Package com.google.cloud.iam.credentials.v1

Class IamCredentialsClient

  • All Implemented Interfaces:
    com.google.api.gax.core.BackgroundResource, AutoCloseable
    @Generated("by gapic-generator-java")
public class IamCredentialsClient
extends Object
implements com.google.api.gax.core.BackgroundResource
    Service Description: A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.

    Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.

    This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started: 

    
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response =
       iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }

    Note: close() needs to be called on the IamCredentialsClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().

    The surface of this class includes several types of Java methods for each of the API's methods:

    1. A "flattened" method. With this type of method, the fields of the request type have been converted into function parameters. It may be the case that not all fields are available as parameters, and not every API method will have a flattened method entry point.
    2. A "request object" method. This type of method only takes one parameter, a request object, which must be constructed before the call. Not every API method will have a request object method.
    3. A "callable" method. This type of method takes no parameters and returns an immutable API callable object, which can be used to initiate calls to the service.

    See the individual methods for example code.

    Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.

    This class can be customized by passing in a custom instance of IamCredentialsSettings to create(). For example:

    To customize credentials: 

    
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 IamCredentialsSettings iamCredentialsSettings =
     IamCredentialsSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
         .build();
 IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create(iamCredentialsSettings);

    To customize the endpoint: 

    
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 IamCredentialsSettings iamCredentialsSettings =
     IamCredentialsSettings.newBuilder().setEndpoint(myEndpoint).build();
 IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create(iamCredentialsSettings);

    To use REST (HTTP1.1/JSON) transport (instead of gRPC) for sending and receiving requests over the wire: 

    
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 IamCredentialsSettings iamCredentialsSettings =
     IamCredentialsSettings.newHttpJsonBuilder().build();
 IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create(iamCredentialsSettings);

    Please refer to the GitHub repository's samples for more quickstart code snippets.

    • Constructor Detail

      • IamCredentialsClient

        protected IamCredentialsClient​(IamCredentialsSettings settings)
                        throws IOException
        Constructs an instance of IamCredentialsClient, using the given settings. This is protected so that it is easy to make a subclass, but otherwise, the static factory methods should be preferred.
        Throws:
        IOException

    • Method Detail

      • create

        public static final IamCredentialsClient create​(IamCredentialsStub stub)
        Constructs an instance of IamCredentialsClient, using the given stub for making calls. This is for advanced usage - prefer using create(IamCredentialsSettings).

      • generateAccessToken

        public final GenerateAccessTokenResponse generateAccessToken​(ServiceAccountName name,
                                                             List<String> delegates,
                                                             List<String> scope,
                                                             com.google.protobuf.Duration lifetime)
        Generates an OAuth 2.0 access token for a service account.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response =
       iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }
        Parameters:
        name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.
        delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

        The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

        scope - Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
        lifetime - The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • generateAccessToken

        public final GenerateAccessTokenResponse generateAccessToken​(String name,
                                                             List<String> delegates,
                                                             List<String> scope,
                                                             com.google.protobuf.Duration lifetime)
        Generates an OAuth 2.0 access token for a service account.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   List<String> scope = new ArrayList<>();
   Duration lifetime = Duration.newBuilder().build();
   GenerateAccessTokenResponse response =
       iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
 }
        Parameters:
        name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.
        delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

        The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

        scope - Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
        lifetime - The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • generateAccessToken

        public final GenerateAccessTokenResponse generateAccessToken​(GenerateAccessTokenRequest request)
        Generates an OAuth 2.0 access token for a service account.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateAccessTokenRequest request =
       GenerateAccessTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .addAllScope(new ArrayList<String>())
           .setLifetime(Duration.newBuilder().build())
           .build();
   GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(request);
 }
        Parameters:
        request - The request object containing all of the parameters for the API call.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • generateAccessTokenCallable

        public final com.google.api.gax.rpc.UnaryCallable<GenerateAccessTokenRequest,​GenerateAccessTokenResponse> generateAccessTokenCallable()
        Generates an OAuth 2.0 access token for a service account.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateAccessTokenRequest request =
       GenerateAccessTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .addAllScope(new ArrayList<String>())
           .setLifetime(Duration.newBuilder().build())
           .build();
   ApiFuture<GenerateAccessTokenResponse> future =
       iamCredentialsClient.generateAccessTokenCallable().futureCall(request);
   // Do something.
   GenerateAccessTokenResponse response = future.get();
 }

      • generateIdToken

        public final GenerateIdTokenResponse generateIdToken​(ServiceAccountName name,
                                                     List<String> delegates,
                                                     String audience,
                                                     boolean includeEmail)
        Generates an OpenID Connect ID token for a service account.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   String audience = "audience975628804";
   boolean includeEmail = true;
   GenerateIdTokenResponse response =
       iamCredentialsClient.generateIdToken(name, delegates, audience, includeEmail);
 }
        Parameters:
        name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.
        delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

        The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

        audience - Required. The audience for the token, such as the API or account that this token grants access to.
        includeEmail - Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • generateIdToken

        public final GenerateIdTokenResponse generateIdToken​(String name,
                                                     List<String> delegates,
                                                     String audience,
                                                     boolean includeEmail)
        Generates an OpenID Connect ID token for a service account.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   String audience = "audience975628804";
   boolean includeEmail = true;
   GenerateIdTokenResponse response =
       iamCredentialsClient.generateIdToken(name, delegates, audience, includeEmail);
 }
        Parameters:
        name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.
        delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

