Create a downscoped short-lived credential

importcom.google.auth.credentialaccessboundary.ClientSideCredentialAccessBoundaryFactory ;
importcom.google.auth.oauth2.AccessToken ;
importcom.google.auth.oauth2.CredentialAccessBoundary ;
importcom.google.auth.oauth2.GoogleCredentials ;
importdev.cel.common.CelValidationException;
importjava.io.IOException;
importjava.security.GeneralSecurityException;
publicstaticAccessToken getTokenFromBroker(StringbucketName,StringobjectPrefix)
throwsIOException{
// Retrieve the source credentials from ADC.
GoogleCredentials sourceCredentials=
GoogleCredentials .getApplicationDefault ()
.createScoped("https://www.googleapis.com/auth/cloud-platform");
// Initialize the Credential Access Boundary rules.
StringavailableResource="//storage.googleapis.com/projects/_/buckets/"+bucketName;
// Downscoped credentials will have readonly access to the resource.
StringavailablePermission="inRole:roles/storage.objectViewer";
// Only objects starting with the specified prefix string in the object name will be allowed
// read access.
Stringexpression=
"resource.name.startsWith('projects/_/buckets/"
+bucketName
+"/objects/"
+objectPrefix
+"')";
// Build the AvailabilityCondition.
CredentialAccessBoundary .AccessBoundaryRule .AvailabilityCondition availabilityCondition=
CredentialAccessBoundary .AccessBoundaryRule.AvailabilityCondition.newBuilder()
.setExpression (expression)
.build();
// Define the single access boundary rule using the above properties.
CredentialAccessBoundary .AccessBoundaryRule rule=
CredentialAccessBoundary .AccessBoundaryRule.newBuilder()
.setAvailableResource(availableResource)
.addAvailablePermission (availablePermission)
.setAvailabilityCondition (availabilityCondition)
.build();
// Define the Credential Access Boundary with all the relevant rules.
CredentialAccessBoundary credentialAccessBoundary=
CredentialAccessBoundary .newBuilder().addRule (rule).build();
// Create an instance of ClientSideCredentialAccessBoundaryFactory.
ClientSideCredentialAccessBoundaryFactory factory=
ClientSideCredentialAccessBoundaryFactory .newBuilder()
.setSourceCredential(sourceCredentials)
.build();
// Generate the token and pass it to the Token Consumer.
try{
returnfactory.generateToken (credentialAccessBoundary);
}catch(GeneralSecurityException|CelValidationExceptione){
thrownewIOException("Error generating downscoped token",e);
}
}

importcom.google.auth.oauth2.AccessToken ;
importcom.google.auth.oauth2.OAuth2CredentialsWithRefresh ;
importcom.google.cloud.storage.Blob ;
importcom.google.cloud.storage.Storage ;
importcom.google.cloud.storage.StorageOptions ;
importjava.io.IOException;
publicstaticStringretrieveBlobWithDownscopedToken(
finalStringbucketName,finalStringobjectName)throwsIOException{
// You can pass an `OAuth2RefreshHandler` to `OAuth2CredentialsWithRefresh` which will allow the
// library to seamlessly handle downscoped token refreshes on expiration.
OAuth2CredentialsWithRefresh .OAuth2RefreshHandler handler=
newOAuth2CredentialsWithRefresh .OAuth2RefreshHandler (){
@Override
publicAccessToken refreshAccessToken()throwsIOException{
// The common pattern of usage is to have a token broker pass the downscoped short-lived
// access tokens to a token consumer via some secure authenticated channel.
// For illustration purposes, we are generating the downscoped token locally.
// We want to test the ability to limit access to objects with a certain prefix string
// in the resource bucket. objectName.substring(0, 3) is the prefix here. This field is
// not required if access to all bucket resources are allowed. If access to limited
// resources in the bucket is needed, this mechanism can be used.
returnDownscopedAccessTokenGenerator
.getTokenFromBroker(bucketName,objectName);
}
};
AccessToken downscopedToken=handler.refreshAccessToken();
OAuth2CredentialsWithRefresh credentials=
OAuth2CredentialsWithRefresh .newBuilder()
.setAccessToken(downscopedToken)
.setRefreshHandler (handler)
.build();
StorageOptions options=StorageOptions .newBuilder().setCredentials(credentials).build();
Storage storage=options.getService ();
Blob blob=storage.get (bucketName,objectName);
if(blob==null){
returnnull;
}
returnnewString(blob.getContent ());
}

