Class SecretsApiBearerTokenCredentials

java.lang.Object
com.google.auth.Credentials
org.forgerock.secrets.gcpkms.SecretsApiBearerTokenCredentials
All Implemented Interfaces:
Serializable

public class SecretsApiBearerTokenCredentials extends com.google.auth.Credentials
Provides Google SDK credentials from the secrets API. This can be used with the SignedJwtSecretStore (in the secrets-backend-jwt module) to produce service account credentials on-the-fly:

 SecretsProvider secretsProvider = new SecretsProvider(clock);
 // Configure a secret store to load the private key
 Purpose<SigningKey> signingPurpose = purpose("gcp.request.signing", SigningKey.class);
 SecretReference<SigningKey> serviceAccountSigningKey = new SecretReference<>(secretsProvider, signingPurpose, clock);
 String saEmail = "..."; // From service account config

 // Mint signed JWTs with the service account key; the aud claim names the target Google API
 SignedJwtSecretStore jwtStore = new SignedJwtSecretStore(serviceAccountSigningKey, JwsAlgorithm.RS256, clock,
     claims -> claims.iss(saEmail).sub(saEmail).aud("https://www.googleapis.com/auth/cloudkms"));

 // Serve the access-token purpose from the JWT store and hand the reference to the credentials
 Purpose<GenericSecret> kmsAccessToken = purpose("gcp.kms.access_token", GenericSecret.class);
 secretsProvider.setActiveStore(jwtStore, kmsAccessToken);
 SecretReference<GenericSecret> kmsAccessTokenRef = new SecretReference<>(secretsProvider, kmsAccessToken, clock);
 return new SecretsApiBearerTokenCredentials(kmsAccessTokenRef);
 
The advantage of using the Secrets API over the built-in GCP credentials is that it allows the service account's private key to be rotated.
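As an added example (not part of this Javadoc or the ForgeRock code), the per-URI constructor can bind a separately minted token to each Google API host, so the aud claim of each JWT matches the host the token is sent to. The SignedJwtSecretStore package, the host-to-audience table, the purpose naming scheme and the fail-closed lookup policy are this example's own assumptions.

```java
import java.net.URI;
import java.time.Clock;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.secrets.GenericSecret;
import org.forgerock.secrets.Purpose;
import org.forgerock.secrets.SecretReference;
import org.forgerock.secrets.SecretsProvider;
import org.forgerock.secrets.gcpkms.SecretsApiBearerTokenCredentials;
import org.forgerock.secrets.keys.SigningKey;
import org.forgerock.secrets.jwt.SignedJwtSecretStore; // package assumed (secrets-backend-jwt module)
import static org.forgerock.secrets.Purpose.purpose;

/** Binds a separately minted bearer token to each Google API host (example, not ForgeRock code). */
public final class PerHostGcpCredentials {
    public static SecretsApiBearerTokenCredentials build(SecretsProvider secretsProvider, Clock clock,
            SecretReference<SigningKey> serviceAccountSigningKey, String saEmail) {
        // Host -> audience table, constructed for this example. Each host gets its own JWT whose
        // aud claim names only that service, so the token minted for KMS is never presented elsewhere.
        Map<String, String> audienceByHost = Map.of(
                "cloudkms.googleapis.com", "https://www.googleapis.com/auth/cloudkms",
                "secretmanager.googleapis.com", "https://www.googleapis.com/auth/cloud-platform");

        Map<String, SecretReference<GenericSecret>> tokenByHost = new HashMap<>();
        audienceByHost.forEach((host, audience) -> {
            // One signed-JWT store per audience, built exactly as in the single-token example above.
            SignedJwtSecretStore jwtStore = new SignedJwtSecretStore(serviceAccountSigningKey,
                    JwsAlgorithm.RS256, clock, claims -> claims.iss(saEmail).sub(saEmail).aud(audience));
            // Purpose label derived from the host; the naming scheme is this example's own choice.
            Purpose<GenericSecret> tokenPurpose =
                    purpose("gcp." + host.replace('.', '_') + ".access_token", GenericSecret.class);
            secretsProvider.setActiveStore(jwtStore, tokenPurpose);
            tokenByHost.put(host, new SecretReference<>(secretsProvider, tokenPurpose, clock));
        });

        // Fail closed: a request to an unlisted host gets no token at all rather than another
        // host's token. Throwing here is this example's policy, not documented library behaviour.
        Function<URI, SecretReference<GenericSecret>> lookup = uri -> {
            SecretReference<GenericSecret> ref = tokenByHost.get(uri.getHost());
            if (ref == null) {
                throw new IllegalArgumentException("no bearer token configured for " + uri.getHost());
            }
            return ref;
        };
        return new SecretsApiBearerTokenCredentials(lookup);
    }
}
```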
  • Constructor Details

    • SecretsApiBearerTokenCredentials

      public SecretsApiBearerTokenCredentials(Function<URI,SecretReference<GenericSecret>> bearerTokenLookup)
      Initialises the credentials with the given mapping from URIs to bearer token references.
      Parameters:
      bearerTokenLookup - the function to map URIs to bearer token references.
    • SecretsApiBearerTokenCredentials

      public SecretsApiBearerTokenCredentials(SecretReference<GenericSecret> bearerToken)
      Initialises the credentials with a single bearer token to use for all URIs.
      Parameters:
      bearerToken - the bearer token reference to use for all URIs.
  • Method Details

    • getAuthenticationType

      public String getAuthenticationType()
      Specified by:
      getAuthenticationType in class com.google.auth.Credentials
    • getRequestMetadata

      public Map<String,List<String>> getRequestMetadata(URI uri)
      Specified by:
      getRequestMetadata in class com.google.auth.Credentials
    • hasRequestMetadata

      public boolean hasRequestMetadata()
      Specified by:
      hasRequestMetadata in class com.google.auth.Credentials
    • hasRequestMetadataOnly

      public boolean hasRequestMetadataOnly()
      Specified by:
      hasRequestMetadataOnly in class com.google.auth.Credentials
    • refresh

      public void refresh()
      Specified by:
      refresh in class com.google.auth.Credentials