        The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

        audience - Required. The audience for the token, such as the API or account that this token grants access to.
        includeEmail - Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • generateIdToken

        public final GenerateIdTokenResponse generateIdToken​(GenerateIdTokenRequest request)
        Generates an OpenID Connect ID token for a service account.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateIdTokenRequest request =
       GenerateIdTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setAudience("audience975628804")
           .setIncludeEmail(true)
           .build();
   GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(request);
 }
        Parameters:
        request - The request object containing all of the parameters for the API call.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • generateIdTokenCallable

        public final com.google.api.gax.rpc.UnaryCallable<GenerateIdTokenRequest,​GenerateIdTokenResponse> generateIdTokenCallable()
        Generates an OpenID Connect ID token for a service account.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   GenerateIdTokenRequest request =
       GenerateIdTokenRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setAudience("audience975628804")
           .setIncludeEmail(true)
           .build();
   ApiFuture<GenerateIdTokenResponse> future =
       iamCredentialsClient.generateIdTokenCallable().futureCall(request);
   // Do something.
   GenerateIdTokenResponse response = future.get();
 }

      • signBlob

        public final SignBlobResponse signBlob​(ServiceAccountName name,
                                       List<String> delegates,
                                       com.google.protobuf.ByteString payload)
        Signs a blob using a service account's system-managed private key.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   ByteString payload = ByteString.EMPTY;
   SignBlobResponse response = iamCredentialsClient.signBlob(name, delegates, payload);
 }
        Parameters:
        name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.
        delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

        The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

        payload - Required. The bytes to sign.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • signBlob

        public final SignBlobResponse signBlob​(String name,
                                       List<String> delegates,
                                       com.google.protobuf.ByteString payload)
        Signs a blob using a service account's system-managed private key.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   ByteString payload = ByteString.EMPTY;
   SignBlobResponse response = iamCredentialsClient.signBlob(name, delegates, payload);
 }
        Parameters:
        name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.
        delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

        The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

        payload - Required. The bytes to sign.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • signBlob

        public final SignBlobResponse signBlob​(SignBlobRequest request)
        Signs a blob using a service account's system-managed private key.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignBlobRequest request =
       SignBlobRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload(ByteString.EMPTY)
           .build();
   SignBlobResponse response = iamCredentialsClient.signBlob(request);
 }
        Parameters:
        request - The request object containing all of the parameters for the API call.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • signBlobCallable

        public final com.google.api.gax.rpc.UnaryCallable<SignBlobRequest,​SignBlobResponse> signBlobCallable()
        Signs a blob using a service account's system-managed private key.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignBlobRequest request =
       SignBlobRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload(ByteString.EMPTY)
           .build();
   ApiFuture<SignBlobResponse> future =
       iamCredentialsClient.signBlobCallable().futureCall(request);
   // Do something.
   SignBlobResponse response = future.get();
 }

      • signJwt

        public final SignJwtResponse signJwt​(ServiceAccountName name,
                                     List<String> delegates,
                                     String payload)
        Signs a JWT using a service account's system-managed private key.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> delegates = new ArrayList<>();
   String payload = "payload-786701938";
   SignJwtResponse response = iamCredentialsClient.signJwt(name, delegates, payload);
 }
        Parameters:
        name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.
        delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

        The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

        payload - Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • signJwt

        public final SignJwtResponse signJwt​(String name,
                                     List<String> delegates,
                                     String payload)
        Signs a JWT using a service account's system-managed private key.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<String> delegates = new ArrayList<>();
   String payload = "payload-786701938";
   SignJwtResponse response = iamCredentialsClient.signJwt(name, delegates, payload);
 }
        Parameters:
        name - Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.
        delegates - The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request.

        The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

        payload - Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • signJwt

        public final SignJwtResponse signJwt​(SignJwtRequest request)
        Signs a JWT using a service account's system-managed private key.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignJwtRequest request =
       SignJwtRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload("payload-786701938")
           .build();
   SignJwtResponse response = iamCredentialsClient.signJwt(request);
 }
        Parameters:
        request - The request object containing all of the parameters for the API call.
        Throws:
        com.google.api.gax.rpc.ApiException - if the remote call fails

      • signJwtCallable

        public final com.google.api.gax.rpc.UnaryCallable<SignJwtRequest,​SignJwtResponse> signJwtCallable()
        Signs a JWT using a service account's system-managed private key.

        Sample code: 

        
 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
   SignJwtRequest request =
       SignJwtRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllDelegates(new ArrayList<String>())
           .setPayload("payload-786701938")
           .build();
   ApiFuture<SignJwtResponse> future =
       iamCredentialsClient.signJwtCallable().futureCall(request);
   // Do something.
   SignJwtResponse response = future.get();
 }

      • shutdown

        public void shutdown()
        Specified by:
        shutdown in interface com.google.api.gax.core.BackgroundResource

      • isShutdown

        public boolean isShutdown()
        Specified by:
        isShutdown in interface com.google.api.gax.core.BackgroundResource

      • isTerminated

        public boolean isTerminated()
        Specified by:
        isTerminated in interface com.google.api.gax.core.BackgroundResource

      • shutdownNow

        public void shutdownNow()
        Specified by:
        shutdownNow in interface com.google.api.gax.core.BackgroundResource