com.google.auth.oauth2

Class ComputeEngineCredentials

java.lang.Object

com.google.auth.Credentials

com.google.auth.oauth2.OAuth2Credentials

com.google.auth.oauth2.GoogleCredentials

com.google.auth.oauth2.ComputeEngineCredentials

All Implemented Interfaces:

IdTokenProvider, ServiceAccountSigner, Serializable

public class ComputeEngineCredentials
extends GoogleCredentials
implements ServiceAccountSigner, IdTokenProvider

OAuth2 credentials representing the built-in service account for a Google Compute Engine VM.

Fetches access tokens from the Google Compute Engine metadata server.

These credentials use the IAM API to sign data. See sign(byte[]) for more details.

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ComputeEngineCredentials.Builder

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials

OAuth2Credentials.CredentialsChangedListener

Nested classes/interfaces inherited from interface com.google.auth.ServiceAccountSigner

ServiceAccountSigner.SigningException

Nested classes/interfaces inherited from interface com.google.auth.oauth2.IdTokenProvider

IdTokenProvider.Option

Method Summary

Modifier and Type	Method and Description
static ComputeEngineCredentials	create() Create a new ComputeEngineCredentials instance with default behavior.
GoogleCredentials	createScoped(Collection<String> newScopes) Clones the compute engine account with the specified scopes.
boolean	equals(Object obj)
String	getAccount() Returns the email address associated with the GCE default service account.
static String	getIdentityDocumentUrl()
static String	getMetadataServerUrl()
static String	getMetadataServerUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)
Collection<String>	getScopes()
static String	getServiceAccountsUrl()
static String	getTokenServerEncodedUrl()
static String	getTokenServerEncodedUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)
int	hashCode()
IdToken	idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options) Returns a Google ID Token from the metadata server on ComputeEngine
static ComputeEngineCredentials.Builder	newBuilder()
AccessToken	refreshAccessToken() Refresh the access token by getting it from the GCE metadata server
byte[]	sign(byte[] toSign) Signs the provided bytes using the private key associated with the service account.
ComputeEngineCredentials.Builder	toBuilder()
String	toString()

Methods inherited from class com.google.auth.oauth2.GoogleCredentials

create, createDelegated, createScoped, createScopedRequired, fromStream, fromStream, getApplicationDefault, getApplicationDefault

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials

addChangeListener, getAccessToken, getAdditionalHeaders, getAuthenticationType, getFromServiceLoader, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener

Methods inherited from class com.google.auth.Credentials

blockingGetToCallback, getRequestMetadata

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Method Detail

createScoped

public GoogleCredentials createScoped(Collection<String> newScopes)

Clones the compute engine account with the specified scopes.

Overrides:

createScoped in class GoogleCredentials

Parameters:

newScopes - Collection of scopes to request.

Returns:

GoogleCredentials with requested scopes.

create

public static ComputeEngineCredentials create()

Create a new ComputeEngineCredentials instance with default behavior.

Returns:

new ComputeEngineCredentials

getScopes

public final Collection<String> getScopes()

refreshAccessToken

public AccessToken refreshAccessToken()
                               throws IOException

Refresh the access token by getting it from the GCE metadata server

Overrides:

refreshAccessToken in class OAuth2Credentials

Returns:

never

Throws:

IOException

idTokenWithAudience

public IdToken idTokenWithAudience(String targetAudience,
                                   List<IdTokenProvider.Option> options)
                            throws IOException

Returns a Google ID Token from the metadata server on ComputeEngine

Specified by:

idTokenWithAudience in interface IdTokenProvider

Parameters:

targetAudience - the aud: field the IdToken should include

options - list of Credential specific options for the token. For example, an IDToken for a ComputeEngineCredential could have the full formatted claims returned if IdTokenProvider.Option.FORMAT_FULL) is provided as a list option. Valid option values are:
IdTokenProvider.Option.FORMAT_FULL
IdTokenProvider.Option.LICENSES_TRUE
If no options are set, the defaults are "&format=standard&licenses=false"

Returns:

IdToken object which includes the raw id_token, JsonWebSignature

Throws:

IOException - if the attempt to get an IdToken failed

getMetadataServerUrl

public static String getMetadataServerUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)

getMetadataServerUrl

public static String getMetadataServerUrl()

getTokenServerEncodedUrl

public static String getTokenServerEncodedUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)

getTokenServerEncodedUrl

public static String getTokenServerEncodedUrl()

getServiceAccountsUrl

public static String getServiceAccountsUrl()

getIdentityDocumentUrl

public static String getIdentityDocumentUrl()

hashCode

public int hashCode()

Overrides:

hashCode in class OAuth2Credentials

toString

public String toString()

Overrides:

toString in class OAuth2Credentials

equals

public boolean equals(Object obj)

Overrides:

equals in class OAuth2Credentials

toBuilder

public ComputeEngineCredentials.Builder toBuilder()

Overrides:

toBuilder in class GoogleCredentials

newBuilder

public static ComputeEngineCredentials.Builder newBuilder()

getAccount

public String getAccount()

Returns the email address associated with the GCE default service account.

Specified by:

getAccount in interface ServiceAccountSigner

Throws:

RuntimeException - if the default service account cannot be read

sign

public byte[] sign(byte[] toSign)

Signs the provided bytes using the private key associated with the service account.

The Compute Engine's project must enable the Identity and Access Management (IAM) API and the instance's service account must have the iam.serviceAccounts.signBlob permission.

Specified by:

sign in interface ServiceAccountSigner

Parameters:

toSign - bytes to sign

Returns:

signed bytes

Throws:

SigningException - if the attempt to sign the provided bytes failed

See Also:

Blob Signing