Package org.forgerock.secrets.gcpkms
Class SecretsApiBearerTokenCredentials
java.lang.Object
com.google.auth.Credentials
org.forgerock.secrets.gcpkms.SecretsApiBearerTokenCredentials
- All Implemented Interfaces:
Serializable
public class SecretsApiBearerTokenCredentials
extends com.google.auth.Credentials
Provides Google SDK credentials from the secrets API. This can be used with the SignedJwtSecretStore (in the secrets-backend-jwt module) to produce service account credentials on-the-fly:

    SecretsProvider secretsProvider = new SecretsProvider(clock);
    // Configure a secret store to load the private key
    Purpose<SigningKey> signingPurpose = purpose("gcp.request.signing", SigningKey.class);
    SecretReference<SigningKey> serviceAccountSigningKey = new SecretReference<>(secretsProvider, signingPurpose, clock);
    String saEmail = "..."; // From service account config
    // Sign JWTs with the service account key; the claims lambda sets issuer, subject and audience
    SignedJwtSecretStore jwtStore = new SignedJwtSecretStore(serviceAccountSigningKey, JwsAlgorithm.RS256, clock,
            claims -> claims.iss(saEmail).sub(saEmail).aud("https://www.googleapis.com/auth/cloudkms"));
    // Expose the signed JWT under a purpose that the credentials resolve as the bearer token
    Purpose<GenericSecret> kmsAccessToken = purpose("gcp.kms.access_token", GenericSecret.class);
    secretsProvider.setActiveStore(jwtStore, kmsAccessToken);
    SecretReference<GenericSecret> kmsAccessTokenRef = new SecretReference<>(secretsProvider, kmsAccessToken, clock);
    return new SecretsApiBearerTokenCredentials(kmsAccessTokenRef);
The advantage of using the Secrets API over the built-in GCP credentials is that the Secrets API would allow the private key to be rotated.
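The per-URI constructor, shown with a lookup that fails closed so a token minted for one Google API is never attached to a request for another host or sent over plaintext. This is an added example, not code from the page or the ForgeRock project; it assumes the secretsProvider, clock, SignedJwtSecretStore registration and purpose() import from the sample above, and the hosts, purpose labels and the class name PerHostBearerTokens are constructed for illustration.

```java
import java.net.URI;
import java.time.Clock;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;

// ForgeRock types (SecretsProvider, Purpose, SecretReference, GenericSecret, purpose())
// are imported as in the sample above. Purpose labels and hosts are constructed here.
public final class PerHostBearerTokens {

    // Assumes a SignedJwtSecretStore with the matching audience has already been
    // registered via secretsProvider.setActiveStore(store, purpose) for each purpose.
    static com.google.auth.Credentials build(SecretsProvider secretsProvider, Clock clock) {
        Purpose<GenericSecret> kmsToken =
                purpose("gcp.kms.access_token", GenericSecret.class);
        Purpose<GenericSecret> storageToken =
                purpose("gcp.storage.access_token", GenericSecret.class);

        // Each API host maps to the reference whose JWT carries that host's audience.
        Map<String, SecretReference<GenericSecret>> byHost = Map.of(
                "cloudkms.googleapis.com", new SecretReference<>(secretsProvider, kmsToken, clock),
                "storage.googleapis.com", new SecretReference<>(secretsProvider, storageToken, clock));

        Function<URI, SecretReference<GenericSecret>> lookup = uri -> {
            // Bearer tokens are only released for TLS requests.
            if (!"https".equalsIgnoreCase(uri.getScheme())) {
                throw new IllegalArgumentException("refusing to send a bearer token over " + uri.getScheme());
            }
            String host = uri.getHost() == null ? "" : uri.getHost().toLowerCase(Locale.ROOT);
            // Fail closed: an unknown host gets no token rather than a default one.
            SecretReference<GenericSecret> ref = byHost.get(host);
            if (ref == null) {
                throw new IllegalArgumentException("no bearer token configured for host " + host);
            }
            return ref;
        };
        return new SecretsApiBearerTokenCredentials(lookup);
    }
}
```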
Constructor Summary

SecretsApiBearerTokenCredentials(Function<URI, SecretReference<GenericSecret>> bearerTokenLookup)
    Initialises the credentials with the given mapping from URIs to bearer token references.

SecretsApiBearerTokenCredentials(SecretReference<GenericSecret> bearerToken)
    Initialises the credentials with a single bearer token to use for all URIs.
Method Summary

Methods inherited from class com.google.auth.Credentials:
    blockingGetToCallback, getRequestMetadata, getRequestMetadata
Constructor Details

SecretsApiBearerTokenCredentials

public SecretsApiBearerTokenCredentials(Function<URI, SecretReference<GenericSecret>> bearerTokenLookup)

Initialises the credentials with the given mapping from URIs to bearer token references.

Parameters:
    bearerTokenLookup - the function to map URIs to bearer token references.

SecretsApiBearerTokenCredentials

public SecretsApiBearerTokenCredentials(SecretReference<GenericSecret> bearerToken)

Initialises the credentials with a single bearer token to use for all URIs.

Parameters:
    bearerToken - the bearer token reference to use for all URIs.
Method Details

getAuthenticationType

Specified by: getAuthenticationType in class com.google.auth.Credentials

getRequestMetadata

Specified by: getRequestMetadata in class com.google.auth.Credentials

hasRequestMetadata

public boolean hasRequestMetadata()

Specified by: hasRequestMetadata in class com.google.auth.Credentials

hasRequestMetadataOnly

public boolean hasRequestMetadataOnly()

Specified by: hasRequestMetadataOnly in class com.google.auth.Credentials

refresh

public void refresh()

Specified by: refresh in class com.google.auth.Credentials