public abstract class ExternalAccountCredentials extends GoogleCredentialsBase external account credentials class.
Handles initializing external credentials, calls to the Security Token Service, and service account impersonation.
Inheritance
java.lang.Object > Credentials > OAuth2Credentials > GoogleCredentials > ExternalAccountCredentialsStatic Methods
fromStream(InputStream credentialsStream)
public static ExternalAccountCredentials fromStream(InputStream credentialsStream)Returns credentials defined by a JSON file stream.
Returns IdentityPoolCredentials or AwsCredentials.
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to {@link documentation}.
| Parameter | |
|---|---|
| Name | Description | 
| credentialsStream | InputStreamthe stream with the credential definition | 
| Returns | |
|---|---|
| Type | Description | 
| ExternalAccountCredentials | the credential defined by the credentialsStream | 
| Exceptions | |
|---|---|
| Type | Description | 
| IOException | if the credential cannot be created from the stream | 
fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory)
public static ExternalAccountCredentials fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory)Returns credentials defined by a JSON file stream.
Returns a IdentityPoolCredentials or AwsCredentials.
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to {@link documentation}.
| Parameters | |
|---|---|
| Name | Description | 
| credentialsStream | InputStreamthe stream with the credential definition | 
| transportFactory | HttpTransportFactorythe HTTP transport factory used to create the transport to get access tokens | 
| Returns | |
|---|---|
| Type | Description | 
| ExternalAccountCredentials | the credential defined by the credentialsStream | 
| Exceptions | |
|---|---|
| Type | Description | 
| IOException | if the credential cannot be created from the stream | 
Constructors
ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes)
protected ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes)Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.
| Parameters | |
|---|---|
| Name | Description | 
| transportFactory | HttpTransportFactoryHTTP transport factory, creates the transport used to get access tokens | 
| audience | Stringthe Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider | 
| subjectTokenType | Stringthe Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file | 
| tokenUrl | Stringthe Security Token Service token exchange endpoint | 
| credentialSource | com.google.auth.oauth2.ExternalAccountCredentials.CredentialSourcethe external credential source | 
| tokenInfoUrl | Stringthe endpoint used to retrieve account related information. Required for gCloud session account identification. | 
| serviceAccountImpersonationUrl | Stringthe URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null. | 
| quotaProjectId | Stringthe project used for quota and billing purposes. May be null. | 
| clientId | Stringclient ID of the service account from the console. May be null. | 
| clientSecret | Stringclient secret of the service account from the console. May be null. | 
| scopes | Collection<String>the scopes to request during the authorization grant. May be null. | 
ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes, EnvironmentProvider environmentProvider)
protected ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes, EnvironmentProvider environmentProvider)Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.
| Parameters | |
|---|---|
| Name | Description | 
| transportFactory | HttpTransportFactoryHTTP transport factory, creates the transport used to get access tokens | 
| audience | Stringthe Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider | 
| subjectTokenType | Stringthe Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file | 
| tokenUrl | Stringthe Security Token Service token exchange endpoint | 
| credentialSource | com.google.auth.oauth2.ExternalAccountCredentials.CredentialSourcethe external credential source | 
| tokenInfoUrl | Stringthe endpoint used to retrieve account related information. Required for gCloud session account identification. | 
| serviceAccountImpersonationUrl | Stringthe URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null. | 
| quotaProjectId | Stringthe project used for quota and billing purposes. May be null. | 
| clientId | Stringclient ID of the service account from the console. May be null. | 
| clientSecret | Stringclient secret of the service account from the console. May be null. | 
| scopes | Collection<String>the scopes to request during the authorization grant. May be null. | 
| environmentProvider | com.google.auth.oauth2.EnvironmentProviderthe environment provider. May be null. Defaults to SystemEnvironmentProvider. | 
ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)
protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)Internal constructor with minimum identifying information and custom HTTP transport. See ExternalAccountCredentials.Builder.
