Included changes for Documenting Custom Credential Suppliers for AWS Workloads and Okta Workload.

vverman · vverman · commit 49d17f5aefbc · 2025-10-13T12:18:11.000-07:00
diff --git a/samples/snippets/pom.xml b/samples/snippets/pom.xml
@@ -63,6 +63,25 @@
       <artifactId>google-cloud-storage</artifactId>
     </dependency>
 
+    <!-- AWS SDK for Java V2 -->
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>auth</artifactId>
+      <version>2.20.27</version>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>regions</artifactId>
+      <version>2.20.27</version>
+    </dependency>
+
+    <!-- Gson -->
+    <dependency>
+      <groupId>com.google.code.gson</groupId>
+      <artifactId>gson</artifactId>
+      <version>2.10.1</version>
+    </dependency>
+
 <!--    Test dependencies-->
     <dependency>
       <groupId>junit</groupId>
diff --git a/samples/snippets/src/main/java/CustomCredentialSupplierAwsWorkload.java b/samples/snippets/src/main/java/CustomCredentialSupplierAwsWorkload.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import com.google.auth.oauth2.AwsCredentials;
+import com.google.auth.oauth2.AwsSecurityCredentialsSupplier;
+import com.google.auth.oauth2.ExternalAccountSupplierContext;
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.cloud.storage.Bucket;
+import com.google.cloud.storage.Storage;
+import com.google.cloud.storage.StorageOptions;
+import java.io.IOException;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain;
+
+/**
+ * This sample demonstrates how to use a custom AWS security credentials supplier to authenticate
+ * with Google Cloud.
+ */
+public class CustomCredentialSupplierAwsWorkload {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(Developer): Replace these variables with your actual values.
+    String gcpWorkloadAudience = System.getenv("GCP_WORKLOAD_AUDIENCE");
+    String saImpersonationUrl = System.getenv("GCP_SERVICE_ACCOUNT_IMPERSONATION_URL");
+    String gcsBucketName = System.getenv("GCS_BUCKET_NAME");
+
+    if (gcpWorkloadAudience == null
+        || saImpersonationUrl == null
+        || gcsBucketName == null) {
+      System.out.println(
+          "Missing required environment variables. Please check your environment settings. "
+              + "Required: GCP_WORKLOAD_AUDIENCE, GCP_SERVICE_ACCOUNT_IMPERSONATION_URL, GCS_BUCKET_NAME");
+      return;
+    }
+
+    customCredentialSupplierAwsWorkload(gcpWorkloadAudience, saImpersonationUrl, gcsBucketName);
+  }
+
+  public static void customCredentialSupplierAwsWorkload(
+      String gcpWorkloadAudience, String saImpersonationUrl, String gcsBucketName)
+      throws IOException {
+    // 1. Instantiate the custom supplier.
+    CustomAwsSupplier customSupplier = new CustomAwsSupplier();
+
+    // 2. Configure the AwsCredentials options.
+    GoogleCredentials credentials =
+        AwsCredentials.newBuilder()
+            .setAudience(gcpWorkloadAudience)
+            .setSubjectTokenType("urn:ietf:params:aws:token-type:aws4_request")
+            .setServiceAccountImpersonationUrl(saImpersonationUrl)
+            .setAwsSecurityCredentialsSupplier(customSupplier)
+            .build();
+
+    // 3. Use the credentials to make an authenticated request.
+    Storage storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService();
+
+    System.out.println("[Test] Getting metadata for bucket: " + gcsBucketName + "...");
+    Bucket bucket = storage.get(gcsBucketName);
+    System.out.println(" --- SUCCESS! ---");
+    System.out.println("Successfully authenticated and retrieved bucket data:");
+    System.out.println(bucket.toString());
+  }
+
+  /**
+   * Custom AWS Security Credentials Supplier.
+   *
+   * <p>This implementation resolves AWS credentials using the default provider chain from the AWS
+   * SDK. This allows fetching credentials from environment variables, shared credential files
+   * (~/.aws/credentials), or IAM roles for service accounts (IRSA) in EKS, etc.
+   */
+  private static class CustomAwsSupplier implements AwsSecurityCredentialsSupplier {
+
+    private final AwsCredentialsProvider awsCredentialsProvider;
+    private String region;
+
+    public CustomAwsSupplier() {
+      // The AWS SDK handles memoization (caching) and proactive refreshing internally.
+      this.awsCredentialsProvider = DefaultCredentialsProvider.create();
+    }
+
+    /**
+     * Returns the AWS region. This is required for signing the AWS request. It resolves the region
+     * automatically by using the default AWS region provider chain, which searches for the region
+     * in the standard locations (environment variables, AWS config file, etc.).
