com.google.auth.oauth2

Class ComputeEngineCredentials

java.lang.Object

com.google.auth.Credentials

com.google.auth.oauth2.OAuth2Credentials

com.google.auth.oauth2.GoogleCredentials

com.google.auth.oauth2.ComputeEngineCredentials

All Implemented Interfaces:

IdTokenProvider, QuotaProjectIdProvider, ServiceAccountSigner, Serializable

public class ComputeEngineCredentials
extends GoogleCredentials
implements ServiceAccountSigner, IdTokenProvider

OAuth2 credentials representing the built-in service account for a Google Compute Engine VM.

Fetches access tokens from the Google Compute Engine metadata server.

These credentials use the IAM API to sign data. See sign(byte[]) for more details.

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ComputeEngineCredentials.BindingEnforcement Experimental Feature.
static class	ComputeEngineCredentials.Builder
static class	ComputeEngineCredentials.GoogleAuthTransport Experimental Feature.

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials

OAuth2Credentials.CredentialsChangedListener

Nested classes/interfaces inherited from interface com.google.auth.ServiceAccountSigner

ServiceAccountSigner.SigningException

Nested classes/interfaces inherited from interface com.google.auth.oauth2.IdTokenProvider

IdTokenProvider.Option

Field Summary

Fields inherited from class com.google.auth.oauth2.GoogleCredentials

quotaProjectId

Fields inherited from class com.google.auth.Credentials

GOOGLE_DEFAULT_UNIVERSE

Method Summary

Modifier and Type	Method and Description
static ComputeEngineCredentials	create() Create a new ComputeEngineCredentials instance with default behavior.
GoogleCredentials	createScoped(Collection<String> newScopes) Clones the compute engine account with the specified scopes.
GoogleCredentials	createScoped(Collection<String> newScopes, Collection<String> newDefaultScopes) Clones the compute engine account with the specified scopes and default scopes.
boolean	equals(Object obj)
String	getAccount() Returns the email address associated with the GCE default service account.
static String	getIdentityDocumentUrl()
static String	getMetadataServerUrl()
static String	getMetadataServerUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)
CredentialTypeForMetrics	getMetricsCredentialType()
Collection<String>	getScopes()
static String	getServiceAccountsUrl()
static String	getTokenServerEncodedUrl()
static String	getTokenServerEncodedUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)
String	getUniverseDomain() Gets the universe domain from the GCE metadata server.
static String	getUniverseDomainUrl()
int	hashCode()
IdToken	idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options) Returns a Google ID Token from the metadata server on ComputeEngine
static ComputeEngineCredentials.Builder	newBuilder()
AccessToken	refreshAccessToken() Refresh the access token by getting it from the GCE metadata server
byte[]	sign(byte[] toSign) Signs the provided bytes using the private key associated with the service account.
ComputeEngineCredentials.Builder	toBuilder()
protected com.google.common.base.MoreObjects.ToStringHelper	toStringHelper() A helper for overriding the toString() method.

Methods inherited from class com.google.auth.oauth2.GoogleCredentials

create, create, createDelegated, createScoped, createScopedRequired, createWithCustomRetryStrategy, createWithQuotaProject, fromStream, fromStream, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getCredentialInfo, getProjectId, getQuotaProjectId, isExplicitUniverseDomain, toString

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials

addChangeListener, getAccessToken, getAuthenticationType, getFromServiceLoader, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener

Methods inherited from class com.google.auth.Credentials

blockingGetToCallback, getRequestMetadata

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Method Detail

getMetricsCredentialType

public CredentialTypeForMetrics getMetricsCredentialType()

Overrides:

getMetricsCredentialType in class Credentials

createScoped

public GoogleCredentials createScoped(Collection<String> newScopes)

Clones the compute engine account with the specified scopes.

Overrides:

createScoped in class GoogleCredentials

Parameters:

newScopes - Collection of scopes to request.

Returns:

GoogleCredentials with requested scopes.

createScoped

public GoogleCredentials createScoped(Collection<String> newScopes,
                                      Collection<String> newDefaultScopes)

Clones the compute engine account with the specified scopes and default scopes.