| Parameter | |
|---|---|
| Name | Description | 
| builder | ExternalAccountCredentials.Builderthe  | 
Fields
impersonatedCredentials
protected ImpersonatedCredentials impersonatedCredentials| Field Value | |
|---|---|
| Type | Description | 
| ImpersonatedCredentials | |
transportFactory
protected transient HttpTransportFactory transportFactory| Field Value | |
|---|---|
| Type | Description | 
| HttpTransportFactory | |
Methods
exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest stsTokenExchangeRequest)
protected AccessToken exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest stsTokenExchangeRequest)Exchanges the external credential for a Google Cloud access token.
| Parameter | |
|---|---|
| Name | Description | 
| stsTokenExchangeRequest | com.google.auth.oauth2.StsTokenExchangeRequestthe Security Token Service token exchange request | 
| Returns | |
|---|---|
| Type | Description | 
| AccessToken | the access token returned by the Security Token Service | 
| Exceptions | |
|---|---|
| Type | Description | 
| IOException | if the call to the Security Token Service fails | 
getAudience()
public String getAudience()| Returns | |
|---|---|
| Type | Description | 
| String | |
getClientId()
public String getClientId()| Returns | |
|---|---|
| Type | Description | 
| String | |
getClientSecret()
public String getClientSecret()| Returns | |
|---|---|
| Type | Description | 
| String | |
getCredentialSource()
public ExternalAccountCredentials.CredentialSource getCredentialSource()| Returns | |
|---|---|
| Type | Description | 
| com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource | |
getRequestMetadata(URI uri)
public Map<String,List<String>> getRequestMetadata(URI uri)Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.
| Parameter | |
|---|---|
| Name | Description | 
| uri | URI | 
| Returns | |
|---|---|
| Type | Description | 
| Map<String,List<String>> | |
| Exceptions | |
|---|---|
| Type | Description | 
| IOException | |
getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)
public void getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)Get the current request metadata without blocking.
This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.
The default implementation will just call #getRequestMetadata(URI) then the callback from the given executor.
The convention for handling binary data is for the key in the returned map to end with
 "-bin" and for the corresponding values to be base64 encoded.
| Parameters | |
|---|---|
| Name | Description | 
| uri | URI | 
| executor | Executor | 
| callback | RequestMetadataCallback | 
getScopes()
public Collection<String> getScopes()| Returns | |
|---|---|
| Type | Description | 
| Collection<String> | |
getServiceAccountEmail()
public String getServiceAccountEmail()| Returns | |
|---|---|
| Type | Description | 
| String | The service account email to be impersonated, if available | 
getServiceAccountImpersonationOptions()
public ExternalAccountCredentials.ServiceAccountImpersonationOptions getServiceAccountImpersonationOptions()| Returns | |
|---|---|
| Type | Description | 
| com.google.auth.oauth2.ExternalAccountCredentials.ServiceAccountImpersonationOptions | |
getServiceAccountImpersonationUrl()
public String getServiceAccountImpersonationUrl()| Returns | |
|---|---|
| Type | Description | 
| String | |
getSubjectTokenType()
public String getSubjectTokenType()| Returns | |
|---|---|
| Type | Description | 
| String | |
getTokenInfoUrl()
public String getTokenInfoUrl()| Returns | |
|---|---|
| Type | Description | 
| String | |
getTokenUrl()
public String getTokenUrl()| Returns | |
|---|---|
| Type | Description | 
| String | |
getUniverseDomain()
public String getUniverseDomain()Gets the universe domain for the credential.
| Returns | |
|---|---|
| Type | Description | 
| String | |
getWorkforcePoolUserProject()
public String getWorkforcePoolUserProject()| Returns | |
|---|---|
| Type | Description | 
| String | |
isWorkforcePoolConfiguration()
public boolean isWorkforcePoolConfiguration()| Returns | |
|---|---|
| Type | Description | 
| boolean | whether the current configuration is for Workforce Pools (which enable 3p user identities, rather than workloads) | 
retrieveSubjectToken()
public abstract String retrieveSubjectToken()Retrieves the external subject token to be exchanged for a Google Cloud access token.
Must be implemented by subclasses as the retrieval method is dependent on the credential source.
| Returns | |
|---|---|
| Type | Description | 
| String | the external subject token | 
| Exceptions | |
|---|---|
| Type | Description | 
| IOException | if the subject token cannot be retrieved |