com.google.auth.oauth2.ImpersonatedCredentials Java Examples
The following examples show how to use
com.google.auth.oauth2.ImpersonatedCredentials.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: GoogleIdTokenAuthTest.java From styx with Apache License 2.0 | 6 votes |
|
@Test
public void testServiceAccountWithoutTokenCreatorRoleOnSelfFails() throws GeneralSecurityException {
Assume.assumeNotNull(credentials);
final String serviceAccount = "[email protected]";
final ImpersonatedCredentials serviceAccountCredentials = ImpersonatedCredentials.newBuilder()
.setScopes(ImmutableList.of("https://www.googleapis.com/auth/cloud-platform"))
.setSourceCredentials(credentials)
.setTargetPrincipal(serviceAccount)
.setLifetime(300)
.setDelegates(ImmutableList.of())
.build();
final GoogleIdTokenAuth idTokenAuth = GoogleIdTokenAuth.of(serviceAccountCredentials);
try {
idTokenAuth.getToken("http://styx.foo.bar");
fail();
} catch (IOException e) {
assertThat(e.getMessage(), is("Unable to sign request for id token, "
+ "missing Service Account Token Creator role for self on "
+ serviceAccount + " or IAM api not enabled?"));
}
}
Example #2
| Source File: ManagedServiceAccountKeyCredentialTest.java From styx with Apache License 2.0 | 6 votes |
|
@Before
public void setUp() throws Exception {
var defaultCredentials = GoogleCredentials.getApplicationDefault();
var serviceCredentials = ImpersonatedCredentials.create(
defaultCredentials, SERVICE_ACCOUNT,
List.of(), List.of("https://www.googleapis.com/auth/cloud-platform"), 300);
try {
serviceCredentials.refreshAccessToken();
} catch (IOException e) {
// Do not run this test if we do not have permission to impersonate the test user.
Assume.assumeNoException(e);
}
iam = new Iam.Builder(
Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(),
new HttpCredentialsAdapter(serviceCredentials.createScoped(IamScopes.all())))
.setApplicationName("styx-test")
.build();
}
Example #3
| Source File: ServiceAccountProvider.java From gcp-token-broker with Apache License 2.0 | 5 votes |
|
@Override
public AccessToken getAccessToken(String googleIdentity, List<String> scopes) {
if (! googleIdentity.endsWith(".iam.gserviceaccount.com")) {
throw new IllegalArgumentException("Google identity `" + googleIdentity + "` is not a service account");
}
try {
GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.create(credentials, googleIdentity, null, scopes, 3600);
com.google.auth.oauth2.AccessToken token = impersonatedCredentials.refreshAccessToken();
return new AccessToken(token.getTokenValue(), token.getExpirationTime().getTime());
} catch (IOException e) {
throw Status.PERMISSION_DENIED.asRuntimeException();
}
}
Example #4
| Source File: GoogleIdTokenAuth.java From styx with Apache License 2.0 | 5 votes |
|
private String getToken(String targetAudience, GoogleCredentials credentials)
throws IOException, GeneralSecurityException {
if (credentials instanceof ServiceAccountCredentials) {
return getServiceAccountToken((ServiceAccountCredentials) credentials, targetAudience);
} else if (credentials instanceof UserCredentials) {
return getUserToken((UserCredentials) credentials);
} else if (credentials instanceof ComputeEngineCredentials) {
return getDefaultGCEIdToken(targetAudience);
} else if (credentials instanceof ImpersonatedCredentials) {
return getImpersonatedIdToken((ImpersonatedCredentials) credentials, targetAudience);
} else {
// Assume a type of service account credential
return getServiceAccountIdTokenUsingAccessToken(credentials, targetAudience);
}
}
Example #5
| Source File: GoogleIdTokenAuthTest.java From styx with Apache License 2.0 | 5 votes |
|
@Test
public void testImpersonatedCredentials() throws IOException, GeneralSecurityException {
Assume.assumeNotNull(credentials);
final ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.newBuilder()
.setScopes(ImmutableList.of("https://www.googleapis.com/auth/cloud-platform"))
.setSourceCredentials(credentials)
.setTargetPrincipal("[email protected]")
.setLifetime(300)
.setDelegates(ImmutableList.of())
.build();
assertThat(canAcquireIdToken(impersonatedCredentials), is(true));
}
Example #6
| Source File: ServiceAccounts.java From styx with Apache License 2.0 | 5 votes |
|
static String serviceAccountEmail(GoogleCredentials credentials) {
if (credentials instanceof ImpersonatedCredentials) {
return ((ImpersonatedCredentials) credentials).toBuilder().getTargetPrincipal();
} else if (credentials instanceof ServiceAccountSigner) {
return ((ServiceAccountSigner) credentials).getAccount();
} else {
throw new IllegalArgumentException("Credential is not a service account");
}
}
Example #7
| Source File: GoogleIdTokenAuth.java From styx with Apache License 2.0 | 4 votes |
|
private String getImpersonatedIdToken(ImpersonatedCredentials credentials, String targetAudience) throws IOException {
final String serviceAccount = credentials.toBuilder().getTargetPrincipal();
return getServiceAccountIdTokenUsingAccessToken(credentials, serviceAccount, targetAudience);
}
Example #8
| Source File: ServiceAccountsTest.java From styx with Apache License 2.0 | 4 votes |
|
@Test
public void serviceAccountEmailImpersonatedCredentials() {
var credentials = ImpersonatedCredentials.create(
sourceCredentials, SERVICE_ACCOUNT, List.of(), List.of(), 300);
assertThat(ServiceAccounts.serviceAccountEmail(credentials), is(SERVICE_ACCOUNT));
}
