Open source software name: googleapis/google-auth-library-java
Open source software URL: https://github.com/googleapis/google-auth-library-java
Open source programming language: Java 96.6%
Open source software introduction:

# Google Auth Library

Open source authentication client library for Java. This project consists of 3 artifacts:
## Quickstart

If you are using Maven, add this to your pom.xml file (notice that you can replace

```xml
<dependency>
  <groupId>com.google.auth</groupId>
  <artifactId>google-auth-library-oauth2-http</artifactId>
  <version>1.3.0</version>
</dependency>
```

If you are using Gradle, add this to your dependencies:

```groovy
implementation 'com.google.auth:google-auth-library-oauth2-http:1.3.0'
```

If you are using SBT, add this to your dependencies:

```scala
libraryDependencies += "com.google.auth" % "google-auth-library-oauth2-http" % "1.3.0"
```

## google-auth-library-oauth2-http

### Application Default Credentials

This library provides an implementation of Application Default Credentials for Java. The Application Default Credentials provide a simple way to get authorization credentials for use in calling Google APIs. They are best suited for cases when the call needs to have the same identity and authorization level for the application independent of the user. This is the recommended approach to authorize calls to Cloud APIs, particularly when you're building an application that uses Google Cloud Platform.

Application Default Credentials also support workload identity federation to access Google Cloud resources from non-Google Cloud platforms including Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). Workload identity federation is recommended for non-Google Cloud environments as it avoids the need to download, manage and store service account private keys locally; see: Workload Identity Federation.

#### Getting Application Default Credentials

To get Application Default Credentials use
### Explicit Credential Loading

To get Credentials from a Service Account JSON key use:

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.FileInputStream;

GoogleCredentials credentials = GoogleCredentials.fromStream(new FileInputStream("/path/to/credentials.json"));
credentials.refreshIfExpired();
AccessToken token = credentials.getAccessToken();
// OR, to force a refresh regardless of the cached token's expiry:
AccessToken freshToken = credentials.refreshAccessToken();
```

### ImpersonatedCredentials

Allows credentials issued to a user or service account to impersonate another. The source project using ImpersonatedCredentials must enable the "IAMCredentials" API. Also, the target service account must grant the originating principal the "Service Account Token Creator" IAM role.

```java
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.FileInputStream;
import java.util.Arrays;

String credPath = "/path/to/svc_account.json";
// Source credentials: the principal that holds the Service Account Token Creator role.
ServiceAccountCredentials sourceCredentials = ServiceAccountCredentials
    .fromStream(new FileInputStream(credPath));
sourceCredentials = (ServiceAccountCredentials) sourceCredentials
    .createScoped(Arrays.asList("https://www.googleapis.com/auth/iam"));
// Target account, no delegates, a read-only storage scope and a 300-second token lifetime.
ImpersonatedCredentials targetCredentials = ImpersonatedCredentials.create(sourceCredentials,
    "impersonated-account@project.iam.gserviceaccount.com", null,
    Arrays.asList("https://www.googleapis.com/auth/devstorage.read_only"), 300);
Storage storage_service = StorageOptions.newBuilder().setProjectId("project-id")
    .setCredentials(targetCredentials).build().getService();
for (Bucket b : storage_service.list().iterateAll()) {
  System.out.println(b);
}
```

### Workload Identity Federation

Using workload identity federation, your application can access Google Cloud resources from Amazon Web Services (AWS), Microsoft Azure, or any identity provider that supports OpenID Connect (OIDC).

Traditionally, applications running outside Google Cloud have used service account keys to access Google Cloud resources. Using identity federation, your workload can impersonate a service account. This lets the external workload access Google Cloud resources directly, eliminating the maintenance and security burden associated with service account keys.

#### Accessing resources from AWS

In order to access Google Cloud resources from Amazon Web Services (AWS), the following requirements are needed:
Follow the detailed instructions on how to configure workload identity federation from AWS.

After configuring the AWS provider to impersonate a service account, a credential configuration file needs to be generated. Unlike service account credential files, the generated credential configuration file contains non-sensitive metadata to instruct the library on how to retrieve external subject tokens and exchange them for service account access tokens. The configuration file can be generated by using the gcloud CLI.

To generate the AWS workload identity configuration, run the following command:

```bash
# Generate an AWS configuration file.
gcloud iam workload-identity-pools create-cred-config \
  projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AWS_PROVIDER_ID \
  --service-account $SERVICE_ACCOUNT_EMAIL \
  --aws \
  --output-file /path/to/generated/config.json
```

Where the following variables need to be substituted:

- `$PROJECT_NUMBER`: the Google Cloud project number.
- `$POOL_ID`: the workload identity pool ID.
- `$AWS_PROVIDER_ID`: the AWS provider ID.
- `$SERVICE_ACCOUNT_EMAIL`: the email of the service account to impersonate.
This generates the configuration file in the specified output file.

If you are using AWS IMDSv2, the additional flag `--enable-imdsv2` needs to be added to the command:

```bash
gcloud iam workload-identity-pools create-cred-config \
  projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AWS_PROVIDER_ID \
  --service-account $SERVICE_ACCOUNT_EMAIL \
  --aws \
  --output-file /path/to/generated/config.json \
  --enable-imdsv2
```

You can now use the Auth library to call Google Cloud resources from AWS.

#### Accessing resources from Microsoft Azure

In order to access Google Cloud resources from Microsoft Azure, the following requirements are needed:
Follow the detailed instructions on how to configure workload identity federation from Microsoft Azure.

After configuring the Azure provider to impersonate a service account, a credential configuration file needs to be generated. Unlike service account credential files, the generated credential configuration file contains non-sensitive metadata to instruct the library on how to retrieve external subject tokens and exchange them for service account access tokens. The configuration file can be generated by using the gcloud CLI.

To generate the Azure workload identity configuration, run the following command:

```bash
# Generate an Azure configuration file.
gcloud iam workload-identity-pools create-cred-config \
  projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AZURE_PROVIDER_ID \
  --service-account $SERVICE_ACCOUNT_EMAIL \
  --azure \
  --output-file /path/to/generated/config.json
```

Where the following variables need to be substituted:

- `$PROJECT_NUMBER`: the Google Cloud project number.
- `$POOL_ID`: the workload identity pool ID.
- `$AZURE_PROVIDER_ID`: the Azure provider ID.
- `$SERVICE_ACCOUNT_EMAIL`: the email of the service account to impersonate.
This generates the configuration file in the specified output file.

You can now use the Auth library to call Google Cloud resources from Azure.

#### Accessing resources from an OIDC identity provider

In order to access Google Cloud resources from an identity provider that supports OpenID Connect (OIDC), the following requirements are needed:
Follow the detailed instructions on how to configure workload identity federation from an OIDC identity provider.

After configuring the OIDC provider to impersonate a service account, a credential configuration file needs to be generated. Unlike service account credential files, the generated credential configuration file contains non-sensitive metadata to instruct the library on how to retrieve external subject tokens and exchange them for service account access tokens. The configuration file can be generated by using the gcloud CLI.

For OIDC providers, the Auth library can retrieve OIDC tokens either from a local file location (file-sourced credentials) or from a local server (URL-sourced credentials).

##### File-sourced credentials

For file-sourced credentials, a background process needs to be continuously refreshing the file location with a new OIDC token prior to expiration. For tokens with one hour lifetimes, the token needs to be updated in the file every hour. The token can be stored directly as plain text or in JSON format.

To generate a file-sourced OIDC configuration, run the following command:

```bash
# Generate an OIDC configuration file for file-sourced credentials.
# Optional argument for the file type (default is "text"):
#   --credential-source-type "json"
# Optional argument for the field that contains the OIDC credential
# (required for json):
#   --credential-source-field-name "id_token"
gcloud iam workload-identity-pools create-cred-config \
  projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$OIDC_PROVIDER_ID \
  --service-account $SERVICE_ACCOUNT_EMAIL \
  --credential-source-file $PATH_TO_OIDC_ID_TOKEN \
  --output-file /path/to/generated/config.json
```

Where the following variables need to be substituted:

- `$PROJECT_NUMBER`: the Google Cloud project number.
- `$POOL_ID`: the workload identity pool ID.
- `$OIDC_PROVIDER_ID`: the OIDC provider ID.
- `$SERVICE_ACCOUNT_EMAIL`: the email of the service account to impersonate.
- `$PATH_TO_OIDC_ID_TOKEN`: the file path from which the OIDC token is read.
This generates the configuration file in the specified output file.

##### URL-sourced credentials

For URL-sourced credentials, a local server needs to host a GET endpoint to return the OIDC token. The response can be in plain text or JSON. Additional required request headers can also be specified.

To generate a URL-sourced OIDC workload identity configuration, run the following command:

```bash
# Generate an OIDC configuration file for URL-sourced credentials.
# Optional argument for the response type (default is "text"):
#   --credential-source-type "json"
# Optional argument for the field that contains the OIDC credential
# (required for json):
#   --credential-source-field-name "id_token"
gcloud iam workload-identity-pools create-cred-config \
  projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$OIDC_PROVIDER_ID \
  --service-account $SERVICE_ACCOUNT_EMAIL \
  --credential-source-url $URL_TO_GET_OIDC_TOKEN \
  --credential-source-headers $HEADER_KEY=$HEADER_VALUE \
  --output-file /path/to/generated/config.json
```

Where the following variables need to be substituted:

- `$PROJECT_NUMBER`: the Google Cloud project number.
- `$POOL_ID`: the workload identity pool ID.
- `$OIDC_PROVIDER_ID`: the OIDC provider ID.
- `$SERVICE_ACCOUNT_EMAIL`: the email of the service account to impersonate.
- `$URL_TO_GET_OIDC_TOKEN`: the URL of the local server endpoint that returns the OIDC token.
- `$HEADER_KEY` and `$HEADER_VALUE`: an additional header key-value pair sent with the request, if required.
You can now use the Auth library to call Google Cloud resources from an OIDC provider.

#### Using Executable-sourced credentials with OIDC and SAML

##### Executable-sourced credentials

For executable-sourced credentials, a local executable is used to retrieve the 3rd party token. The executable must handle providing a valid, unexpired OIDC ID token or SAML assertion in JSON format to stdout.

To use executable-sourced credentials, the

To generate an executable-sourced workload identity configuration, run the following command:

```bash
# Generate a configuration file for executable-sourced credentials.
# --executable-command is the absolute path for the program, including arguments,
#   e.g. --executable-command="/path/to/command --foo=bar"
# Optional argument for the executable timeout (defaults to 30s):
#   --executable-timeout-millis=$EXECUTABLE_TIMEOUT
# Optional argument for the absolute path to the executable output file
# (see below on how this argument impacts the library behaviour):
#   --executable-output-file=$EXECUTABLE_OUTPUT_FILE
gcloud iam workload-identity-pools create-cred-config \
  projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID \
  --service-account=$SERVICE_ACCOUNT_EMAIL \
  --subject-token-type=$SUBJECT_TOKEN_TYPE \
  --executable-command=$EXECUTABLE_COMMAND \
  --output-file /path/to/generated/config.json
```

Where the following variables need to be substituted:

- `$PROJECT_NUMBER`: the Google Cloud project number.
- `$POOL_ID`: the workload identity pool ID.
- `$PROVIDER_ID`: the OIDC or SAML provider ID.
- `$SERVICE_ACCOUNT_EMAIL`: the email of the service account to impersonate.
- `$SUBJECT_TOKEN_TYPE`: the subject token type (OIDC ID token or SAML assertion).
- `$EXECUTABLE_COMMAND`: the absolute path of the executable, including any arguments.
- `$EXECUTABLE_TIMEOUT`: the optional executable timeout in milliseconds.
- `$EXECUTABLE_OUTPUT_FILE`: the optional absolute path of the executable output file.
To retrieve the 3rd party token, the library will call the executable using the command specified. The executable's output must adhere to the response format specified below. It must output the response to stdout.

A sample successful executable OIDC response:

```json
{
  "version": 1,
  "success": true,
  "token_type": "urn:ietf:params:oauth:token-type:id_token",
  "id_token": "HEADER.PAYLOAD.SIGNATURE",
  "expiration_time": 1620499962
}
```

A sample successful executable SAML response:

```json
{
  "version": 1,
  "success": true,
  "token_type": "urn:ietf:params:oauth:token-type:saml2",
  "saml_response": "...",
  "expiration_time": 1620499962
}
```

A sample executable error response:

```json
{
  "version": 1,
  "success": false,
  "code": "401",
  "message": "Caller not authorized."
}
```

These are all required fields for an error response. The code and message fields will be used by the library as part of the thrown exception.

For successful responses, the

Response format fields summary:
All response types must include both the version and success fields, as the three samples above show.
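As an added example (not part of the library or this README), a small Python validator for the executable response format above: it accepts the OIDC and SAML success shapes, turns an error response into an exception carrying the executable's code and message, and rejects a token whose expiration_time has already passed. The SAMPLE_* strings are the page's three sample responses embedded as constructed input; the function name and the `now` parameter are assumptions of this example.

```python
import json
import time
from typing import Optional

OIDC_TYPE = "urn:ietf:params:oauth:token-type:id_token"
SAML_TYPE = "urn:ietf:params:oauth:token-type:saml2"

# The three sample responses from the README, embedded here as constructed test input.
SAMPLE_OIDC = '{"version": 1, "success": true, "token_type": "%s", "id_token": "HEADER.PAYLOAD.SIGNATURE", "expiration_time": 1620499962}' % OIDC_TYPE
SAMPLE_SAML = '{"version": 1, "success": true, "token_type": "%s", "saml_response": "...", "expiration_time": 1620499962}' % SAML_TYPE
SAMPLE_ERROR = '{"version": 1, "success": false, "code": "401", "message": "Caller not authorized."}'


class ExecutableResponseError(ValueError):
    """Raised when an executable's stdout does not follow the response format."""


def parse_executable_response(stdout: str, now: Optional[int] = None) -> dict:
    """Validate what an executable-sourced credential helper printed to stdout.

    Returns the subject token and its metadata on success; raises
    ExecutableResponseError (carrying the helper's code and message) on an error
    response or a malformed one. `now` is a hypothetical Unix-time hook for tests.
    """
    try:
        body = json.loads(stdout)
    except json.JSONDecodeError as exc:
        raise ExecutableResponseError(f"stdout is not valid JSON: {exc}") from exc
    if not isinstance(body, dict):
        raise ExecutableResponseError("response must be a JSON object")
    # Every response, success or error, must carry version and success.
    if body.get("version") != 1 or isinstance(body.get("version"), bool):
        raise ExecutableResponseError("missing or unsupported response version")
    if not isinstance(body.get("success"), bool):
        raise ExecutableResponseError("success must be a JSON boolean")
    if not body["success"]:
        # Error responses need code and message; both are surfaced to the caller.
        if "code" not in body or "message" not in body:
            raise ExecutableResponseError("error response must include code and message")
        raise ExecutableResponseError(f"executable failed: {body['code']} {body['message']}")
    token_type = body.get("token_type")
    # The field that carries the subject token depends on the declared token type.
    if token_type == OIDC_TYPE:
        token = body.get("id_token")
    elif token_type == SAML_TYPE:
        token = body.get("saml_response")
    else:
        raise ExecutableResponseError(f"unknown token_type {token_type!r}")
    if not isinstance(token, str) or not token:
        raise ExecutableResponseError("missing subject token for token_type")
    expiry = body.get("expiration_time")
    if isinstance(expiry, bool) or not isinstance(expiry, int):
        raise ExecutableResponseError("expiration_time must be a Unix timestamp")
    if expiry <= (int(time.time()) if now is None else now):
        raise ExecutableResponseError("executable returned an expired token")
    return {"token_type": token_type, "subject_token": token, "expiration_time": expiry}
```

Run against the page's samples with `now` set below 1620499962 the two success responses parse, while the same OIDC sample checked against the real clock is rejected as expired.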
The library will populate the following environment variables when the executable is run:

These environment variables can be used by the executable to avoid hard-coding these values.

#### Security considerations

The following security practices are highly recommended:
Given the complexity of using executable-sourced credentials, it is recommended to use the existing supported mechanisms (file-sourced/URL-sourced) for providing 3rd party credentials unless they do not meet your specific requirements.

You can now use the Auth library to call Google Cloud resources from an OIDC or SAML provider.

### Workforce Identity Federation

Workforce identity federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce—a group of users, such as employees, partners, and contractors—using IAM, so that the users can access Google Cloud services. Workforce identity federation extends Google Cloud's identity capabilities to support syncless, attribute-based single sign on.

With workforce identity federation, your workforce can access Google Cloud resources using an external identity provider (IdP) that supports OpenID Connect (OIDC) or SAML 2.0 such as Azure Active Directory (Azure AD), Active Directory Federation Services (AD FS), Okta, and others.

#### Accessing resources using an OIDC or SAML 2.0 identity provider

In order to access Google Cloud resources from an identity provider that supports OpenID Connect (OIDC), the following requirements are needed:
Follow the detailed instructions on how to configure workforce identity federation.

After configuring an OIDC or SAML 2.0 provider, a credential configuration file needs to be generated. The generated credential configuration file contains non-sensitive metadata to instruct the library on how to retrieve external subject tokens and exchange them for GCP access tokens. The configuration file can be generated by using the gcloud CLI.

The Auth library can retrieve external subject tokens from a local file location (file-sourced credentials), from a local server (URL-sourced credentials) or by calling an executable (executable-sourced credentials).

##### File-sourced credentials

For file-sourced credentials, a background process needs to be continuously refreshing the file location with a new subject token prior to expiration. For tokens with one hour lifetimes, the token needs to be updated in the file every hour. The token can be stored directly as plain text or in JSON format.

To generate a file-sourced OIDC configuration, run the following command:

```bash
# Generate an OIDC configuration file for file-sourced credentials.
# Optional argument for the file type (default is "text"):
#   --credential-source-type "json"
# Optional argument for the field that contains the OIDC credential
# (required for json):
#   --credential-source-field-name "id_token"
gcloud iam workforce-pools create-cred-config \
  locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID \
  --subject-token-type=urn:ietf:params:oauth:token-type:id_token \
  --credential-source-file=$PATH_TO_OIDC_ID_TOKEN \
  --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \
  --output-file=/path/to/generated/config.json
```

Where the following variables need to be substituted:

- `$WORKFORCE_POOL_ID`: the workforce pool ID.
- `$PROVIDER_ID`: the provider ID.
- `$PATH_TO_OIDC_ID_TOKEN`: the file path from which the OIDC token is read.
- `$WORKFORCE_POOL_USER_PROJECT`: the project number associated with the workforce pools user project.
To generate a file-sourced SAML configuration, run the following command:

```bash
# Generate a SAML configuration file for file-sourced credentials.
gcloud iam workforce-pools create-cred-config \
  locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID \
  --credential-source-file=$PATH_TO_SAML_ASSERTION \
  --subject-token-type=urn:ietf:params:oauth:token-type:saml2 \
  --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \
  --output-file=/path/to/generated/config.json
```

Where the following variables need to be substituted:

- `$WORKFORCE_POOL_ID`: the workforce pool ID.
- `$PROVIDER_ID`: the provider ID.
- `$PATH_TO_SAML_ASSERTION`: the file path from which the SAML assertion is read.
- `$WORKFORCE_POOL_USER_PROJECT`: the project number associated with the workforce pools user project.
These commands generate the configuration file in the specified output file.

##### URL-sourced credentials

For URL-sourced credentials, a local server needs to host a GET endpoint to return the OIDC token. The response can be in plain text or JSON. Additional required request headers can also be specified.

To generate a URL-sourced OIDC workforce identity configuration, run the following command:

```bash
# Generate an OIDC configuration file for URL-sourced credentials.
gcloud iam workforce-pools create-cred-config \
  locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID \
  --subject-token-type=urn:ietf:params:oauth:token-type:id_token \
  --credential-source-url=$URL_TO_RETURN_OIDC_ID_TOKEN \
  --credential-source-headers $HEADER_KEY=$HEADER_VALUE \
  --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \
  --output-file=/path/to/generated/config.json
```

Where the following variables need to be substituted:

- `$WORKFORCE_POOL_ID`: the workforce pool ID.
- `$PROVIDER_ID`: the provider ID.
- `$URL_TO_RETURN_OIDC_ID_TOKEN`: the URL of the local server endpoint that returns the OIDC ID token.
- `$HEADER_KEY` and `$HEADER_VALUE`: an additional header key-value pair sent with the request, if required.
- `$WORKFORCE_POOL_USER_PROJECT`: the project number associated with the workforce pools user project.
To generate a URL-sourced SAML configuration, run the following command:

```bash
# Generate a SAML configuration file for URL-sourced credentials.
gcloud iam workforce-pools create-cred-config \
  locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID \
  --subject-token-type=urn:ietf:params:oauth:token-type:saml2 \
  --credential-source-url=$URL_TO_GET_SAML_ASSERTION \
  --credential-source-headers $HEADER_KEY=$HEADER_VALUE \
  --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \
  --output-file=/path/to/generated/config.json
```

Where the following variables need to be substituted:

- `$WORKFORCE_POOL_ID`: the workforce pool ID.
- `$PROVIDER_ID`: the provider ID.
- `$URL_TO_GET_SAML_ASSERTION`: the URL of the local server endpoint that returns the SAML assertion.
- `$HEADER_KEY` and `$HEADER_VALUE`: an additional header key-value pair sent with the request, if required.
- `$WORKFORCE_POOL_USER_PROJECT`: the project number associated with the workforce pools user project.

These commands generate the configuration file in the specified output file.
#### Using Executable-sourced workforce credentials with OIDC and SAML

##### Executable-sourced credentials

For executable-sourced credentials, a local executable is used to retrieve the 3rd party token. The executable must handle providing a valid, unexpired OIDC ID token or SAML assertion in JSON format to stdout.

To use executable-sourced credentials, the

To generate an executable-sourced workforce identity configuration, run the following command:

```bash
# Generate a configuration file for executable-sourced credentials.
gcloud iam workforce-pools create-cred-config \
  locations/global/workforcePools/
```