+     */
+    @Override
+    public String getRegion(ExternalAccountSupplierContext context) {
+      if (this.region == null) {
+        Region awsRegion = new DefaultAwsRegionProviderChain().getRegion();
+        if (awsRegion != null) {
+          this.region = awsRegion.id();
+        }
+      }
+      if (this.region == null) {
+        throw new IllegalStateException(
+            "CustomAwsSupplier: Unable to resolve AWS region. Please set the AWS_REGION "
+                + "environment variable or configure it in your ~/.aws/config file.");
+      }
+      return this.region;
+    }
+
+    /** Retrieves AWS security credentials using the AWS SDK's default provider chain. */
+    @Override
+    public com.google.auth.oauth2.AwsSecurityCredentials getCredentials(
+        ExternalAccountSupplierContext context) {
+      software.amazon.awssdk.auth.credentials.AwsCredentials credentials =
+          this.awsCredentialsProvider.resolveCredentials();
+      if (credentials == null
+          || credentials.accessKeyId() == null
+          || credentials.secretAccessKey() == null) {
+        throw new IllegalStateException(
+            "Unable to resolve AWS credentials from the default provider chain. "
+                + "Ensure your AWS CLI is configured, or AWS environment variables "
+                + "(like AWS_ACCESS_KEY_ID) are set.");
+      }
+
+      String sessionToken = null;
+      if (credentials instanceof AwsSessionCredentials) {
+        sessionToken = ((AwsSessionCredentials) credentials).sessionToken();
+      }
+
+      return new com.google.auth.oauth2.AwsSecurityCredentials(
+          credentials.accessKeyId(), credentials.secretAccessKey(), sessionToken);
+    }
+  }
+}
diff --git a/samples/snippets/src/main/java/CustomCredentialSupplierOktaWorkload.java b/samples/snippets/src/main/java/CustomCredentialSupplierOktaWorkload.java
@@ -0,0 +1,197 @@
+/*
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import com.google.auth.oauth2.ExternalAccountSupplierContext;
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.auth.oauth2.IdentityPoolCredentials;
+import com.google.auth.oauth2.IdentityPoolSubjectTokenSupplier;
+import com.google.cloud.storage.Bucket;
+import com.google.cloud.storage.Storage;
+import com.google.cloud.storage.StorageOptions;
+import com.google.gson.Gson;
+import com.google.gson.JsonObject;
+import java.io.BufferedReader;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
+/**
+ * This sample demonstrates how to use a custom subject token supplier to authenticate with Google
+ * Cloud, using Okta as the identity provider.
+ */
+public class CustomCredentialSupplierOktaWorkload {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(Developer): Replace these variables with your actual values.
+    String gcpWorkloadAudience = System.getenv("GCP_WORKLOAD_AUDIENCE");
+    String serviceAccountImpersonationUrl =
+        System.getenv("GCP_SERVICE_ACCOUNT_IMPERSONATION_URL");
+    String gcsBucketName = System.getenv("GCS_BUCKET_NAME");
+    String oktaDomain = System.getenv("OKTA_DOMAIN");
+    String oktaClientId = System.getenv("OKTA_CLIENT_ID");
+    String oktaClientSecret = System.getenv("OKTA_CLIENT_SECRET");
+
+    if (gcpWorkloadAudience == null
+        || serviceAccountImpersonationUrl == null
+        || gcsBucketName == null
+        || oktaDomain == null
+        || oktaClientId == null
+        || oktaClientSecret == null) {
+      System.out.println(
+          "Missing required environment variables. Please check your environment settings. "
+              + "Required: GCP_WORKLOAD_AUDIENCE, GCP_SERVICE_ACCOUNT_IMPERSONATION_URL, "
+              + "GCS_BUCKET_NAME, OKTA_DOMAIN, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET");
+      return;
+    }
+
+    customCredentialSupplierOktaWorkload(
+        gcpWorkloadAudience,
+        serviceAccountImpersonationUrl,
+        gcsBucketName,
+        oktaDomain,
+        oktaClientId,
+        oktaClientSecret);
+  }
+
+  public static void customCredentialSupplierOktaWorkload(
+      String gcpWorkloadAudience,
+      String serviceAccountImpersonationUrl,
+      String gcsBucketName,
+      String oktaDomain,
+      String oktaClientId,
+      String oktaClientSecret)
+      throws IOException {
+    // 1. Instantiate our custom supplier with Okta credentials.