import(
"context"
"fmt"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
"golang.org/x/oauth2/google/downscope"
)
// createDownscopedToken would be run on the token broker in order to generate
// a downscoped access token that only grants access to objects whose name begins with prefix.
// The token broker would then pass the newly created token to the requesting token consumer for use.
funccreateDownscopedToken(bucketNamestring,prefixstring)error{
// bucketName := "foo"
// prefix := "profile-picture-"
ctx:=context.Background()
// A condition can optionally be provided to further restrict access permissions.
condition:=downscope.AvailabilityCondition{
Expression:"resource.name.startsWith('projects/_/buckets/"+bucketName+"/objects/"+prefix+"')",
Title:prefix+" Only",
Description:"Restricts a token to only be able to access objects that start with `"+prefix+"`",
}
// Initializes an accessBoundary with one Rule which restricts the downscoped
// token to only be able to access the bucket "bucketName" and only grants it the
// permission "storage.objectViewer".
accessBoundary:=[]downscope.AccessBoundaryRule{
{
AvailableResource:"//storage.googleapis.com/projects/_/buckets/"+bucketName,
AvailablePermissions:[]string{"inRole:roles/storage.objectViewer"},
Condition:&condition,// Optional
},
}
// This Source can be initialized in multiple ways; the following example uses
// Application Default Credentials.
varrootSourceoauth2.TokenSource
// You must provide the "https://www.googleapis.com/auth/cloud-platform" scope.
rootSource,err:=google.DefaultTokenSource(ctx,"https://www.googleapis.com/auth/cloud-platform")
iferr!=nil{
returnfmt.Errorf("failed to generate rootSource: %w",err)
}
// downscope.NewTokenSource constructs the token source with the configuration provided.
dts,err:=downscope.NewTokenSource(ctx,downscope.DownscopingConfig{RootSource:rootSource,Rules:accessBoundary})
iferr!=nil{
returnfmt.Errorf("failed to generate downscoped token source: %w",err)
}
// Token() uses the previously declared TokenSource to generate a downscoped token.
tok,err:=dts.Token()
iferr!=nil{
returnfmt.Errorf("failed to generate token: %w",err)
}
// Pass this token back to the token consumer.
_=tok
returnnil
}

import(
"context"
"fmt"
"io"
"golang.org/x/oauth2/google"
"golang.org/x/oauth2/google/downscope"
"cloud.google.com/go/storage"
"golang.org/x/oauth2"
"google.golang.org/api/option"
)
// A token consumer should define their own tokenSource. In the Token() method,
// it should send a query to a token broker requesting a downscoped token.
// The token broker holds the root credential that is used to generate the
// downscoped token.
typelocalTokenSourcestruct{
ctxcontext.Context
bucketNamestring
brokerURLstring
}
func(ltslocalTokenSource)Token()(*oauth2.Token,error){
varremoteToken*oauth2.Token
// Usually you would now retrieve remoteToken, an oauth2.Token, from token broker.
// This snippet performs the same functionality locally.
accessBoundary:=[]downscope.AccessBoundaryRule{
{
AvailableResource:"//storage.googleapis.com/projects/_/buckets/"+lts.bucketName,
AvailablePermissions:[]string{"inRole:roles/storage.objectViewer"},
},
}
rootSource,err:=google.DefaultTokenSource(lts.ctx,"https://www.googleapis.com/auth/cloud-platform")
iferr!=nil{
returnnil,fmt.Errorf("failed to generate rootSource: %w",err)
}
dts,err:=downscope.NewTokenSource(lts.ctx,downscope.DownscopingConfig{RootSource:rootSource,Rules:accessBoundary})
iferr!=nil{
returnnil,fmt.Errorf("failed to generate downscoped token source: %w",err)
}
// Token() uses the previously declared TokenSource to generate a downscoped token.
remoteToken,err=dts.Token()
iferr!=nil{
returnnil,fmt.Errorf("failed to generate token: %w",err)
}
returnremoteToken,nil
}
// getObjectContents will read the contents of an object in Google Storage
// named objectName, contained in the bucket "bucketName".
funcgetObjectContents(outputio.Writer ,bucketNamestring,objectNamestring)error{
// bucketName := "foo"
// prefix := "profile-picture-"
ctx:=context.Background()
thisTokenSource:=localTokenSource{
ctx:ctx,
bucketName:bucketName,
brokerURL:"yourURL.com/internal/broker",
}
// Wrap the TokenSource in an oauth2.ReuseTokenSource to enable automatic refreshing.
refreshableTS:=oauth2.ReuseTokenSource(nil,thisTokenSource)
// You can now use the token source to access Google Cloud Storage resources as follows.
storageClient,err:=storage.NewClient(ctx,option.WithTokenSource(refreshableTS))
iferr!=nil{
returnfmt.Errorf("failed to create the storage client: %w",err)
}
deferstorageClient.Close()
bkt:=storageClient.Bucket (bucketName)
obj:=bkt.Object (objectName)
rc,err:=obj.NewReader (ctx)
iferr!=nil{
returnfmt.Errorf("failed to retrieve the object: %w",err)
}
deferrc.Close()
data,err:=io.ReadAll(rc)
iferr!=nil{
returnfmt.Errorf("could not read the object's contents: %w",err)
}
// Data now contains the contents of the requested object.
output.Write (data)
returnnil
}

