Class DownscopedCredentials (1.18.0) 

publicfinalclass DownscopedCredentialsextendsOAuth2Credentials

DownscopedCredentials enables the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions that a short-lived credential can use for Cloud Storage.

To downscope permissions you must define a CredentialAccessBoundary which specifies the upper bound of permissions that the credential can access. You must also provide a source credential which will be used to acquire the downscoped credential.

See for more information.

Usage:


GoogleCredentialssourceCredentials=GoogleCredentials.getApplicationDefault()
.createScoped("https://www.googleapis.com/auth/cloud-platform");
CredentialAccessBoundary.AccessBoundaryRulerule=
CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
.setAvailableResource(
"//storage.googleapis.com/projects/_/buckets/bucket")
.addAvailablePermission("inRole:roles/storage.objectViewer")
.build();
DownscopedCredentialsdownscopedCredentials=
DownscopedCredentials.newBuilder()
.setSourceCredential(sourceCredentials)
.setCredentialAccessBoundary(
CredentialAccessBoundary.newBuilder().addRule(rule).build())
.build();
AccessTokenaccessToken=downscopedCredentials.refreshAccessToken();
OAuth2Credentialscredentials=OAuth2Credentials.create(accessToken);
Storagestorage=
StorageOptions.newBuilder().setCredentials(credentials).build().getService();
Blobblob=storage.get(BlobId.of("bucket","object"));
System.out.printf("Blob %s retrieved.",blob.getBlobId());

Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing a OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.

Inheritance

java.lang.Object > Credentials > OAuth2Credentials > DownscopedCredentials

Inherited Members

Static Methods

newBuilder()

publicstaticDownscopedCredentials.BuildernewBuilder()
Returns
Type Description
DownscopedCredentials.Builder

Methods

getCredentialAccessBoundary()

publicCredentialAccessBoundarygetCredentialAccessBoundary()
Returns
Type Description
CredentialAccessBoundary

getSourceCredentials()

publicGoogleCredentialsgetSourceCredentials()
Returns
Type Description
GoogleCredentials

refreshAccessToken()

publicAccessTokenrefreshAccessToken()

Method to refresh the access token according to the specific type of credentials.

Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

Returns
Type Description
AccessToken
Overrides
Exceptions
Type Description
IOException

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025年10月30日 UTC.