+    OktaClientCredentialsSupplier oktaSupplier =
+        new OktaClientCredentialsSupplier(oktaDomain, oktaClientId, oktaClientSecret);
+
+    // 2. Instantiate an IdentityPoolCredentials with the required configuration.
+    GoogleCredentials credentials =
+        IdentityPoolCredentials.newBuilder()
+            .setAudience(gcpWorkloadAudience)
+            .setSubjectTokenType("urn:ietf:params:oauth:token-type:jwt")
+            .setTokenUrl("https://sts.googleapis.com/v1/token")
+            .setSubjectTokenSupplier(oktaSupplier)
+            .setServiceAccountImpersonationUrl(serviceAccountImpersonationUrl)
+            .build();
+
+    // 3. Use the credentials to make an authenticated request.
+    Storage storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService();
+
+    System.out.println("[Test] Getting metadata for bucket: " + gcsBucketName + "...");
+    Bucket bucket = storage.get(gcsBucketName);
+    System.out.println(" --- SUCCESS! ---");
+    System.out.println("Successfully authenticated and retrieved bucket data:");
+    System.out.println(bucket.toString());
+  }
+
+  /**
+   * A custom SubjectTokenSupplier that authenticates with Okta using the Client Credentials grant
+   * flow.
+   */
+  private static class OktaClientCredentialsSupplier implements IdentityPoolSubjectTokenSupplier {
+
+    private final String oktaTokenUrl;
+    private final String clientId;
+    private final String clientSecret;
+    private String accessToken;
+    private long expiryTime;
+
+    public OktaClientCredentialsSupplier(String domain, String clientId, String clientSecret) {
+      this.oktaTokenUrl = domain + "/oauth2/default/v1/token";
+      this.clientId = clientId;
+      this.clientSecret = clientSecret;
+      System.out.println("OktaClientCredentialsSupplier initialized.");
+    }
+
+    /**
+     * Main method called by the auth library. It will fetch a new token if one is not already
+     * cached.
+     */
+    @Override
+    public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {
+      // Check if the current token is still valid (with a 60-second buffer).
+      boolean isTokenValid = this.accessToken != null && System.currentTimeMillis() < this.expiryTime - 60 * 1000;
+
+      if (isTokenValid) {
+        System.out.println("[Supplier] Returning cached Okta Access token.");
+        return this.accessToken;
+      }
+
+      System.out.println(
+          "[Supplier] Token is missing or expired. Fetching new Okta Access token via Client "
+              + "Credentials grant...");
+      fetchOktaAccessToken();
+      return this.accessToken;
+    }
+
+    /**
+     * Performs the Client Credentials grant flow by making a POST request to Okta's token
+     * endpoint.
+     */
+    private void fetchOktaAccessToken() throws IOException {
+      URL url = new URL(this.oktaTokenUrl);
+      HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+      conn.setRequestMethod("POST");
+      conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
+
+      String auth = this.clientId + ":" + this.clientSecret;
+      String encodedAuth = Base64.getEncoder().encodeToString(auth.getBytes(StandardCharsets.UTF_8));
+      conn.setRequestProperty("Authorization", "Basic " + encodedAuth);
+
+      conn.setDoOutput(true);
+      try (DataOutputStream out = new DataOutputStream(conn.getOutputStream())) {
+        String params = "grant_type=client_credentials&scope=gcp.test.read";
+        out.writeBytes(params);
+        out.flush();
+      }
+
+      int responseCode = conn.getResponseCode();
+      if (responseCode == HttpURLConnection.HTTP_OK) {
+        try (BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
+          StringBuilder response = new StringBuilder();
+          String line;
+          while ((line = in.readLine()) != null) {
+            response.append(line);
+          }
+
+          Gson gson = new Gson();
+          JsonObject jsonObject = gson.fromJson(response.toString(), JsonObject.class);
+
+          if (jsonObject.has("access_token") && jsonObject.has("expires_in")) {
+            this.accessToken = jsonObject.get("access_token").getAsString();
+            int expiresIn = jsonObject.get("expires_in").getAsInt();
+            this.expiryTime = System.currentTimeMillis() + expiresIn * 1000;
+            System.out.println(
+                "[Supplier] Successfully received Access Token from Okta. Expires in "
+                    + expiresIn
+                    + " seconds.");
+          } else {
+            throw new IOException("Access token or expires_in not found in Okta response.");
+          }
+        }
+      } else {
+        throw new IOException(
+            "Failed to authenticate with Okta using Client Credentials grant. Response code: "
+                + responseCode);
+      }
+    }
+  }
+}