Overrides:

createScoped in class GoogleCredentials

Parameters:

newScopes - Collection of scopes to request.

newDefaultScopes - Collection of default scopes to request.

Returns:

GoogleCredentials with requested scopes.

create

public static ComputeEngineCredentials create()

Create a new ComputeEngineCredentials instance with default behavior.

Returns:

new ComputeEngineCredentials

getScopes

public final Collection<String> getScopes()

getUniverseDomain

public String getUniverseDomain()
                         throws IOException

Gets the universe domain from the GCE metadata server.

Returns an explicit universe domain if it was provided during credential initialization.

Returns the Credentials.GOOGLE_DEFAULT_UNIVERSE if universe domain endpoint is not found (404) or returns an empty string.

Otherwise, returns universe domain from GCE metadata service.

Any above value is cached for the credential lifetime.

Overrides:

getUniverseDomain in class GoogleCredentials

Returns:

string representing a universe domain in the format some-domain.xyz

Throws:

IOException - if a call to GCE metadata service was unsuccessful. Check if exception implements the Retryable and isRetryable() will return true if the operation may be retried.

refreshAccessToken

public AccessToken refreshAccessToken()
                               throws IOException

Refresh the access token by getting it from the GCE metadata server

Overrides:

refreshAccessToken in class OAuth2Credentials

Returns:

never

Throws:

IOException

idTokenWithAudience

public IdToken idTokenWithAudience(String targetAudience,
                                   List<IdTokenProvider.Option> options)
                            throws IOException

Returns a Google ID Token from the metadata server on ComputeEngine

Specified by:

idTokenWithAudience in interface IdTokenProvider

Parameters:

targetAudience - the aud: field the IdToken should include

options - list of Credential specific options for the token. For example, an IDToken for a ComputeEngineCredential could have the full formatted claims returned if IdTokenProvider.Option.FORMAT_FULL) is provided as a list option. Valid option values are:
IdTokenProvider.Option.FORMAT_FULL
IdTokenProvider.Option.LICENSES_TRUE
If no options are set, the defaults are "&format=standard&licenses=false"

Returns:

IdToken object which includes the raw id_token, JsonWebSignature

Throws:

IOException - if the attempt to get an IdToken failed

getMetadataServerUrl

public static String getMetadataServerUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)

getMetadataServerUrl

public static String getMetadataServerUrl()

getTokenServerEncodedUrl

public static String getTokenServerEncodedUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)

getTokenServerEncodedUrl

public static String getTokenServerEncodedUrl()

getUniverseDomainUrl

public static String getUniverseDomainUrl()

getServiceAccountsUrl

public static String getServiceAccountsUrl()

getIdentityDocumentUrl

public static String getIdentityDocumentUrl()

hashCode

public int hashCode()

Overrides:

hashCode in class GoogleCredentials

toStringHelper

protected com.google.common.base.MoreObjects.ToStringHelper toStringHelper()

Description copied from class: GoogleCredentials

A helper for overriding the toString() method. This allows inheritance of super class fields. Extending classes can override this implementation and call super implementation and add more fields. Same cannot be done with overriding the toString() directly.

Overrides:

toStringHelper in class GoogleCredentials

Returns:

an instance of the ToStringHelper that has public fields added

equals

public boolean equals(Object obj)

Overrides:

equals in class GoogleCredentials

toBuilder

public ComputeEngineCredentials.Builder toBuilder()

Overrides:

toBuilder in class GoogleCredentials

newBuilder

public static ComputeEngineCredentials.Builder newBuilder()

getAccount

public String getAccount()

Returns the email address associated with the GCE default service account.

Specified by:

getAccount in interface ServiceAccountSigner

Throws:

RuntimeException - if the default service account cannot be read

sign

public byte[] sign(byte[] toSign)

Signs the provided bytes using the private key associated with the service account.

The Compute Engine's project must enable the Identity and Access Management (IAM) API and the instance's service account must have the iam.serviceAccounts.signBlob permission.

Specified by:

sign in interface ServiceAccountSigner

Parameters:

toSign - bytes to sign

Returns:

signed bytes

Throws:

SigningException - if the attempt to sign the provided bytes failed

See Also:

Blob Signing