Class ExternalAccountCredentials (1.6.1)

public abstract class ExternalAccountCredentials extends GoogleCredentials implements QuotaProjectIdProvider

Base external account credentials class.

Handles initializing external credentials, calls to STS, and service account impersonation.

Inheritance

java.lang.Object > Credentials > OAuth2Credentials > GoogleCredentials > ExternalAccountCredentials

Inherited Members

Static Methods

fromStream(InputStream credentialsStream)

public static ExternalAccountCredentials fromStream(InputStream credentialsStream)

Returns credentials defined by a JSON file stream.

Returns IdentityPoolCredentials or AwsCredentials.

Parameter
| Name | Type | Description |
|---|---|---|
| credentialsStream | InputStream | the stream with the credential definition |

Returns
| Type | Description |
|---|---|
| ExternalAccountCredentials | the credential defined by the credentialsStream |

Exceptions
| Type | Description |
|---|---|
| IOException | if the credential cannot be created from the stream |

fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory)

public static ExternalAccountCredentials fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory)

Returns credentials defined by a JSON file stream.

Returns an IdentityPoolCredentials or AwsCredentials.

Parameters
| Name | Type | Description |
|---|---|---|
| credentialsStream | InputStream | the stream with the credential definition |
| transportFactory | HttpTransportFactory | the HTTP transport factory used to create the transport to get access tokens |

Returns
| Type | Description |
|---|---|
| ExternalAccountCredentials | the credential defined by the credentialsStream |

Exceptions
| Type | Description |
|---|---|
| IOException | if the credential cannot be created from the stream |
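The following is an added example, not code from this page or from the library's own samples. It loads a configuration with fromStream and uses the getters documented on this page to check where the STS exchange and the impersonation request would be sent before the credential is used. The class and helper names, the two accepted hosts and every value in the sample JSON are assumptions constructed for illustration.

```java
import com.google.auth.oauth2.ExternalAccountCredentials;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;

public class LoadExternalAccountConfig {
  // Hosts this deployment accepts (assumption: Google's default global endpoints).
  private static final String STS_HOST = "sts.googleapis.com";
  private static final String IAM_HOST = "iamcredentials.googleapis.com";

  // Constructed sample configuration; project number, pool, provider and path are placeholders.
  private static final String SAMPLE_CONFIG = "{"
      + "\"type\":\"external_account\","
      + "\"audience\":\"//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/example-pool/providers/example-provider\","
      + "\"subject_token_type\":\"urn:ietf:params:oauth:token-type:jwt\","
      + "\"token_url\":\"https://sts.googleapis.com/v1/token\","
      + "\"service_account_impersonation_url\":\"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example-project.iam.gserviceaccount.com:generateAccessToken\","
      + "\"credential_source\":{\"file\":\"/var/run/example/token\"}"
      + "}";

  // Rejects a URL that is not HTTPS or does not point at the expected host.
  static void requireHttpsHost(String label, String url, String expectedHost) throws IOException {
    URI uri = URI.create(url);
    if (!"https".equals(uri.getScheme()) || !expectedHost.equals(uri.getHost())) {
      throw new IOException(label + " points at an unexpected endpoint: " + url);
    }
  }

  // Parses the configuration, then checks the endpoints it names before returning it.
  static ExternalAccountCredentials loadChecked(InputStream in) throws IOException {
    ExternalAccountCredentials creds = ExternalAccountCredentials.fromStream(in);
    requireHttpsHost("token_url", creds.getTokenUrl(), STS_HOST);
    String impersonationUrl = creds.getServiceAccountImpersonationUrl();
    if (impersonationUrl != null) { // May be null: the STS token is then used directly.
      requireHttpsHost("service_account_impersonation_url", impersonationUrl, IAM_HOST);
    }
    return creds;
  }

  public static void main(String[] args) throws IOException {
    InputStream in = new ByteArrayInputStream(SAMPLE_CONFIG.getBytes(StandardCharsets.UTF_8));
    ExternalAccountCredentials creds = loadChecked(in);
    System.out.println("audience:   " + creds.getAudience());
    System.out.println("token type: " + creds.getSubjectTokenType());
    System.out.println("workforce:  " + creds.isWorkforcePoolConfiguration());
  }
}
```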

Constructors

ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes)

protected ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes)

Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.

Parameters
| Name | Type | Description |
|---|---|---|
| transportFactory | HttpTransportFactory | HTTP transport factory, creates the transport used to get access tokens |
| audience | String | the STS audience, which is usually the fully specified resource name of the workload/workforce pool provider |
| subjectTokenType | String | the STS subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file |
| tokenUrl | String | the STS token exchange endpoint |
| credentialSource | com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource | the external credential source |
| tokenInfoUrl | String | the endpoint used to retrieve account-related information. Required for gcloud session account identification. |
| serviceAccountImpersonationUrl | String | the URL for the service account impersonation request. This is only required for workload identity pools when APIs to be accessed have not integrated with UberMint. If this is not available, the GCP access token returned by STS is used directly. May be null. |
| quotaProjectId | String | the project used for quota and billing purposes. May be null. |
| clientId | String | client ID of the service account from the console. May be null. |
| clientSecret | String | client secret of the service account from the console. May be null. |
| scopes | Collection<String> | the scopes to request during the authorization grant. May be null. |

ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes, EnvironmentProvider environmentProvider)

protected ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes, EnvironmentProvider environmentProvider)

See ExternalAccountCredentials#ExternalAccountCredentials(HttpTransportFactory, String, String, String, CredentialSource, String, String, String, String, String, Collection)

Parameters
| Name | Type | Description |
|---|---|---|
| transportFactory | HttpTransportFactory | |
| audience | String | |
| subjectTokenType | String | |
| tokenUrl | String | |
| credentialSource | com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource | |
| tokenInfoUrl | String | |
| serviceAccountImpersonationUrl | String | |
| quotaProjectId | String | |
| clientId | String | |
| clientSecret | String | |
| scopes | Collection<String> | |
| environmentProvider | com.google.auth.oauth2.EnvironmentProvider | the environment provider. May be null. Defaults to SystemEnvironmentProvider. |

ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)

protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)

Internal constructor with minimum identifying information and custom HTTP transport. See ExternalAccountCredentials.Builder.

Parameter
Name Description

Fields

impersonatedCredentials

protected final ImpersonatedCredentials impersonatedCredentials
Field Value
Type Description

transportFactory

protected transient HttpTransportFactory transportFactory
Field Value
Type Description

Methods

exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest stsTokenExchangeRequest)

protected AccessToken exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest stsTokenExchangeRequest)

Exchanges the external credential for a GCP access token.

Parameter
| Name | Type | Description |
|---|---|---|
| stsTokenExchangeRequest | com.google.auth.oauth2.StsTokenExchangeRequest | the STS token exchange request |

Returns
| Type | Description |
|---|---|
| AccessToken | the access token returned by STS |

Exceptions
| Type | Description |
|---|---|
| IOException | if the call to STS fails |

getAudience()

public String getAudience()
Returns
Type Description

getClientId()

public String getClientId()
Returns
Type Description

getClientSecret()

public String getClientSecret()
Returns
Type Description

getCredentialSource()

public ExternalAccountCredentials.CredentialSource getCredentialSource()
Returns
| Type | Description |
|---|---|
| com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource | |

getQuotaProjectId()

public String getQuotaProjectId()
Returns
Type Description

getRequestMetadata(URI uri)

public Map<String, List<String>> getRequestMetadata(URI uri)

Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.

Parameter
Name Description
uri URI
Returns
Type Description
Overrides
Exceptions
Type Description

getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)

public void getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)

Get the current request metadata without blocking.

This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.

The default implementation will just call #getRequestMetadata(URI) then the callback from the given executor.

The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.

Parameters
Name Description
uri URI
executor Executor
Overrides

getScopes()

public Collection<String> getScopes()
Returns
Type Description

getServiceAccountImpersonationUrl()

public String getServiceAccountImpersonationUrl()
Returns
Type Description

getSubjectTokenType()

public String getSubjectTokenType()
Returns
Type Description

getTokenInfoUrl()

public String getTokenInfoUrl()
Returns
Type Description

getTokenUrl()

public String getTokenUrl()
Returns
Type Description

getWorkforcePoolUserProject()

public String getWorkforcePoolUserProject()
Returns
Type Description

isWorkforcePoolConfiguration()

public boolean isWorkforcePoolConfiguration()

Returns whether or not the current configuration is for Workforce Pools (which enable third-party user identities, rather than workloads).

Returns
Type Description

retrieveSubjectToken()

public abstract String retrieveSubjectToken()

Retrieves the external subject token to be exchanged for a GCP access token.

Must be implemented by subclasses as the retrieval method is dependent on the credential source.

Returns
| Type | Description |
|---|---|
| String | the external subject token |

Exceptions
Type Description


Last updated 2025-10-30 UTC.