Class ComputeEngineCredentials

    • Method Detail

      • createScoped

        public GoogleCredentials createScoped(Collection<String> newScopes,
                                              Collection<String> newDefaultScopes)
        Clones the compute engine account with the specified scopes.
        Overrides:
        createScoped in class GoogleCredentials
        Parameters:
        newScopes - Collection of scopes to request.
        newDefaultScopes - Collection of default scopes to request.
        Returns:
        GoogleCredentials with requested scopes.
      • create

        public static ComputeEngineCredentials create()
        Create a new ComputeEngineCredentials instance with default behavior.
        Returns:
        new ComputeEngineCredentials
      • idTokenWithAudience

        public IdToken idTokenWithAudience(String targetAudience,
                                           List<IdTokenProvider.Option> options)
                                    throws IOException
        Returns a Google ID token from the metadata server on Compute Engine.
        Specified by:
        idTokenWithAudience in interface IdTokenProvider
        Parameters:
        targetAudience - the aud: field the IdToken should include
        options - list of credential-specific options for the token. For example, an ID token for a ComputeEngineCredentials could have the full formatted claims returned if IdTokenProvider.Option.FORMAT_FULL is provided as a list option. Valid option values are:
        IdTokenProvider.Option.FORMAT_FULL
        IdTokenProvider.Option.LICENSES_TRUE
        If no options are set, the defaults are "&format=standard&licenses=false"
        Returns:
        IdToken object which includes the raw id_token, JsonWebSignature
        Throws:
        IOException - if the attempt to get an IdToken failed
      • getMetadataServerUrl

        public static String getMetadataServerUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)
      • getMetadataServerUrl

        public static String getMetadataServerUrl()
      • getTokenServerEncodedUrl

        public static String getTokenServerEncodedUrl(com.google.auth.oauth2.DefaultCredentialsProvider provider)
      • getTokenServerEncodedUrl

        public static String getTokenServerEncodedUrl()
      • getServiceAccountsUrl

        public static String getServiceAccountsUrl()
      • getIdentityDocumentUrl

        public static String getIdentityDocumentUrl()
      • getAccount

        public String getAccount()
        Returns the email address associated with the GCE default service account.
        Specified by:
        getAccount in interface ServiceAccountSigner
        Returns:
        The service account associated with the signer.
        Throws:
        RuntimeException - if the default service account cannot be read
      • sign

        public byte[] sign(byte[] toSign)
        Signs the provided bytes using the private key associated with the service account.

        The Compute Engine's project must enable the Identity and Access Management (IAM) API and the instance's service account must have the iam.serviceAccounts.signBlob permission.

        Specified by:
        sign in interface ServiceAccountSigner
        Parameters:
        toSign - bytes to sign
        Returns:
        signed bytes
        Throws:
        ServiceAccountSigner.SigningException - if the attempt to sign the provided bytes failed
        See Also:
        Blob Signing
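
Usage sketch for idTokenWithAudience, added here as an example and not taken from the library's own documentation. It assumes the code runs on a Compute Engine instance with a reachable metadata server; the class name MetadataIdTokenExample, the helpers fetch and report, and the audience URL are hypothetical placeholders.

```java
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.IdToken;
import com.google.auth.oauth2.IdTokenProvider;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class MetadataIdTokenExample {
  // Assumption: placeholder audience. Use the exact value the receiving
  // service checks against the token's aud claim, so the token is not
  // accepted by any other service.
  static final String AUDIENCE = "https://service.example.com";

  /** Requests an ID token bound to AUDIENCE with the given options. */
  static IdToken fetch(ComputeEngineCredentials creds,
                       List<IdTokenProvider.Option> options) throws IOException {
    return creds.idTokenWithAudience(AUDIENCE, options);
  }

  /** Reports metadata only; the raw token is a bearer credential and is never printed. */
  static void report(String label, IdToken token) {
    System.out.printf("%s: %d chars, expires %s%n",
        label, token.getTokenValue().length(), token.getExpirationTime());
  }

  public static void main(String[] args) {
    ComputeEngineCredentials creds = ComputeEngineCredentials.create();
    try {
      // Empty option list: the documented defaults apply
      // (format=standard, licenses=false).
      report("standard", fetch(creds, Collections.emptyList()));

      // FORMAT_FULL and LICENSES_TRUE request the full-format claims
      // and license information from the metadata server.
      report("full", fetch(creds, Arrays.asList(
          IdTokenProvider.Option.FORMAT_FULL,
          IdTokenProvider.Option.LICENSES_TRUE)));
    } catch (IOException e) {
      // Thrown when the attempt to get an IdToken fails, for example
      // when the metadata server is unreachable.
      System.err.println("ID token request failed: " + e.getMessage());
      System.exit(1);
    }
  }
}
```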