publicstaticAccessTokengetTokenFromBroker(StringbucketName,StringobjectPrefix)
throwsIOException{
// Retrieve the source credentials from ADC.
GoogleCredentialssourceCredentials=
GoogleCredentials.getApplicationDefault()
.createScoped("https://www.googleapis.com/auth/cloud-platform");
// Initialize the Credential Access Boundary rules.
StringavailableResource="//storage.googleapis.com/projects/_/buckets/"+bucketName;
// Downscoped credentials will have readonly access to the resource.
StringavailablePermission="inRole:roles/storage.objectViewer";
// Only objects starting with the specified prefix string in the object name will be allowed
// read access.
Stringexpression=
"resource.name.startsWith('projects/_/buckets/"
+bucketName
+"/objects/"
+objectPrefix
+"')";
// Build the AvailabilityCondition.
CredentialAccessBoundary.AccessBoundaryRule.AvailabilityConditionavailabilityCondition=
CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder()
.setExpression(expression)
.build();
// Define the single access boundary rule using the above properties.
CredentialAccessBoundary.AccessBoundaryRulerule=
CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
.setAvailableResource(availableResource)
.addAvailablePermission(availablePermission)
.setAvailabilityCondition(availabilityCondition)
.build();
// Define the Credential Access Boundary with all the relevant rules.
CredentialAccessBoundarycredentialAccessBoundary=
CredentialAccessBoundary.newBuilder().addRule(rule).build();
// Create the downscoped credentials.
DownscopedCredentialsdownscopedCredentials=
DownscopedCredentials.newBuilder()
.setSourceCredential(sourceCredentials)
.setCredentialAccessBoundary(credentialAccessBoundary)
.build();
// Retrieve the token.
// This will need to be passed to the Token Consumer.
AccessTokenaccessToken=downscopedCredentials.refreshAccessToken();
returnaccessToken;
}

