Description |
|---|---|---|
| targetAudience | String | the audience field for the issued ID token; receivers must reject tokens whose aud does not match their own identifier |
| options | List<IdTokenProvider.Option> | credential-specific options for the token. For example, an ID token for an ImpersonatedCredentials can return the email address within the token claims if IdTokenProvider.Option.INCLUDE_EMAIL is provided in the list. |

Returns:

| Type | Description |
|---|---|
| IdToken | IdToken object which includes the raw id_token, expiration, and audience |

Exceptions:

| Type | Description |
|---|---|
| IOException | if the attempt to get an ID token failed |
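An ID token is only as good as the check on the receiving side: the audience binding described above is enforced by the verifier, not by the issuer. The following is an added example, not code from the google-auth-library-java project, showing both halves: the caller minting an audience-bound ID token with INCLUDE_EMAIL, and the receiver verifying signature, expiry and audience with the library's TokenVerifier before reading the email claim. The service account name, the audience URL, the helper names and the use of Application Default Credentials as the source are assumptions for illustration.

```java
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdToken;
import com.google.auth.oauth2.IdTokenProvider;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.auth.oauth2.TokenVerifier;
import java.io.IOException;
import java.util.Collections;

public class ImpersonatedIdTokenExample {

  // Hypothetical names, for illustration only.
  static final String TARGET = "api-caller@example-project.iam.gserviceaccount.com";
  static final String AUDIENCE = "https://backend.example.com";

  /** Caller side: mint an ID token as the impersonated service account, bound to one audience. */
  static IdToken mintIdToken(GoogleCredentials source) throws IOException {
    // No OAuth scopes are needed for an ID token; lifetime 0 selects the library default.
    ImpersonatedCredentials creds =
        ImpersonatedCredentials.create(source, TARGET, null, Collections.emptyList(), 0);
    // INCLUDE_EMAIL adds the "email" claim so the receiver can authorize on the SA identity.
    return creds.idTokenWithAudience(
        AUDIENCE, Collections.singletonList(IdTokenProvider.Option.INCLUDE_EMAIL));
  }

  /**
   * Receiver side: verify signature, issuer, expiry and audience before trusting any claim.
   * Returns the verified "email" claim, or throws.
   */
  static String verifyAndExtractEmail(String rawIdToken, String expectedAudience)
      throws TokenVerifier.VerificationException {
    TokenVerifier verifier = TokenVerifier.newBuilder().setAudience(expectedAudience).build();
    // Fetches Google's published signing keys and checks signature, exp and aud.
    JsonWebSignature jws = verifier.verify(rawIdToken);
    Object email = jws.getPayload().get("email");
    if (email == null) {
      throw new IllegalStateException("verified token carries no email claim");
    }
    return email.toString();
  }

  public static void main(String[] args) throws Exception {
    GoogleCredentials source =
        GoogleCredentials.getApplicationDefault()
            .createScoped(Collections.singletonList("https://www.googleapis.com/auth/cloud-platform"));

    IdToken token = mintIdToken(source);
    System.out.println("aud=" + token.getJsonWebSignature().getPayload().getAudience());

    // Correct audience: verification succeeds and the email is the impersonated account.
    String email = verifyAndExtractEmail(token.getTokenValue(), AUDIENCE);
    if (!TARGET.equals(email)) {
      throw new IllegalStateException("unexpected subject " + email);
    }
    System.out.println("verified caller: " + email);

    // Wrong audience: the same token must be rejected, which is what stops a token minted for
    // one backend from being replayed against another.
    try {
      verifyAndExtractEmail(token.getTokenValue(), "https://other.example.com");
      throw new IllegalStateException("token accepted for the wrong audience");
    } catch (TokenVerifier.VerificationException expected) {
      System.out.println("rejected for wrong audience: " + expected.getMessage());
    }
  }
}
```

Only claims read after verify() returns are trustworthy; decoding the payload yourself before verification tells you what the token says, not who signed it.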
refreshAccessToken()

public AccessToken refreshAccessToken()

Refreshes the access token according to the specific type of credentials. ImpersonatedCredentials overrides this method to request a new token for the target service account from the IAM Credentials API (generateAccessToken) using the source credentials, the delegate chain, the scopes and the lifetime supplied at construction. The base-class behaviour of throwing IllegalStateException when not overridden applies only to direct use of OAuth2Credentials with temporary or non-refreshing access tokens.

Returns:

| Type | Description |
|---|---|
| AccessToken | the newly issued access token for the impersonated service account |

Exceptions:

| Type | Description |
|---|---|
| IOException | if the request to the IAM Credentials API fails, including when a Token Creator binding is missing or the requested lifetime exceeds the allowed maximum |
setTransportFactory(HttpTransportFactory httpTransportFactory)

public void setTransportFactory(HttpTransportFactory httpTransportFactory)

Parameters:

| Name | Type | Description |
|---|---|---|
| httpTransportFactory | HttpTransportFactory | HTTP transport factory that creates the transport used to get access tokens |
sign(byte[] toSign)

public byte[] sign(byte[] toSign)

Signs the provided bytes using the private key associated with the impersonated service account. The signature is produced remotely by the IAM Credentials API (signBlob) on behalf of the target service account; the caller never holds that key. See Also: Blob Signing

Parameters:

| Name | Type | Description |
|---|---|---|
| toSign | byte[] | bytes to sign |

Returns:

| Type | Description |
|---|---|
| byte[] | signed bytes |
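Because the signature comes back from the API as opaque bytes, a practitioner adopting sign() usually wants to confirm two things: that the result really is attributable to the target service account, and that any tampering with the signed payload is detected. The following is an added example, not code from the google-auth-library-java project. It signs a constructed payload through ImpersonatedCredentials and then verifies it against the target's certificates published at the public x509 metadata endpoint. The service account name, the helper names, the use of Application Default Credentials as the source, and the assumption that the metadata endpoint returns a JSON object of key id to PEM certificate are assumptions for illustration; the signature algorithm (RSA PKCS#1 v1.5 over SHA-256, "SHA256withRSA" in JCA terms) is the one signBlob produces.

```java
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;

public class ImpersonatedSignerExample {

  // Hypothetical target, for illustration only.
  static final String TARGET = "signer@example-project.iam.gserviceaccount.com";
  // Google publishes each service account's current signing certificates here (public, no auth).
  static final String CERT_URL = "https://www.googleapis.com/service_accounts/v1/metadata/x509/";

  /** Signs via IAM signBlob; the source credential never sees the target's private key. */
  static byte[] signAsTarget(GoogleCredentials source, byte[] payload) throws IOException {
    ImpersonatedCredentials signer =
        ImpersonatedCredentials.create(source, TARGET, null, Collections.emptyList(), 0);
    return signer.sign(payload);
  }

  /** Verifies sig over payload against any currently valid published certificate of account. */
  static boolean verifyWithPublishedCerts(String account, byte[] payload, byte[] sig)
      throws Exception {
    HttpRequest req = HttpRequest.newBuilder(URI.create(CERT_URL + account)).GET().build();
    String body =
        HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString()).body();
    // Assumed response shape: {"<keyId>": "-----BEGIN CERTIFICATE-----\n...", ...}
    GenericJson certs = GsonFactory.getDefaultInstance().fromString(body, GenericJson.class);
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    for (Map.Entry<String, Object> e : certs.entrySet()) {
      X509Certificate cert =
          (X509Certificate)
              cf.generateCertificate(
                  new ByteArrayInputStream(
                      e.getValue().toString().getBytes(StandardCharsets.US_ASCII)));
      try {
        cert.checkValidity(); // skip rotated-out or not-yet-valid keys
      } catch (CertificateException expiredOrNotYetValid) {
        continue;
      }
      Signature v = Signature.getInstance("SHA256withRSA");
      v.initVerify(cert.getPublicKey());
      v.update(payload);
      if (v.verify(sig)) {
        return true;
      }
    }
    return false;
  }

  public static void main(String[] args) throws Exception {
    GoogleCredentials source =
        GoogleCredentials.getApplicationDefault()
            .createScoped(Collections.singletonList("https://www.googleapis.com/auth/cloud-platform"));

    // Constructed sample payload; in practice this is a signed URL string-to-sign or similar.
    byte[] payload = "GET /bucket/object expires=1700000000".getBytes(StandardCharsets.UTF_8);
    byte[] sig = signAsTarget(source, payload);

    if (!verifyWithPublishedCerts(TARGET, payload, sig)) {
      throw new IllegalStateException("signature not attributable to " + TARGET);
    }
    System.out.println("signature verified against " + TARGET + "'s published certificate");

    // Tamper check: one flipped byte in the payload must invalidate the signature.
    byte[] tampered = payload.clone();
    tampered[0] ^= 0x01;
    if (verifyWithPublishedCerts(TARGET, tampered, sig)) {
      throw new IllegalStateException("tampered payload verified; signature check is broken");
    }
    System.out.println("tampered payload correctly rejected");
  }
}
```

Verifying against the published certificate rather than a key the caller holds is the point: with impersonation, the private key stays inside IAM, and Cloud Audit Logs on the target service account record every signBlob call made on its behalf.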
toBuilder()

public ImpersonatedCredentials.Builder toBuilder()

Returns:

| Type | Description |
|---|---|
| ImpersonatedCredentials.Builder | a builder initialized with this instance's configuration |
toString()

public String toString()

Returns:

| Type | Description |
|---|---|
| String | a string representation of these credentials |