|
| 1 | +/* |
| 2 | + * Copyright 2023 Google LLC |
| 3 | + * |
| 4 | + * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | + * you may not use this file except in compliance with the License. |
| 6 | + * You may obtain a copy of the License at |
| 7 | + * |
| 8 | + * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | + * |
| 10 | + * Unless required by applicable law or agreed to in writing, software |
| 11 | + * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | + * See the License for the specific language governing permissions and |
| 14 | + * limitations under the License. |
| 15 | + */ |
| 16 | + |
| 17 | +// [START auth_cloud_accesstoken_impersonated_credentials] |
| 18 | + |
| 19 | +import com.google.auth.oauth2.GoogleCredentials; |
| 20 | +import com.google.auth.oauth2.ImpersonatedCredentials; |
| 21 | +import java.io.IOException; |
| 22 | +import java.util.Arrays; |
| 23 | +import java.util.List; |
| 24 | + |
| 25 | +public class AccessTokenFromImpersonatedCredentials { |
| 26 | + |
| 27 | + public static void main(String[] args) throws IOException { |
| 28 | + // TODO(Developer): Replace the below variables before running the code. |
| 29 | + |
| 30 | + // Provide the scopes that you might need to request access to Google APIs, |
| 31 | + // depending on the level of access you need. |
| 32 | + // This example uses the cloud-wide scope and uses IAM to narrow the permissions. |
| 33 | + // https://cloud.google.com/docs/authentication/external/authorization-gcp |
| 34 | + // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes |
| 35 | + String scope = "https://www.googleapis.com/auth/cloud-platform"; |
| 36 | + |
| 37 | + // The name of the privilege-bearing service account for whom the credential is created. |
| 38 | + String impersonatedServiceAccount = "[email protected]"; |
| 39 | + |
| 40 | + getAccessToken(impersonatedServiceAccount, scope); |
| 41 | + } |
| 42 | + |
| 43 | + // Use a service account (SA1) to impersonate as another service account (SA2) and obtain id token |
| 44 | + // for the impersonated account. |
| 45 | + // To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission |
| 46 | + // on SA2. |
| 47 | + public static void getAccessToken( |
| 48 | + String impersonatedServiceAccount, String scope) throws IOException { |
| 49 | + |
| 50 | + // Construct the GoogleCredentials object which obtains the default configuration from your |
| 51 | + // working environment. |
| 52 | + GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault(); |
| 53 | + |
| 54 | + // delegates: The chained list of delegates required to grant the final accessToken. |
| 55 | + // For more information, see: |
| 56 | + // https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions |
| 57 | + // Delegate is NOT USED here. |
| 58 | + List<String> delegates = null; |
| 59 | + |
| 60 | + // Create the impersonated credential. |
| 61 | + ImpersonatedCredentials impersonatedCredentials = |
| 62 | + ImpersonatedCredentials.newBuilder() |
| 63 | + .setSourceCredentials(googleCredentials) |
| 64 | + .setTargetPrincipal(impersonatedServiceAccount) |
| 65 | + .setScopes(Arrays.asList(scope)) |
| 66 | + .setLifetime(300) |
| 67 | + .setDelegates(delegates) |
| 68 | + .build(); |
| 69 | + |
| 70 | + // Get the OAuth2 token. |
| 71 | + // Once you've obtained the OAuth2 token, you can use it to make an authenticated call. |
| 72 | + impersonatedCredentials.refresh(); |
| 73 | + String accessToken = impersonatedCredentials.getAccessToken().getTokenValue(); |
| 74 | + System.out.println("Generated access token."); |
| 75 | + } |
| 76 | +} |
| 77 | +// [END auth_cloud_accesstoken_impersonated_credentials] |
0 commit comments