Example #1
Source File:    From styx with Apache License 2.0
// NOTE(review): truncated listing. The builder chain, the body of the try block and the closing
// braces are not shown, so this does not compile as printed.
//
// Exercises the failure path of GoogleIdTokenAuth for an impersonated service account: the
// IOException message is expected to point at a missing "Service Account Token Creator" role
// for the account on itself, or at the IAM API not being enabled.
public void testServiceAccountWithoutTokenCreatorRoleOnSelfFails() throws GeneralSecurityException {
  // The account literal is empty in this listing (presumably stripped by the page); the expected
  // message below embeds whatever value is set here.
  final String serviceAccount = "";
  final ImpersonatedCredentials serviceAccountCredentials = ImpersonatedCredentials.newBuilder()
  final GoogleIdTokenAuth idTokenAuth = GoogleIdTokenAuth.of(serviceAccountCredentials);
  try {
    // NOTE(review): the call under test is missing here. The assertion lives only in the catch
    // block, so the original needs a fail() after that call, otherwise the test also passes when
    // no exception is thrown. Confirm against the upstream file.
  } catch (IOException e) {
    assertThat(e.getMessage(), is("Unable to sign request for id token, "
                                  + "missing Service Account Token Creator role for self on "
                                  + serviceAccount + " or IAM api not enabled?"));
Example #2
Source File:    From styx with Apache License 2.0
// NOTE(review): truncated listing. The body of the try block, the end of the catch block, the
// rest of the Iam builder chain and the closing braces are not shown.
//
// Test fixture: derives impersonated credentials for SERVICE_ACCOUNT from the application
// default credentials and builds an IAM client that authenticates with them.
public void setUp() throws Exception {
  // Source identity is whatever application default credentials resolve to in the test environment.
  var defaultCredentials = GoogleCredentials.getApplicationDefault();

  // No delegation chain (empty delegates list) and a requested lifetime of 300 seconds.
  // The single scope literal is empty in this listing, presumably stripped by the page.
  var serviceCredentials = ImpersonatedCredentials.create(
      defaultCredentials, SERVICE_ACCOUNT,
      List.of(), List.of(""), 300);

  try {
    // NOTE(review): the probe call is missing here; per the comment in the catch block it
    // presumably checks whether impersonation is permitted. Confirm upstream.
  } catch (IOException e) {
    // Do not run this test if we do not have permission to impersonate the test user.

  // The IAM client uses the impersonated credentials re-scoped to IamScopes.all(), so every
  // request is made as SERVICE_ACCOUNT rather than as the caller's own identity.
  iam = new Iam.Builder(
      Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(),
      new HttpCredentialsAdapter(serviceCredentials.createScoped(IamScopes.all())))
Example #3
Source File:    From gcp-token-broker with Apache License 2.0
// NOTE(review): truncated listing. The closing braces and the declaration of `token` are not
// shown, so this does not compile as printed.
//
// Mints an access token for the service account `googleIdentity` by impersonating it from the
// application default credentials, restricted to the requested `scopes`. Returns the token value
// together with its expiration time; throws IllegalArgumentException when the identity check
// fails and a PERMISSION_DENIED status exception on any IOException.
public AccessToken getAccessToken(String googleIdentity, List<String> scopes) {
    // NOTE(review): the suffix literal is empty here, and endsWith("") is true for every string,
    // so as printed this guard never rejects anything. The original presumably compares against
    // the service-account e-mail domain; confirm upstream. It is the only check visible in this
    // method that limits which identities can be impersonated.
    if (! googleIdentity.endsWith("")) {
        throw new IllegalArgumentException("Google identity `" + googleIdentity + "` is not a service account");
    try {
        // Source identity: whatever application default credentials resolve to for this process.
        GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
        // No delegation chain (null delegates); requested token lifetime is 3600 seconds.
        ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.create(credentials, googleIdentity, null, scopes, 3600); token = impersonatedCredentials.refreshAccessToken();
        return new AccessToken(token.getTokenValue(), token.getExpirationTime().getTime());
    } catch (IOException e) {
        // Every I/O failure is reported as PERMISSION_DENIED and `e` is not attached or logged
        // here, so a missing IAM grant and a transient network error look the same to whoever
        // investigates. NOTE(review): consider recording the cause server-side.
        throw Status.PERMISSION_DENIED.asRuntimeException();
Example #4
Source File:    From styx with Apache License 2.0
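/**
 * Obtains a token for {@code targetAudience}, selecting the helper by the runtime type of
 * {@code credentials}.
 *
 * <p>The user-credential path is the only one that is not given {@code targetAudience}. Any
 * credential type that is not matched explicitly falls through to the generic access-token based
 * helper, so an unexpected credential class is not rejected here.
 *
 * @param targetAudience audience forwarded to the selected helper
 * @param credentials credentials to obtain the token with
 * @return the token string produced by the selected helper
 * @throws IOException propagated from the selected helper
 * @throws GeneralSecurityException propagated from the selected helper
 */
private String getToken(String targetAudience, GoogleCredentials credentials)
    throws IOException, GeneralSecurityException {
  if (credentials instanceof ServiceAccountCredentials) {
    return getServiceAccountToken((ServiceAccountCredentials) credentials, targetAudience);
  }
  if (credentials instanceof UserCredentials) {
    // NOTE(review): no audience is passed on this path; confirm the resulting token is still
    // acceptable to the service that validates it.
    return getUserToken((UserCredentials) credentials);
  }
  if (credentials instanceof ComputeEngineCredentials) {
    return getDefaultGCEIdToken(targetAudience);
  }
  if (credentials instanceof ImpersonatedCredentials) {
    return getImpersonatedIdToken((ImpersonatedCredentials) credentials, targetAudience);
  }
  // Assume a type of service account credential
  return getServiceAccountIdTokenUsingAccessToken(credentials, targetAudience);
}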
Example #5
Source File:    From styx with Apache License 2.0
// NOTE(review): truncated listing. The builder chain that configures the impersonated
// credentials and the closing brace are not shown, so this does not compile as printed.
//
// Asserts that an ID token can be acquired with impersonated credentials
// (canAcquireIdToken is defined elsewhere in the test class).
public void testImpersonatedCredentials() throws IOException, GeneralSecurityException {
  final ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.newBuilder()
  assertThat(canAcquireIdToken(impersonatedCredentials), is(true));
Example #6
Source File:    From styx with Apache License 2.0
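/**
 * Resolves the service account identity that {@code credentials} act as.
 *
 * @param credentials credentials to inspect
 * @return the target principal for impersonated credentials, otherwise the signer's account
 * @throws IllegalArgumentException if the credentials are neither impersonated credentials nor a
 *     {@code ServiceAccountSigner}
 */
static String serviceAccountEmail(GoogleCredentials credentials) {
  // Checked first: for impersonated credentials the relevant identity is the impersonated
  // target, not the source credentials it was derived from.
  if (credentials instanceof ImpersonatedCredentials) {
    return ((ImpersonatedCredentials) credentials).toBuilder().getTargetPrincipal();
  }
  if (credentials instanceof ServiceAccountSigner) {
    return ((ServiceAccountSigner) credentials).getAccount();
  }
  // Other credential kinds are rejected rather than mapped to a guessed identity.
  throw new IllegalArgumentException("Credential is not a service account");
}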
Example #7
Source File:    From styx with Apache License 2.0
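/**
 * Obtains a token for {@code targetAudience} on behalf of the service account that
 * {@code credentials} impersonate.
 *
 * @param credentials impersonated credentials; their target principal is the account the token
 *     is requested for
 * @param targetAudience audience forwarded to the token helper
 * @return the token string produced by {@code getServiceAccountIdTokenUsingAccessToken}
 * @throws IOException propagated from the token helper
 */
private String getImpersonatedIdToken(ImpersonatedCredentials credentials, String targetAudience) throws IOException {
  // The account is read back from the credentials themselves, so the token is always requested
  // for the impersonated target and never for a caller-supplied name.
  final String impersonatedAccount = credentials.toBuilder().getTargetPrincipal();
  return getServiceAccountIdTokenUsingAccessToken(credentials, impersonatedAccount, targetAudience);
}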
Example #8
Source File:    From styx with Apache License 2.0
// Checks that ServiceAccounts.serviceAccountEmail reports the impersonated target
// (SERVICE_ACCOUNT) for impersonated credentials. sourceCredentials and SERVICE_ACCOUNT are
// defined elsewhere in the test class; the closing brace is not shown in this listing.
public void serviceAccountEmailImpersonatedCredentials() {
  // Built offline: no delegates, no scopes, requested lifetime of 300 seconds.
  var credentials = ImpersonatedCredentials.create(
      sourceCredentials, SERVICE_ACCOUNT, List.of(), List.of(), 300);
  assertThat(ServiceAccounts.serviceAccountEmail(credentials), is(SERVICE_ACCOUNT));