Class SecretsApiBearerTokenCredentials

  • All Implemented Interfaces:
    Serializable

    public class SecretsApiBearerTokenCredentials
    extends com.google.auth.Credentials
    Provides Google SDK credentials from the secrets API. This can be used with the SignedJwtSecretStore (in the secrets-backend-jwt module) to produce service account credentials on-the-fly:
    
     Credentials kmsCredentials(Clock clock, String saEmail) {
       SecretsProvider secretsProvider = new SecretsProvider(clock);

       // Configure a secret store to load the private key. Only a reference is held here, so the
       // key material is fetched from the store each time a JWT has to be signed.
       Purpose<SigningKey> signingPurpose = purpose("gcp.request.signing", SigningKey.class);
       SecretReference<SigningKey> serviceAccountSigningKey =
           new SecretReference<>(secretsProvider, signingPurpose, clock);

       // saEmail comes from the service account config. The signed JWT is presented directly as the
       // bearer token, so "aud" must be whatever the target API expects: for Google's self-signed JWT
       // flow that is the service endpoint URL, not an OAuth scope URL.
       SignedJwtSecretStore jwtStore = new SignedJwtSecretStore(serviceAccountSigningKey, JwsAlgorithm.RS256, clock,
           claims -> claims.iss(saEmail).sub(saEmail).aud("https://cloudkms.googleapis.com/"));

       // Expose the signed JWT as a generic secret and hand the credentials a reference to it.
       Purpose<GenericSecret> kmsAccessToken = purpose("gcp.kms.access_token", GenericSecret.class);
       secretsProvider.setActiveStore(jwtStore, kmsAccessToken);
       SecretReference<GenericSecret> kmsAccessTokenRef =
           new SecretReference<>(secretsProvider, kmsAccessToken, clock);
       return new SecretsApiBearerTokenCredentials(kmsAccessTokenRef);
     }
     
    The advantage of using the Secrets API over the built-in GCP credentials is that the credentials hold only a reference to the signing key rather than the key material itself, so the private key can be rotated (or revoked) in the secret store without rebuilding the credentials object.
    See Also:
    Serialized Form
    • Constructor Detail

      • SecretsApiBearerTokenCredentials

        public SecretsApiBearerTokenCredentials(Function<URI,SecretReference<GenericSecret>> bearerTokenLookup)
        Initialises the credentials with the given mapping from URIs to bearer token references. The function is consulted with the URI of each request, so it can select a different token for each host or API, and can decline to supply any token for URIs it does not recognise.
        Parameters:
        bearerTokenLookup - the function to map URIs to bearer token references.
      • SecretsApiBearerTokenCredentials

        public SecretsApiBearerTokenCredentials(SecretReference<GenericSecret> bearerToken)
        Initialises the credentials with a single bearer token to use for all URIs. Note that this attaches the token to every request made with these credentials, whatever host it targets.
        Parameters:
        bearerToken - the bearer token reference to use for all URIs.
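        The following is an added example, not part of the class's documentation or the project's own code. It builds a per-host lookup function for the first constructor so that the KMS token is only ever attached to requests for cloudkms.googleapis.com and a separate token is used for storage.googleapis.com, with any other host or a non-HTTPS URI rejected. It reuses the SecretsProvider, SecretReference, Purpose, GenericSecret and purpose(...) types from the class description above (their package imports are omitted because the page does not name them) and assumes, as in that description, that an active store has already been configured for each purpose. The host names, purpose names, the hypothetical PerHostBearerTokens class and the choice to throw IllegalArgumentException for unknown hosts are all assumptions of this example; how the credentials class handles an exception from the lookup is not documented on this page.

```java
import java.net.URI;
import java.time.Clock;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;
// SecretsProvider, SecretReference, Purpose, GenericSecret and the static purpose(...) factory
// are the secrets API types used in the class description; their packages are not given there.

public class PerHostBearerTokens {

    // Hypothetical per-host mapping: each API host gets its own token reference. Each purpose
    // is expected to be backed by its own SignedJwtSecretStore (see the class description),
    // signed with an audience matching that host.
    static Function<URI, SecretReference<GenericSecret>> hostScopedLookup(
            SecretsProvider secretsProvider, Clock clock) {

        Map<String, SecretReference<GenericSecret>> byHost = Map.of(
            "cloudkms.googleapis.com",
            new SecretReference<>(secretsProvider, purpose("gcp.kms.access_token", GenericSecret.class), clock),
            "storage.googleapis.com",
            new SecretReference<>(secretsProvider, purpose("gcp.storage.access_token", GenericSecret.class), clock));

        return uri -> {
            // Never attach a bearer token to a plaintext request: it would be exposed on the wire.
            if (!"https".equalsIgnoreCase(uri.getScheme())) {
                throw new IllegalArgumentException("bearer token only sent over https: " + uri);
            }
            // Opaque URIs have no host; treat them like an unknown host.
            String host = uri.getHost();
            if (host == null) {
                throw new IllegalArgumentException("URI has no host: " + uri);
            }
            // A token sent to a host it was not issued for is a leaked token, so refuse unknown hosts
            // instead of falling back to a default token (assumed policy for this example).
            SecretReference<GenericSecret> ref = byHost.get(host.toLowerCase(Locale.ROOT));
            if (ref == null) {
                throw new IllegalArgumentException("no bearer token configured for host: " + host);
            }
            return ref;
        };
    }

    // Credentials that consult the host-scoped lookup for every request URI.
    static SecretsApiBearerTokenCredentials credentials(SecretsProvider secretsProvider, Clock clock) {
        return new SecretsApiBearerTokenCredentials(hostScopedLookup(secretsProvider, clock));
    }
}
```

        Compared with the single-token constructor, the lookup function is the place to enforce which endpoints may receive which token; with a single SecretReference the same token goes to every URI the Google SDK happens to call.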
    • Method Detail

      • getAuthenticationType

        public String getAuthenticationType()
        Returns a constant name describing the authentication mechanism, as required by the com.google.auth.Credentials contract.
        Specified by:
        getAuthenticationType in class com.google.auth.Credentials
      • getRequestMetadata

        public Map<String,List<String>> getRequestMetadata(URI uri)
        Returns the request headers to attach to a request for the given URI, as a map of header name to header values. For these credentials the bearer token is resolved through the SecretReference chosen for the URI (see the constructors), so the current value in the secret store is used.
        Specified by:
        getRequestMetadata in class com.google.auth.Credentials
      • hasRequestMetadata

        public boolean hasRequestMetadata()
        Whether these credentials have metadata entries that should be added to each request, per the com.google.auth.Credentials contract.
        Specified by:
        hasRequestMetadata in class com.google.auth.Credentials
      • hasRequestMetadataOnly

        public boolean hasRequestMetadataOnly()
        Whether the authentication mechanism works purely by including request metadata (headers), per the com.google.auth.Credentials contract.
        Specified by:
        hasRequestMetadataOnly in class com.google.auth.Credentials
      • refresh

        public void refresh()
        Refreshes the authorization data, discarding any cached state, per the com.google.auth.Credentials contract.
        Specified by:
        refresh in class com.google.auth.Credentials