Package org.springframework.vault.authentication

Class GcpIamCredentialsAuthentication

java.lang.Object

org.springframework.vault.authentication.GcpJwtAuthenticationSupport

org.springframework.vault.authentication.GcpIamCredentialsAuthentication

All Implemented Interfaces:

ClientAuthentication

public class GcpIamCredentialsAuthentication
extends GcpJwtAuthenticationSupport
implements ClientAuthentication

Google Cloud IAM credentials login implementation using GCP IAM service accounts to legitimate its authenticity via JSON Web Token using the IAM Credentials projects.serviceAccounts.signJwt method.

This authentication method uses Googles IAM Credentials API to obtain a signed token for a specific Credential. Service account details are obtained from a GoogleCredentials that can be retrieved either from a JSON file or the runtime environment (GAE, GCE).

GcpIamCredentialsAuthentication uses Google Java API that uses synchronous API.

Since:

2.3.2

Author:

Andreas Gebauer, Mark Paluch

See Also:

• GcpIamCredentialsAuthenticationOptions
• HttpTransport
• GoogleCredentials
• GoogleCredentials.getApplicationDefault()
• RestOperations
• Auth Backend: gcp (IAM)
• GCP: projects.serviceAccounts.signJwt

Constructor Summary

Constructors

Constructor	Description
GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options, RestOperations restOperations)	Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions and RestOperations.
GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options, RestOperations restOperations, com.google.api.gax.rpc.TransportChannelProvider transportChannelProvider)	Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions, RestOperations and TransportChannelProvider.

Method Summary

Modifier and Type	Method	Description
VaultToken	login()	Return a VaultToken.
protected String	signJwt()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

GcpIamCredentialsAuthentication

public GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options,
 RestOperations restOperations)

Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions and RestOperations. This constructor initializes InstantiatingGrpcChannelProvider for Google API usage.

Parameters:

options - must not be null.

restOperations - HTTP client for Vault login, must not be null.

GcpIamCredentialsAuthentication

public GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options,
 RestOperations restOperations,
 com.google.api.gax.rpc.TransportChannelProvider transportChannelProvider)

Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions, RestOperations and TransportChannelProvider.

Parameters:

options - must not be null.

restOperations - HTTP client for Vault login, must not be null.

transportChannelProvider - Provider for transport channel Google API use, must not be null.

Method Details

login

public VaultToken login()
                 throws VaultException

Description copied from interface: ClientAuthentication

Return a VaultToken. This method can optionally log into Vault to obtain a token.

Specified by:

login in interface ClientAuthentication

Returns:

a VaultToken.

Throws:

VaultException

signJwt

protected String signJwt()