Example 1 with DownscopedCredentials

Use of com.google.auth.oauth2.DownscopedCredentials in project java-docs-samples by GoogleCloudPlatform.

From the class DownscopingExample, method getTokenFromBroker.

import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;

/**
 * Simulates a token broker generating downscoped tokens for the specified bucket.
 */
// [START auth_downscoping_token_broker]
public static AccessToken getTokenFromBroker(String bucketName, String objectPrefix)
    throws IOException {
  // Retrieve the source credentials from Application Default Credentials (ADC).
  GoogleCredentials sourceCredentials =
      GoogleCredentials.getApplicationDefault()
          .createScoped("https://www.googleapis.com/auth/cloud-platform");

  // [START auth_downscoping_rules]
  // Initialize the Credential Access Boundary rules.
  String availableResource = "//storage.googleapis.com/projects/_/buckets/" + bucketName;
  // Downscoped credentials will have read-only access to the resource. A Credential Access
  // Boundary can only narrow what the source credentials already hold; it never grants more.
  String availablePermission = "inRole:roles/storage.objectViewer";
  // Only objects whose name starts with the specified prefix will be readable.
  String expression =
      "resource.name.startsWith('projects/_/buckets/" + bucketName + "/objects/" + objectPrefix + "')";
  // Build the AvailabilityCondition.
  CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition availabilityCondition =
      CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder()
          .setExpression(expression)
          .build();
  // Define the single access boundary rule using the above properties.
  CredentialAccessBoundary.AccessBoundaryRule rule =
      CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
          .setAvailableResource(availableResource)
          .addAvailablePermission(availablePermission)
          .setAvailabilityCondition(availabilityCondition)
          .build();
  // Define the Credential Access Boundary with all the relevant rules.
  CredentialAccessBoundary credentialAccessBoundary =
      CredentialAccessBoundary.newBuilder().addRule(rule).build();
  // [END auth_downscoping_rules]

  // [START auth_downscoping_initialize_downscoped_cred]
  // Create the downscoped credentials.
  DownscopedCredentials downscopedCredentials =
      DownscopedCredentials.newBuilder()
          .setSourceCredential(sourceCredentials)
          .setCredentialAccessBoundary(credentialAccessBoundary)
          .build();
  // Retrieve the token. Only this short-lived token is passed to the Token Consumer;
  // the source credentials stay with the broker.
  AccessToken accessToken = downscopedCredentials.refreshAccessToken();
  // [END auth_downscoping_initialize_downscoped_cred]
  return accessToken;
}
// [END auth_downscoping_token_broker]
Also used: DownscopedCredentials (com.google.auth.oauth2.DownscopedCredentials), CredentialAccessBoundary (com.google.auth.oauth2.CredentialAccessBoundary), AccessToken (com.google.auth.oauth2.AccessToken), GoogleCredentials (com.google.auth.oauth2.GoogleCredentials)
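The sample above shows only the broker half of the pattern. The consumer half, as an added example that is not code from java-docs-samples or from the google-auth-library project, assumes the broker method above is on the classpath as DownscopingExample.getTokenFromBroker, that the google-cloud-storage client library is a dependency, and uses a placeholder bucket name, object prefix and object names that are assumptions rather than anything on the page. It wraps the bare AccessToken with GoogleCredentials.create, which holds only the bearer token and cannot refresh, so the consumer never sees the broker's source credentials, and then probes three operations against the boundary: a read inside the prefix (allowed, provided the source credentials themselves can read the bucket, since the effective permission is the intersection of the boundary and the source), a read outside the prefix (denied by the availability condition), and a write inside the prefix (denied because the rule carries only roles/storage.objectViewer).

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.BlobInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageException;
import com.google.cloud.storage.StorageOptions;
import java.nio.charset.StandardCharsets;
import java.util.Date;

/** Token consumer side of the broker pattern. Added example, not part of java-docs-samples. */
public class DownscopedTokenConsumer {

  enum Outcome { ALLOWED, DENIED, MISSING }

  /** Wraps the broker-issued token in credentials that can neither refresh nor widen it. */
  static Storage storageFromDownscopedToken(AccessToken token) {
    Date expiry = token.getExpirationTime();
    if (expiry != null && !expiry.after(new Date())) {
      // A downscoped token expires with the broker's source token; fail fast here rather
      // than on the first storage call.
      throw new IllegalStateException("downscoped token expired; request a new one from the broker");
    }
    // GoogleCredentials.create(AccessToken) carries only the bearer token: the consumer
    // never holds the source credentials and cannot mint a token with a wider boundary.
    GoogleCredentials consumerCredentials = GoogleCredentials.create(token);
    return StorageOptions.newBuilder().setCredentials(consumerCredentials).build().getService();
  }

  /** Fetches object metadata; DENIED when Cloud Storage answers 403, i.e. outside the boundary. */
  static Outcome tryGet(Storage storage, String bucket, String objectName) {
    try {
      return storage.get(BlobId.of(bucket, objectName)) == null ? Outcome.MISSING : Outcome.ALLOWED;
    } catch (StorageException e) {
      if (e.getCode() == 403) {
        return Outcome.DENIED;
      }
      throw e;
    }
  }

  /** Attempts an upload; DENIED when the boundary's read-only role rejects it with 403. */
  static Outcome tryWrite(Storage storage, String bucket, String objectName, String body) {
    try {
      storage.create(BlobInfo.newBuilder(bucket, objectName).build(),
          body.getBytes(StandardCharsets.UTF_8));
      return Outcome.ALLOWED;
    } catch (StorageException e) {
      if (e.getCode() == 403) {
        return Outcome.DENIED;
      }
      throw e;
    }
  }

  public static void main(String[] args) throws Exception {
    // Assumed names: the bucket must exist and be readable by the broker's source credentials.
    String bucket = "example-bucket";
    String prefix = "customer-a/";

    // Broker side: the getTokenFromBroker method shown above.
    AccessToken token = DownscopingExample.getTokenFromBroker(bucket, prefix);
    Storage storage = storageFromDownscopedToken(token);

    // Inside the prefix and within roles/storage.objectViewer.
    Outcome inside = tryGet(storage, bucket, prefix + "report.csv");
    // Outside the prefix: the availability condition denies it even though the
    // source credentials could have read it.
    Outcome outside = tryGet(storage, bucket, "customer-b/report.csv");
    // Inside the prefix but a write: the rule grants no create permission.
    Outcome write = tryWrite(storage, bucket, prefix + "new.txt", "hello");

    System.out.println("read inside prefix:   " + inside);
    System.out.println("read outside prefix:  " + outside);
    System.out.println("write inside prefix:  " + write);
  }
}
```

The Outcome enum keeps a missing object (storage.get returns null) distinct from a boundary denial (HTTP 403), which is the distinction a consumer needs when deciding whether to retry, report, or go back to the broker; a non-403 StorageException is rethrown rather than swallowed so that quota or network errors are not misread as policy decisions.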

Aggregations

AccessToken (com.google.auth.oauth2.AccessToken) 1
CredentialAccessBoundary (com.google.auth.oauth2.CredentialAccessBoundary) 1
DownscopedCredentials (com.google.auth.oauth2.DownscopedCredentials) 1
GoogleCredentials (com.google.auth.oauth2.GoogleCredentials) 1