publicstaticvoidtokenConsumer(finalStringbucketName,finalStringobjectName)
throwsIOException{
// You can pass an `OAuth2RefreshHandler` to `OAuth2CredentialsWithRefresh` which will allow the
// library to seamlessly handle downscoped token refreshes on expiration.
OAuth2CredentialsWithRefresh.OAuth2RefreshHandlerhandler=
newOAuth2CredentialsWithRefresh.OAuth2RefreshHandler(){
@Override
publicAccessTokenrefreshAccessToken()throwsIOException{
// The common pattern of usage is to have a token broker pass the downscoped short-lived
// access tokens to a token consumer via some secure authenticated channel.
// For illustration purposes, we are generating the downscoped token locally.
// We want to test the ability to limit access to objects with a certain prefix string
// in the resource bucket. objectName.substring(0, 3) is the prefix here. This field is
// not required if access to all bucket resources are allowed. If access to limited
// resources in the bucket is needed, this mechanism can be used.
returngetTokenFromBroker(bucketName,objectName.substring(0,3));
}
};
// Downscoped token retrieved from token broker.
AccessTokendownscopedToken=handler.refreshAccessToken();
// Create the OAuth2CredentialsWithRefresh from the downscoped token and pass a refresh handler
// which will handle token expiration.
// This will allow the consumer to seamlessly obtain new downscoped tokens on demand every time
// token expires.
OAuth2CredentialsWithRefreshcredentials=
OAuth2CredentialsWithRefresh.newBuilder()
.setAccessToken(downscopedToken)
.setRefreshHandler(handler)
.build();
// Use the credentials with the Cloud Storage SDK.
StorageOptionsoptions=StorageOptions.newBuilder().setCredentials(credentials).build();
Storagestorage=options.getService();
// Call Cloud Storage APIs.
Blobblob=storage.get(bucketName,objectName);
Stringcontent=newString(blob.getContent());
System.out.println(
"Retrieved object, "
+objectName
+", from bucket,"
+bucketName
+", with content: "
+content);
}

// Imports the Google Auth libraries.
const{GoogleAuth,DownscopedClient}=require('google-auth-library');
/**
 * Simulates token broker generating downscoped tokens for specified bucket.
 *
 * @param bucketName The name of the Cloud Storage bucket.
 * @param objectPrefix The prefix string of the object name. This is used
 * to ensure access is restricted to only objects starting with this
 * prefix string.
 */
asyncfunctiongetTokenFromBroker(bucketName,objectPrefix){
constgoogleAuth=newGoogleAuth ({
scopes:'https://www.googleapis.com/auth/cloud-platform',
});
// Define the Credential Access Boundary object.
constcab={
// Define the access boundary.
accessBoundary:{
// Define the single access boundary rule.
accessBoundaryRules:[
{
availableResource:`//storage.googleapis.com/projects/_/buckets/${bucketName}`,
// Downscoped credentials will have readonly access to the resource.
availablePermissions:['inRole:roles/storage.objectViewer'],
// Only objects starting with the specified prefix string in the object name
// will be allowed read access.
availabilityCondition:{
expression:
"resource.name.startsWith('projects/_/buckets/"+
`${bucketName}/objects/${objectPrefix}')`,
},
},
],
},
};
// Obtain an authenticated client via ADC.
constclient=awaitgoogleAuth.getClient ();
// Use the client to create a DownscopedClient.
constcabClient=newDownscopedClient (client,cab);
// Refresh the tokens.
constrefreshedAccessToken=awaitcabClient.getAccessToken();
// This will need to be passed to the token consumer.
returnrefreshedAccessToken;
}

// Imports the Google Auth and Google Cloud libraries.
const{OAuth2Client}=require('google-auth-library');
const{Storage}=require('@google-cloud/storage');
/**
 * Simulates token consumer generating calling GCS APIs using generated
 * downscoped tokens for specified bucket.
 *
 * @param bucketName The name of the Cloud Storage bucket.
 * @param objectName The name of the object in the Cloud Storage bucket
 * to read.
 */
asyncfunctiontokenConsumer(bucketName,objectName){
// Create the OAuth credentials (the consumer).
constoauth2Client=newOAuth2Client ();
// We are defining a refresh handler instead of a one-time access
// token/expiry pair.
// This will allow the consumer to obtain new downscoped tokens on
// demand every time a token is expired, without any additional code
// changes.
oauth2Client.refreshHandler =async()=>{
// The common pattern of usage is to have a token broker pass the
// downscoped short-lived access tokens to a token consumer via some
// secure authenticated channel. For illustration purposes, we are
// generating the downscoped token locally. We want to test the ability
// to limit access to objects with a certain prefix string in the
// resource bucket. objectName.substring(0, 3) is the prefix here. This
// field is not required if access to all bucket resources are allowed.
// If access to limited resources in the bucket is needed, this mechanism
// can be used.
constrefreshedAccessToken=awaitgetTokenFromBroker(
bucketName,
objectName.substring(0,3)
);
return{
access_token:refreshedAccessToken.token,
expiry_date:refreshedAccessToken.expirationTime,
};
};
conststorageOptions={
projectId:process.env.GOOGLE_CLOUD_PROJECT,
authClient:oauth2Client,
};
conststorage=newStorage(storageOptions);
constdownloadFile=awaitstorage
.bucket(bucketName)
.file(objectName)
.download ();
console.log(downloadFile.toString('utf8'));
}

