Class DownscopedCredentials

All Implemented Interfaces:
Serializable

public final class DownscopedCredentials extends OAuth2Credentials
DownscopedCredentials enables the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions that a short-lived credential can use for Cloud Storage.

To downscope permissions you must define a CredentialAccessBoundary which specifies the upper bound of permissions that the credential can access. You must also provide a source credential which will be used to acquire the downscoped credential.

See for more information.

Usage:

GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()
   .createScoped("https://www.googleapis.com/auth/cloud-platform");

CredentialAccessBoundary.AccessBoundaryRule rule =
    CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
        .setAvailableResource(
            "//storage.googleapis.com/projects/_/buckets/bucket")
        .addAvailablePermission("inRole:roles/storage.objectViewer")
        .build();

DownscopedCredentials downscopedCredentials =
    DownscopedCredentials.newBuilder()
        .setSourceCredential(sourceCredentials)
        .setCredentialAccessBoundary(
            CredentialAccessBoundary.newBuilder().addRule(rule).build())
        .build();

AccessToken accessToken = downscopedCredentials.refreshAccessToken();

OAuth2Credentials credentials = OAuth2Credentials.create(accessToken);

Storage storage =
    StorageOptions.newBuilder().setCredentials(credentials).build().getService();

Blob blob = storage.get(BlobId.of("bucket", "object"));
System.out.printf("Blob %s retrieved.", blob.getBlobId());

Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing an OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.
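The following is an added example, not code from the library's Javadoc, that carries the usage above one step further: it narrows the boundary with an availability condition so the token can read only objects under one prefix, and it wraps the DownscopedCredentials in OAuth2CredentialsWithRefresh so the Storage client re-runs the exchange on expiry instead of holding a single short-lived AccessToken. The bucket name, the prefix, and the object names are placeholders, and it assumes google-auth-library-oauth2-http and google-cloud-storage are on the classpath. The downscoped token is always the intersection of the boundary and the source credential's own IAM grants; a rule cannot add permissions the source credential lacks.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageException;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;

public final class DownscopedReadPrefixExample {

  // Placeholder values (assumed, not from the Javadoc): replace with your own bucket and prefix.
  private static final String BUCKET = "example-bucket";
  private static final String PREFIX = "tenant-a/";

  /** Builds a boundary granting objectViewer only on objects under PREFIX in BUCKET. */
  static CredentialAccessBoundary buildBoundary() {
    CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition condition =
        CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder()
            .setTitle("prefix-only")
            .setDescription("Restricts access to objects under " + PREFIX)
            // CEL expression that Cloud Storage evaluates against the object being accessed.
            .setExpression(
                "resource.name.startsWith('projects/_/buckets/"
                    + BUCKET + "/objects/" + PREFIX + "')")
            .build();

    CredentialAccessBoundary.AccessBoundaryRule rule =
        CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + BUCKET)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .setAvailabilityCondition(condition)
            .build();

    return CredentialAccessBoundary.newBuilder().addRule(rule).build();
  }

  /**
   * Wraps DownscopedCredentials in OAuth2CredentialsWithRefresh so the Storage client
   * transparently obtains a fresh downscoped token whenever the current one expires.
   */
  static OAuth2CredentialsWithRefresh buildAutoRefreshing(GoogleCredentials source)
      throws IOException {
    DownscopedCredentials downscoped =
        DownscopedCredentials.newBuilder()
            .setSourceCredential(source)
            .setCredentialAccessBoundary(buildBoundary())
            .build();

    // Initial token; the refresh handler re-runs the same STS exchange on expiry.
    AccessToken initial = downscoped.refreshAccessToken();
    OAuth2CredentialsWithRefresh.OAuth2RefreshHandler handler = downscoped::refreshAccessToken;
    return OAuth2CredentialsWithRefresh.newBuilder()
        .setAccessToken(initial)
        .setRefreshHandler(handler)
        .build();
  }

  public static void main(String[] args) throws IOException {
    GoogleCredentials source =
        GoogleCredentials.getApplicationDefault()
            .createScoped("https://www.googleapis.com/auth/cloud-platform");

    Storage storage =
        StorageOptions.newBuilder()
            .setCredentials(buildAutoRefreshing(source))
            .build()
            .getService();

    // Inside the prefix: permitted, provided the source credential can read it too.
    Blob allowed = storage.get(BlobId.of(BUCKET, PREFIX + "report.csv"));
    System.out.println("Read inside prefix: " + (allowed != null));

    // Outside the prefix: the downscoped token is rejected (HTTP 403) even though the
    // source credential could read the object. Catching it shows the boundary in effect.
    try {
      storage.get(BlobId.of(BUCKET, "tenant-b/report.csv"));
      System.out.println("Unexpected: read outside prefix succeeded");
    } catch (StorageException e) {
      System.out.println("Read outside prefix denied: HTTP " + e.getCode());
    }
  }
}
```

Hand the OAuth2CredentialsWithRefresh instance (never the source credential) to the component that needs the narrowed access; the source credential stays in the process that minted the boundary, and each refresh produces a token bound to the same rule set.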
  • Method Details

    • refreshAccessToken

      public AccessToken refreshAccessToken() throws IOException
      Description copied from class: OAuth2Credentials
      Method to refresh the access token according to the specific type of credentials.

      Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

      Overrides:
      refreshAccessToken in class OAuth2Credentials
      Returns:
      The newly exchanged downscoped AccessToken; the base-class text above describes only the unoverridden OAuth2Credentials behaviour.
      Throws:
      IOException
    • getSourceCredentials

      public GoogleCredentials getSourceCredentials()
    • getCredentialAccessBoundary

      public CredentialAccessBoundary getCredentialAccessBoundary()
    • getUniverseDomain

      public String getUniverseDomain()
      Returns the universe domain for the credential.
      Overrides:
      getUniverseDomain in class Credentials
      Returns:
      An explicit universe domain if it was explicitly provided, otherwise the default Google universe will be returned.
    • newBuilder

      public static DownscopedCredentials.Builder newBuilder()