public final class DownscopedCredentials extends OAuth2Credentials
DownscopedCredentials enables the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions that a short-lived credential can use for Cloud Storage.
To downscope permissions you must define a CredentialAccessBoundary which specifies the upper bound of permissions that the credential can access. You must also provide a source credential which will be used to acquire the downscoped credential.
Usage:
GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()
.createScoped("https://www.googleapis.com/auth/cloud-platform");
CredentialAccessBoundary.AccessBoundaryRule rule =
CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
.setAvailableResource(
"//storage.googleapis.com/projects/_/buckets/bucket")
.addAvailablePermission("inRole:roles/storage.objectViewer")
.build();
DownscopedCredentials downscopedCredentials =
DownscopedCredentials.newBuilder()
.setSourceCredential(sourceCredentials)
.setCredentialAccessBoundary(
CredentialAccessBoundary.newBuilder().addRule(rule).build())
.build();
AccessToken accessToken = downscopedCredentials.refreshAccessToken();
OAuth2Credentials credentials = OAuth2Credentials.create(accessToken);
Storage storage =
StorageOptions.newBuilder().setCredentials(credentials).build().getService();
Blob blob = storage.get(BlobId.of("bucket", "object"));
System.out.printf("Blob %s retrieved.", blob.getBlobId());
Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing a OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.
Methods
getCredentialAccessBoundary()
public CredentialAccessBoundary getCredentialAccessBoundary()
Type | Description |
CredentialAccessBoundary |
getSourceCredentials()
public GoogleCredentials getSourceCredentials()
Type | Description |
GoogleCredentials |
newBuilder()
public static DownscopedCredentials.Builder newBuilder()
Type | Description |
DownscopedCredentials.Builder |
refreshAccessToken()
public AccessToken refreshAccessToken()
Method to refresh the access token according to the specific type of credentials.
Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.
Type | Description |
AccessToken |
Type | Description |
IOException |