importgoogle.auth
fromgoogle.authimport downscoped
fromgoogle.auth.transportimport requests
defget_token_from_broker(bucket_name, object_prefix):
"""Simulates token broker generating downscoped tokens for specified bucket.
 Args:
 bucket_name (str): The name of the Cloud Storage bucket.
 object_prefix (str): The prefix string of the object name. This is used
 to ensure access is restricted to only objects starting with this
 prefix string.
 Returns:
 Tuple[str, datetime.datetime]: The downscoped access token and its expiry date.
 """
 # Initialize the Credential Access Boundary rules.
 available_resource = f"//storage.googleapis.com/projects/_/buckets/{bucket_name}"
 # Downscoped credentials will have readonly access to the resource.
 available_permissions = ["inRole:roles/storage.objectViewer"]
 # Only objects starting with the specified prefix string in the object name
 # will be allowed read access.
 availability_expression = (
 "resource.name.startsWith('projects/_/buckets/{}/objects/{}')".format(
 bucket_name, object_prefix
 )
 )
 availability_condition = downscoped.AvailabilityCondition(availability_expression)
 # Define the single access boundary rule using the above properties.
 rule = downscoped.AccessBoundaryRule(
 available_resource=available_resource,
 available_permissions=available_permissions,
 availability_condition=availability_condition,
 )
 # Define the Credential Access Boundary with all the relevant rules.
 credential_access_boundary = downscoped.CredentialAccessBoundary(rules=[rule])
 # Retrieve the source credentials via ADC.
 source_credentials, _ = google.auth.default()
 if source_credentials.requires_scopes:
 source_credentials = source_credentials.with_scopes(
 ["https://www.googleapis.com/auth/cloud-platform"]
 )
 # Create the downscoped credentials.
 downscoped_credentials = downscoped.Credentials(
 source_credentials=source_credentials,
 credential_access_boundary=credential_access_boundary,
 )
 # Refresh the tokens.
 downscoped_credentials.refresh(requests.Request())
 # These values will need to be passed to the token consumer.
 access_token = downscoped_credentials.token
 expiry = downscoped_credentials.expiry
 return (access_token, expiry)

fromgoogle.cloudimport storage
fromgoogle.oauth2import credentials
deftoken_consumer(bucket_name, object_name):
"""Tests token consumer readonly access to the specified object.
 Args:
 bucket_name (str): The name of the Cloud Storage bucket.
 object_name (str): The name of the object in the Cloud Storage bucket
 to read.
 """
 # Create the OAuth credentials from the downscoped token and pass a
 # refresh handler to handle token expiration. We are passing a
 # refresh_handler instead of a one-time access token/expiry pair.
 # This will allow the consumer to obtain new downscoped tokens on
 # demand every time a token is expired, without any additional code
 # changes.
 defrefresh_handler(request, scopes=None):
 # The common pattern of usage is to have a token broker pass the
 # downscoped short-lived access tokens to a token consumer via some
 # secure authenticated channel.
 # For illustration purposes, we are generating the downscoped token
 # locally.
 # We want to test the ability to limit access to objects with a certain
 # prefix string in the resource bucket. object_name[0:3] is the prefix
 # here. This field is not required if access to all bucket resources are
 # allowed. If access to limited resources in the bucket is needed, this
 # mechanism can be used.
 return get_token_from_broker(bucket_name, object_prefix=object_name[0:3])
 creds = credentials.Credentials(
 None,
 scopes=["https://www.googleapis.com/auth/cloud-platform"],
 refresh_handler=refresh_handler,
 )
 # Initialize a Cloud Storage client with the oauth2 credentials.
 storage_client = storage .Client (credentials=creds)
 # The token broker has readonly access to the specified bucket object.
 bucket = storage_client.bucket (bucket_name)
 blob = bucket.blob(object_name)
 print(blob.download_as_bytes ().decode("utf-8"))