diff --git a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsClient.java b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsClient.java
index c914b58778ba..58f66c3ad587 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsClient.java
+++ b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsClient.java
@@ -18,7 +18,6 @@
 import com.google.api.core.BetaApi;
 import com.google.api.gax.core.BackgroundResource;
 import com.google.api.gax.rpc.UnaryCallable;
-import com.google.api.pathtemplate.PathTemplate;
 import com.google.cloud.iam.credentials.v1.stub.IamCredentialsStub;
 import com.google.cloud.iam.credentials.v1.stub.IamCredentialsStubSettings;
 import com.google.protobuf.ByteString;
@@ -45,11 +44,11 @@
 *
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> delegates = new ArrayList<>();
* List<String> scope = new ArrayList<>();
* Duration lifetime = Duration.newBuilder().build();
- * GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(formattedName, delegates, scope, lifetime);
+ * GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
* }
*
*
@@ -110,34 +109,6 @@ public class IamCredentialsClient implements BackgroundResource {
private final IamCredentialsSettings settings;
private final IamCredentialsStub stub;
- private static final PathTemplate SERVICE_ACCOUNT_PATH_TEMPLATE =
- PathTemplate.createWithoutUrlEncoding("projects/{project}/serviceAccounts/{service_account}");
-
- /**
- * Formats a string containing the fully-qualified path to represent a service_account resource.
- */
- public static final String formatServiceAccountName(String project, String serviceAccount) {
- return SERVICE_ACCOUNT_PATH_TEMPLATE.instantiate(
- "project", project,
- "service_account", serviceAccount);
- }
-
- /**
- * Parses the project from the given fully-qualified path which represents a service_account
- * resource.
- */
- public static final String parseProjectFromServiceAccountName(String serviceAccountName) {
- return SERVICE_ACCOUNT_PATH_TEMPLATE.parse(serviceAccountName).get("project");
- }
-
- /**
- * Parses the service_account from the given fully-qualified path which represents a
- * service_account resource.
- */
- public static final String parseServiceAccountFromServiceAccountName(String serviceAccountName) {
- return SERVICE_ACCOUNT_PATH_TEMPLATE.parse(serviceAccountName).get("service_account");
- }
-
/** Constructs an instance of IamCredentialsClient with default settings. */
public static final IamCredentialsClient create() throws IOException {
return create(IamCredentialsSettings.newBuilder().build());
@@ -194,11 +165,57 @@ public IamCredentialsStub getStub() {
*
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> delegates = new ArrayList<>();
* List<String> scope = new ArrayList<>();
* Duration lifetime = Duration.newBuilder().build();
- * GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(formattedName, delegates, scope, lifetime);
+ * GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
+ * }
+ *
+ *
+ * @param name The resource name of the service account for which the credentials are requested,
+ * in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ * @param delegates The sequence of service accounts in a delegation chain. Each service account
+ * must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
+ * in the chain. The last service account in the chain must be granted the
+ * `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
+ * `name` field of the request.
+ * The delegates must have the following format:
+ * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ * @param scope Code to identify the scopes to be included in the OAuth 2.0 access token. See
+ * https://developers.google.com/identity/protocols/googlescopes for more information. At
+ * least one value required.
+ * @param lifetime The desired lifetime duration of the access token in seconds. Must be set to a
+ * value less than or equal to 3600 (1 hour). If a value is not specified, the token's
+ * lifetime will be set to a default value of one hour.
+ * @throws com.google.api.gax.rpc.ApiException if the remote call fails
+ */
+ public final GenerateAccessTokenResponse generateAccessToken(
+ ServiceAccountName name, List Sample code:
+ *
+ * The delegates must have the following format:
+ * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ * @param audience The audience for the token, such as the API or account that this token grants
+ * access to.
+ * @param includeEmail Include the service account email in the token. If set to `true`, the token
+ * will contain `email` and `email_verified` claims.
+ * @throws com.google.api.gax.rpc.ApiException if the remote call fails
+ */
+ public final GenerateIdTokenResponse generateIdToken(
+ ServiceAccountName name, List Sample code:
+ *
+ * The delegates must have the following format:
+ * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ * @param payload The bytes to sign.
+ * @throws com.google.api.gax.rpc.ApiException if the remote call fails
+ */
+ public final SignBlobResponse signBlob(
+ ServiceAccountName name, List Sample code:
+ *
+ * Claims from the incoming token can be transferred into the output token accoding to the
+ * mapper configuration. The outgoing claim size is limited. Outgoing claims size must be less
+ * than 4kB serialized as JSON without whitespace.
+ * Example header: { "alg": "RS256", "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8" }
+ * Example payload: { "iss": "https://accounts.google.com", "iat": 1517963104, "exp":
+ * 1517966704, "aud": "https://iamcredentials.googleapis.com/", "sub":
+ * "113475438248934895348", "my_claims": { "additional_claim": "value" } }
+ * @throws com.google.api.gax.rpc.ApiException if the remote call fails
+ */
+ public final GenerateIdentityBindingAccessTokenResponse generateIdentityBindingAccessToken(
+ ServiceAccountName name, List Sample code:
+ *
+ *
*
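Review bot: The sample for the new `generateAccessToken(ServiceAccountName, ...)` overload passes an empty `scope` list, while the `@param scope` text in the same hunk says at least one value is required, so the sample as written does not show a valid request. A placeholder such as `List<String> scope = Arrays.asList("[SCOPE]");` with the comment `// request only the scopes the caller needs` would match the doc and point readers towards a narrowly scoped token. The `@param name` text also gives the format `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`, yet the sample builds the name from `"[PROJECT]"`; the doc should state whether a concrete project id is accepted there. The empty-`scope` sample recurs in the later `generateAccessToken` and `generateIdentityBindingAccessToken` sample hunks, and `accoding` in the added claims paragraph should read `according`.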
@@ -221,7 +238,7 @@ public IamCredentialsStub getStub() {
*/
public final GenerateAccessTokenResponse generateAccessToken(
String name, List
+ * try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * List<String> delegates = new ArrayList<>();
+ * List<String> scope = new ArrayList<>();
+ * Duration lifetime = Duration.newBuilder().build();
+ * GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name.toString(), delegates, scope, lifetime);
* }
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> scope = new ArrayList<>();
* GenerateAccessTokenRequest request = GenerateAccessTokenRequest.newBuilder()
- * .setName(formattedName)
+ * .setName(name.toString())
* .addAllScope(scope)
* .build();
* GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(request);
@@ -265,10 +282,10 @@ public final GenerateAccessTokenResponse generateAccessToken(GenerateAccessToken
*
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> scope = new ArrayList<>();
* GenerateAccessTokenRequest request = GenerateAccessTokenRequest.newBuilder()
- * .setName(formattedName)
+ * .setName(name.toString())
* .addAllScope(scope)
* .build();
* ApiFuture<GenerateAccessTokenResponse> future = iamCredentialsClient.generateAccessTokenCallable().futureCall(request);
@@ -290,11 +307,55 @@ public final GenerateAccessTokenResponse generateAccessToken(GenerateAccessToken
*
*
+ *
+ * @param name The resource name of the service account for which the credentials are requested,
+ * in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ * @param delegates The sequence of service accounts in a delegation chain. Each service account
+ * must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
+ * in the chain. The last service account in the chain must be granted the
+ * `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
+ * `name` field of the request.
+ *
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * List<String> delegates = new ArrayList<>();
+ * String audience = "";
+ * boolean includeEmail = false;
+ * GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(name, delegates, audience, includeEmail);
+ * }
+ *
*
@@ -315,7 +376,7 @@ public final GenerateAccessTokenResponse generateAccessToken(GenerateAccessToken
*/
public final GenerateIdTokenResponse generateIdToken(
String name, List
+ * try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> delegates = new ArrayList<>();
* String audience = "";
* boolean includeEmail = false;
- * GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(formattedName, delegates, audience, includeEmail);
+ * GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(name.toString(), delegates, audience, includeEmail);
* }
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* String audience = "";
* GenerateIdTokenRequest request = GenerateIdTokenRequest.newBuilder()
- * .setName(formattedName)
+ * .setName(name.toString())
* .setAudience(audience)
* .build();
* GenerateIdTokenResponse response = iamCredentialsClient.generateIdToken(request);
@@ -359,10 +420,10 @@ public final GenerateIdTokenResponse generateIdToken(GenerateIdTokenRequest requ
*
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* String audience = "";
* GenerateIdTokenRequest request = GenerateIdTokenRequest.newBuilder()
- * .setName(formattedName)
+ * .setName(name.toString())
* .setAudience(audience)
* .build();
* ApiFuture<GenerateIdTokenResponse> future = iamCredentialsClient.generateIdTokenCallable().futureCall(request);
@@ -384,10 +445,49 @@ public final GenerateIdTokenResponse generateIdToken(GenerateIdTokenRequest requ
*
*
+ *
+ * @param name The resource name of the service account for which the credentials are requested,
+ * in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ * @param delegates The sequence of service accounts in a delegation chain. Each service account
+ * must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account
+ * in the chain. The last service account in the chain must be granted the
+ * `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the
+ * `name` field of the request.
+ *
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> delegates = new ArrayList<>();
* ByteString payload = ByteString.copyFromUtf8("");
- * SignBlobResponse response = iamCredentialsClient.signBlob(formattedName, delegates, payload);
+ * SignBlobResponse response = iamCredentialsClient.signBlob(name, delegates, payload);
+ * }
+ *
*
@@ -404,7 +504,7 @@ public final GenerateIdTokenResponse generateIdToken(GenerateIdTokenRequest requ
* @throws com.google.api.gax.rpc.ApiException if the remote call fails
*/
public final SignBlobResponse signBlob(String name, List
+ * try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * List<String> delegates = new ArrayList<>();
+ * ByteString payload = ByteString.copyFromUtf8("");
+ * SignBlobResponse response = iamCredentialsClient.signBlob(name.toString(), delegates, payload);
* }
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* ByteString payload = ByteString.copyFromUtf8("");
* SignBlobRequest request = SignBlobRequest.newBuilder()
- * .setName(formattedName)
+ * .setName(name.toString())
* .setPayload(payload)
* .build();
* SignBlobResponse response = iamCredentialsClient.signBlob(request);
@@ -447,10 +547,10 @@ public final SignBlobResponse signBlob(SignBlobRequest request) {
*
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* ByteString payload = ByteString.copyFromUtf8("");
* SignBlobRequest request = SignBlobRequest.newBuilder()
- * .setName(formattedName)
+ * .setName(name.toString())
* .setPayload(payload)
* .build();
* ApiFuture<SignBlobResponse> future = iamCredentialsClient.signBlobCallable().futureCall(request);
@@ -471,7 +571,7 @@ public final UnaryCallable
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * String formattedName = ServiceAccountName.format("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> delegates = new ArrayList<>();
* String payload = "";
* SignJwtResponse response = iamCredentialsClient.signJwt(formattedName, delegates, payload);
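Review bot: The `signJwt` samples here and in the hunks at `@@ -591` and `@@ -634` switch to `String formattedName = ServiceAccountName.format(...)`, while the samples for every other method visible in this commit use the typed `ServiceAccountName.of(...)`. No `signJwt(ServiceAccountName, ...)` overload is visible in this diff, so callers appear to be left with two naming styles in one client. If the overload is intentionally absent, a one-line Javadoc remark such as `Use ServiceAccountName.format(...) or name.toString() to build the name argument.` would make that explicit; otherwise the overload should be added alongside the others.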
@@ -491,7 +591,7 @@ public final UnaryCallable
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * String formattedName = ServiceAccountName.format("[PROJECT]", "[SERVICE_ACCOUNT]");
* String payload = "";
* SignJwtRequest request = SignJwtRequest.newBuilder()
* .setName(formattedName)
@@ -534,7 +634,7 @@ public final SignJwtResponse signJwt(SignJwtRequest request) {
*
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * String formattedName = ServiceAccountName.format("[PROJECT]", "[SERVICE_ACCOUNT]");
* String payload = "";
* SignJwtRequest request = SignJwtRequest.newBuilder()
* .setName(formattedName)
@@ -558,10 +658,66 @@ public final UnaryCallable
+ *
+ * @param name The resource name of the service account for which the credentials are requested,
+ * in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ * @param scope Code to identify the scopes to be included in the OAuth 2.0 access token. See
+ * https://developers.google.com/identity/protocols/googlescopes for more information. At
+ * least one value required.
+ * @param jwt Required. Input token. Must be in JWT format according to RFC7523
+ * (https://tools.ietf.org/html/rfc7523) and must have 'kid' field in the header. Supported
+ * signing algorithms: RS256 (RS512, ES256, ES512 coming soon). Mandatory payload fields
+ * (along the lines of RFC 7523, section 3): - iss: issuer of the token. Must provide a
+ * discovery document at $iss/.well-known/openid-configuration . The document needs to be
+ * formatted according to section 4.2 of the OpenID Connect Discovery 1.0 specification. -
+ * iat: Issue time in seconds since epoch. Must be in the past. - exp: Expiration time in
+ * seconds since epoch. Must be less than 48 hours after iat. We recommend to create tokens
+ * that last shorter than 6 hours to improve security unless business reasons mandate longer
+ * expiration times. Shorter token lifetimes are generally more secure since tokens that have
+ * been exfiltrated by attackers can be used for a shorter time. you can configure the maximum
+ * lifetime of the incoming token in the configuration of the mapper. The resulting Google
+ * token will expire within an hour or at "exp", whichever is earlier. - sub: JWT subject,
+ * identity asserted in the JWT. - aud: Configured in the mapper policy. By default the
+ * service account email.
+ *
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> scope = new ArrayList<>();
* String jwt = "";
- * GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(formattedName, scope, jwt);
+ * GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(name, scope, jwt);
+ * }
+ *
*
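Review bot: The added `@param jwt` text packs the token requirements (`kid` header, `iss`, `iat`, `exp`, `sub`, `aud`) into one run-on paragraph with inline `-` markers, which makes the constraints that matter for safe use, such as `exp` being less than 48 hours after `iat`, easy to miss. Rendering them as an HTML list (`<ul><li>iss: ...</li> ... </ul>`) and capitalising `you can configure` would fix the readability. The sample in the same hunk also sets `String jwt = "";` although the parameter is documented as required; a labelled placeholder like `String jwt = "[SIGNED_JWT]";` would be less misleading.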
@@ -596,7 +752,7 @@ public final UnaryCallable
+ * try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * List<String> scope = new ArrayList<>();
+ * String jwt = "";
+ * GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(name.toString(), scope, jwt);
* }
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> scope = new ArrayList<>();
* String jwt = "";
* GenerateIdentityBindingAccessTokenRequest request = GenerateIdentityBindingAccessTokenRequest.newBuilder()
- * .setName(formattedName)
+ * .setName(name.toString())
* .addAllScope(scope)
* .setJwt(jwt)
* .build();
@@ -642,11 +798,11 @@ public final GenerateIdentityBindingAccessTokenResponse generateIdentityBindingA
*
*
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> scope = new ArrayList<>();
* String jwt = "";
* GenerateIdentityBindingAccessTokenRequest request = GenerateIdentityBindingAccessTokenRequest.newBuilder()
- * .setName(formattedName)
+ * .setName(name.toString())
* .addAllScope(scope)
* .setJwt(jwt)
* .build();
diff --git a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/package-info.java b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/package-info.java
index 61f2ddfa4165..a004cb641506 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/package-info.java
+++ b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/package-info.java
@@ -35,11 +35,11 @@
*
*
diff --git a/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/IamCredentialsClientTest.java b/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/IamCredentialsClientTest.java
index c84bf6668005..f6e3d117291e 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/IamCredentialsClientTest.java
+++ b/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/IamCredentialsClientTest.java
@@ -83,21 +83,20 @@ public void generateAccessTokenTest() {
GenerateAccessTokenResponse.newBuilder().setAccessToken(accessToken).build();
mockIAMCredentials.addResponse(expectedResponse);
- String formattedName =
- IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
List
* try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
- * String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+ * ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
* List<String> delegates = new ArrayList<>();
* List<String> scope = new ArrayList<>();
* Duration lifetime = Duration.newBuilder().build();
- * GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(formattedName, delegates, scope, lifetime);
+ * GenerateAccessTokenResponse response = iamCredentialsClient.generateAccessToken(name, delegates, scope, lifetime);
* }
*
*