/*
 * Copyright 2022 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// [auth_cloud_idtoken_impersonated_credentials]

import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdTokenCredentials;
import com.google.auth.oauth2.IdTokenProvider.Option;
import com.google.auth.oauth2.ImpersonatedCredentials;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Sample: mint an ID token for a target audience by impersonating a service account.
 *
 * <p>The caller's own credentials (application default credentials, "SA1") are used to
 * impersonate a second service account ("SA2"); the ID token is then issued for SA2. For the
 * impersonation step to succeed, SA1 needs the "roles/iam.serviceAccountTokenCreator" role on
 * SA2.
 */
public class IdTokenFromImpersonatedCredentials {

  /** Lifetime, in seconds, requested for the impersonated credential (kept short-lived). */
  private static final int IMPERSONATED_CREDENTIAL_LIFETIME_SECONDS = 300;

  /**
   * Entry point. Edit the three values below before running the sample.
   *
   * @param args ignored
   * @throws IOException if default credentials cannot be loaded or the token request fails
   */
  public static void main(String[] args) throws IOException {
    // TODO(Developer): Replace the values below before running the sample.

    // OAuth scope to request. This sample asks for the broad cloud-platform scope and relies on
    // IAM to narrow what the impersonated account may actually do.
    // https://cloud.google.com/docs/authentication/external/authorization-gcp
    // https://developers.google.com/identity/protocols/oauth2/scopes
    final String scope = "https://www.googleapis.com/auth/cloud-platform";

    // Audience the ID token will be issued for (the service you intend to call with it).
    final String targetAudience = "https://example.com";

    // Privilege-bearing service account (SA2) to impersonate.
    final String impersonatedServiceAccount = "name@project.service.gserviceaccount.com";

    getIdTokenUsingOAuth2(impersonatedServiceAccount, scope, targetAudience);
  }

  /**
   * Impersonates {@code impersonatedServiceAccount} using application default credentials and
   * obtains an ID token for {@code targetAudience}.
   *
   * <p>Only a confirmation message is printed; the token value itself is intentionally not
   * written to stdout.
   *
   * @param impersonatedServiceAccount email of the service account to impersonate (SA2)
   * @param scope OAuth scope requested for the impersonated credential
   * @param targetAudience audience claim the ID token is issued for
   * @throws IOException if default credentials cannot be loaded or the token request fails
   */
  public static void getIdTokenUsingOAuth2(
      String impersonatedServiceAccount, String scope, String targetAudience) throws IOException {

    // Source credentials (SA1) come from the environment's application default credentials.
    final GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault();

    final ImpersonatedCredentials impersonatedCredentials =
        impersonate(sourceCredentials, impersonatedServiceAccount, scope);

    final IdTokenCredentials idTokenCredentials =
        idTokenCredentialsFor(impersonatedCredentials, targetAudience);

    // Fetch the ID token. It is held in a local only to show how it is retrieved; a real caller
    // would attach it to a request to the target audience.
    final String idToken = idTokenCredentials.refreshAccessToken().getTokenValue();
    System.out.println("Generated ID token.");
  }

  /**
   * Builds the impersonated credential for {@code targetPrincipal} on top of {@code source}.
   *
   * <p>No delegation chain is used here, so {@code delegates} is left as {@code null}. See
   * https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
   * for when a chain of delegates is required.
   */
  private static ImpersonatedCredentials impersonate(
      GoogleCredentials source, String targetPrincipal, String scope) {
    final List<String> delegates = null;
    final List<String> scopes = Arrays.asList(scope);
    return ImpersonatedCredentials.create(
        source, targetPrincipal, delegates, scopes, IMPERSONATED_CREDENTIAL_LIFETIME_SECONDS);
  }

  /**
   * Wraps an ID-token provider in {@link IdTokenCredentials} for the given audience, asking for
   * the email claim to be included in the token.
   */
  private static IdTokenCredentials idTokenCredentialsFor(
      ImpersonatedCredentials provider, String targetAudience) {
    // INCLUDE_EMAIL adds the impersonated account's email to the issued ID token.
    final List<Option> options = Arrays.asList(Option.INCLUDE_EMAIL);
    return IdTokenCredentials.newBuilder()
        .setIdTokenProvider(provider)
        .setTargetAudience(targetAudience)
        .setOptions(options)
        .build();
  }
}
// [auth_cloud_idtoken_impersonated_credentials]