com.google.auth.oauth2.ImpersonatedCredentials Java Examples

The following examples show how to use com.google.auth.oauth2.ImpersonatedCredentials, the google-auth-library-java class that exchanges a source credential (application default credentials, a user, or another service account) for a short-lived access token or ID token belonging to a target service account. The exchange goes through the IAM Credentials API, so the source principal must hold roles/iam.serviceAccountTokenCreator on the target (and on every intermediate account when a delegation chain is used); the first example below shows what the failure looks like when that role is missing.
Example #1
Source File: GoogleIdTokenAuthTest.java    From styx with Apache License 2.0
@Test
public void testServiceAccountWithoutTokenCreatorRoleOnSelfFails() throws GeneralSecurityException {
  Assume.assumeNotNull(credentials);
  final String serviceAccount = "[email protected]";
  final ImpersonatedCredentials serviceAccountCredentials = ImpersonatedCredentials.newBuilder()
      .setScopes(ImmutableList.of("https://www.googleapis.com/auth/cloud-platform"))
      .setSourceCredentials(credentials)
      .setTargetPrincipal(serviceAccount)
      .setLifetime(300)
      .setDelegates(ImmutableList.of())
      .build();
  final GoogleIdTokenAuth idTokenAuth = GoogleIdTokenAuth.of(serviceAccountCredentials);
  try {
    idTokenAuth.getToken("http://styx.foo.bar");
    fail();
  } catch (IOException e) {
    assertThat(e.getMessage(), is("Unable to sign request for id token, "
                                  + "missing Service Account Token Creator role for self on "
                                  + serviceAccount + " or IAM api not enabled?"));
  }
}
 
Example #2
Source File: ManagedServiceAccountKeyCredentialTest.java    From styx with Apache License 2.0
@Before
public void setUp() throws Exception {
  var defaultCredentials = GoogleCredentials.getApplicationDefault();

  var serviceCredentials = ImpersonatedCredentials.create(
      defaultCredentials, SERVICE_ACCOUNT,
      List.of(), List.of("https://www.googleapis.com/auth/cloud-platform"), 300);

  try {
    serviceCredentials.refreshAccessToken();
  } catch (IOException e) {
    // Do not run this test if we do not have permission to impersonate the test user.
    Assume.assumeNoException(e);
  }

  iam = new Iam.Builder(
      Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(),
      new HttpCredentialsAdapter(serviceCredentials.createScoped(IamScopes.all())))
      .setApplicationName("styx-test")
      .build();
}
 
Example #3
Source File: ServiceAccountProvider.java    From gcp-token-broker with Apache License 2.0
@Override
public AccessToken getAccessToken(String googleIdentity, List<String> scopes) {
    if (! googleIdentity.endsWith(".iam.gserviceaccount.com")) {
        throw new IllegalArgumentException("Google identity `" + googleIdentity + "` is not a service account");
    }
    try {
        GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
        // null delegates = direct impersonation (no delegation chain); lifetime is in seconds
        // and 3600 is the default maximum enforced by the IAM Credentials API.
        ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.create(credentials, googleIdentity, null, scopes, 3600);
        com.google.auth.oauth2.AccessToken token = impersonatedCredentials.refreshAccessToken();
        return new AccessToken(token.getTokenValue(), token.getExpirationTime().getTime());
    } catch (IOException e) {
        // A rejected generateAccessToken call (missing Token Creator role, API disabled)
        // surfaces as IOException and is reported to the gRPC caller as PERMISSION_DENIED.
        throw Status.PERMISSION_DENIED.asRuntimeException();
    }
}
 
Example #4
Source File: GoogleIdTokenAuth.java    From styx with Apache License 2.0
private String getToken(String targetAudience, GoogleCredentials credentials)
    throws IOException, GeneralSecurityException {
  if (credentials instanceof ServiceAccountCredentials) {
    return getServiceAccountToken((ServiceAccountCredentials) credentials, targetAudience);
  } else if (credentials instanceof UserCredentials) {
    return getUserToken((UserCredentials) credentials);
  } else if (credentials instanceof ComputeEngineCredentials) {
    return getDefaultGCEIdToken(targetAudience);
  } else if (credentials instanceof ImpersonatedCredentials) {
    return getImpersonatedIdToken((ImpersonatedCredentials) credentials, targetAudience);
  } else {
    // Assume a type of service account credential
    return getServiceAccountIdTokenUsingAccessToken(credentials, targetAudience);
  }
}
 
Example #5
Source File: GoogleIdTokenAuthTest.java    From styx with Apache License 2.0
@Test
public void testImpersonatedCredentials() throws IOException, GeneralSecurityException {
  Assume.assumeNotNull(credentials);
  final ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.newBuilder()
      .setScopes(ImmutableList.of("https://www.googleapis.com/auth/cloud-platform"))
      .setSourceCredentials(credentials)
      .setTargetPrincipal("[email protected]")
      .setLifetime(300)
      .setDelegates(ImmutableList.of())
      .build();
  assertThat(canAcquireIdToken(impersonatedCredentials), is(true));
}
 
Example #6
Source File: ServiceAccounts.java    From styx with Apache License 2.0
static String serviceAccountEmail(GoogleCredentials credentials) {
  if (credentials instanceof ImpersonatedCredentials) {
    return ((ImpersonatedCredentials) credentials).toBuilder().getTargetPrincipal();
  } else if (credentials instanceof ServiceAccountSigner) {
    return ((ServiceAccountSigner) credentials).getAccount();
  } else {
    throw new IllegalArgumentException("Credential is not a service account");
  }
}
 
Example #7
Source File: GoogleIdTokenAuth.java    From styx with Apache License 2.0
private String getImpersonatedIdToken(ImpersonatedCredentials credentials, String targetAudience) throws IOException {
  final String serviceAccount = credentials.toBuilder().getTargetPrincipal();
  return getServiceAccountIdTokenUsingAccessToken(credentials, serviceAccount, targetAudience);
}
 
Example #8
Source File: ServiceAccountsTest.java    From styx with Apache License 2.0
@Test
public void serviceAccountEmailImpersonatedCredentials() {
  var credentials = ImpersonatedCredentials.create(
      sourceCredentials, SERVICE_ACCOUNT, List.of(), List.of(), 300);
  assertThat(ServiceAccounts.serviceAccountEmail(credentials), is(SERVICE_ACCOUNT));
}
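The snippets above each show one piece of the pattern: building the credential, refreshing an access token, mapping the failure, and recovering the target principal. The following is an added, self-contained example that is not code from styx or gcp-token-broker. It puts those pieces together the way a token broker would: the target account is checked against an allow-list, the lifetime is clamped, delegates are left empty so only direct impersonation is possible, and the IOException from a rejected generateAccessToken call is surfaced with the target named. The allow-list entry and the placeholder service account e-mail are assumptions; the ID-token path relies on ImpersonatedCredentials implementing IdTokenProvider, which is true for current google-auth-library-java releases but not the oldest ones.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdTokenCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;

import java.io.IOException;
import java.util.List;
import java.util.Set;

/** Added example: mint short-lived tokens for a target service account via impersonation. */
public final class ImpersonationExample {

  // Assumption: only these targets may be impersonated. In a real broker this comes
  // from configuration, not a literal; the e-mail below is a placeholder.
  private static final Set<String> ALLOWED_TARGETS =
      Set.of("target-sa@my-project.iam.gserviceaccount.com");

  // The IAM Credentials API caps lifetime at 3600 s unless an org policy extends it.
  // Clamp lower still: a leaked 5-minute token is worth far less than a 1-hour one.
  private static final int MAX_LIFETIME_SECONDS = 300;

  static ImpersonatedCredentials impersonate(
      GoogleCredentials source, String target, List<String> scopes, int lifetimeSeconds) {
    if (!ALLOWED_TARGETS.contains(target)) {
      throw new IllegalArgumentException("target not in allow-list: " + target);
    }
    if (scopes.isEmpty()) {
      throw new IllegalArgumentException("at least one OAuth scope is required");
    }
    return ImpersonatedCredentials.newBuilder()
        .setSourceCredentials(source)
        .setTargetPrincipal(target)
        // Empty delegates = direct impersonation. Every hop in a delegation chain would
        // need roles/iam.serviceAccountTokenCreator on the next account in the chain.
        .setDelegates(List.of())
        .setScopes(scopes)
        .setLifetime(Math.min(lifetimeSeconds, MAX_LIFETIME_SECONDS))
        .build();
  }

  /** Access token for the target, or IOException when the source lacks Token Creator on it. */
  static AccessToken accessTokenFor(GoogleCredentials source, String target, List<String> scopes)
      throws IOException {
    ImpersonatedCredentials creds = impersonate(source, target, scopes, MAX_LIFETIME_SECONDS);
    try {
      return creds.refreshAccessToken();
    } catch (IOException e) {
      // A 403 from iamcredentials.googleapis.com lands here: missing
      // roles/iam.serviceAccountTokenCreator on the target, or the API is not enabled.
      throw new IOException("impersonation of " + target + " denied", e);
    }
  }

  /** OIDC ID token signed for the target, bound to the given audience. */
  static String idTokenFor(GoogleCredentials source, String target, String audience)
      throws IOException {
    ImpersonatedCredentials creds = impersonate(
        source, target, List.of("https://www.googleapis.com/auth/cloud-platform"),
        MAX_LIFETIME_SECONDS);
    IdTokenCredentials idCreds = IdTokenCredentials.newBuilder()
        .setIdTokenProvider(creds)   // ImpersonatedCredentials implements IdTokenProvider
        .setTargetAudience(audience)
        .build();
    idCreds.refresh();
    return idCreds.getIdToken().getTokenValue();
  }

  public static void main(String[] args) throws IOException {
    GoogleCredentials source = GoogleCredentials.getApplicationDefault();
    String target = ALLOWED_TARGETS.iterator().next();

    // Least privilege: request only the scope the caller actually needs.
    AccessToken token = accessTokenFor(
        source, target, List.of("https://www.googleapis.com/auth/devstorage.read_only"));
    System.out.println("access token for " + target + " expires " + token.getExpirationTime());

    // Same approach as styx's serviceAccountEmail(): read the target back from the builder.
    ImpersonatedCredentials creds = impersonate(
        source, target, List.of("https://www.googleapis.com/auth/cloud-platform"), 60);
    System.out.println("target principal: " + creds.toBuilder().getTargetPrincipal());

    String idToken = idTokenFor(source, target, "https://my-service.example.com");
    System.out.println("id token length: " + idToken.length());
  }
}
```

Run it with application default credentials whose principal has roles/iam.serviceAccountTokenCreator on the placeholder account (and the IAM Credentials API enabled in the project); without that grant, accessTokenFor throws the wrapped IOException rather than returning a token, which is the same condition Example #1 asserts on.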