use of com.google.auth.oauth2.DownscopedCredentials in project java-docs-samples by GoogleCloudPlatform.
Class DownscopingExample, method getTokenFromBroker.
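/**
 * Simulates token broker generating downscoped tokens for specified bucket.
 *
 * <p>The source credentials are the Application Default Credentials, scoped to
 * {@code cloud-platform}. A single Credential Access Boundary rule grants
 * {@code roles/storage.objectViewer} on {@code bucketName}, restricted by an
 * availability condition that only admits objects whose name starts with
 * {@code objectPrefix}. The downscoped credentials are refreshed once and the
 * resulting token is returned for hand-off to the token consumer.
 *
 * <p>Both parameters are interpolated into the resource name and into a CEL string
 * literal. A broker typically receives these values from the consumer, so they are
 * validated and escaped here: otherwise a {@code '} or {@code \} in the prefix could
 * terminate the literal and rewrite the condition, widening what the token may read.
 *
 * @param bucketName name of the bucket the token may read; must not be null, empty,
 *     or contain {@code /} (it is used as a single path segment of the resource name)
 * @param objectPrefix object-name prefix the token is limited to; must not be null
 *     (an empty prefix admits every object in the bucket)
 * @return the downscoped access token to pass to the token consumer
 * @throws IOException if the source credentials cannot be loaded or the token
 *     exchange fails
 * @throws NullPointerException if either argument is null
 * @throws IllegalArgumentException if {@code bucketName} is empty or contains {@code /}
 */
// [START auth_downscoping_token_broker]
public static AccessToken getTokenFromBroker(String bucketName, String objectPrefix)
    throws IOException {
  java.util.Objects.requireNonNull(bucketName, "bucketName");
  java.util.Objects.requireNonNull(objectPrefix, "objectPrefix");
  if (bucketName.isEmpty() || bucketName.contains("/")) {
    throw new IllegalArgumentException("invalid bucket name: " + bucketName);
  }

  // Retrieve the source credentials from ADC.
  GoogleCredentials sourceCredentials =
      GoogleCredentials.getApplicationDefault()
          .createScoped("https://www.googleapis.com/auth/cloud-platform");

  // [START auth_downscoping_rules]
  // Initialize the Credential Access Boundary rules.
  String availableResource = "//storage.googleapis.com/projects/_/buckets/" + bucketName;

  // Downscoped credentials will have readonly access to the resource.
  String availablePermission = "inRole:roles/storage.objectViewer";

  // Only objects starting with the specified prefix string in the object name will be allowed
  // read access.
  // Both values land inside a single-quoted CEL string literal, so escape the two
  // characters that could close it; CEL accepts \\ and \' as escape sequences.
  String escapedBucket = bucketName.replace("\\", "\\\\").replace("'", "\\'");
  String escapedPrefix = objectPrefix.replace("\\", "\\\\").replace("'", "\\'");
  String expression =
      "resource.name.startsWith('projects/_/buckets/"
          + escapedBucket
          + "/objects/"
          + escapedPrefix
          + "')";

  // Build the AvailabilityCondition.
  CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition availabilityCondition =
      CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder()
          .setExpression(expression)
          .build();

  // Define the single access boundary rule using the above properties.
  CredentialAccessBoundary.AccessBoundaryRule rule =
      CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
          .setAvailableResource(availableResource)
          .addAvailablePermission(availablePermission)
          .setAvailabilityCondition(availabilityCondition)
          .build();

  // Define the Credential Access Boundary with all the relevant rules.
  CredentialAccessBoundary credentialAccessBoundary =
      CredentialAccessBoundary.newBuilder().addRule(rule).build();
  // [END auth_downscoping_rules]

  // [START auth_downscoping_initialize_downscoped_cred]
  // Create the downscoped credentials.
  DownscopedCredentials downscopedCredentials =
      DownscopedCredentials.newBuilder()
          .setSourceCredential(sourceCredentials)
          .setCredentialAccessBoundary(credentialAccessBoundary)
          .build();

  // Retrieve the token.
  // This will need to be passed to the Token Consumer.
  AccessToken accessToken = downscopedCredentials.refreshAccessToken();
  // [END auth_downscoping_initialize_downscoped_cred]

  return accessToken;
}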